What is it?
In short, it is a security bug in the OpenSSL cryptographic software library. Specifically, it is a simple logic error in an extension. This bug allows any attacker to obtain sensitive information from the server, given time and some level of luck. This sensitive information includes e-mail addresses, IDs and passwords of clients, the server's master password and even the server's decryption key. The list goes on.
How did it happen?
It was a simple logic error in an extension, Heartbeat, which is used to keep the connection between server and client alive without needing to re-establish it. The extension was written by a Ph.D. student in 2011 and was then reviewed by one of the four core developers of OpenSSL. The flaw, however, was overlooked and the extension was included in later official releases. By default the extension is enabled, so the bug is present by default.
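To make the "simple logic error" concrete, here is an added simulation (not code from the original post or from OpenSSL) of how the Heartbeat handler answers a request. The request format (type, two-byte payload length, payload, 16 bytes of padding) is the real one; the server-memory contents are constructed, and the patched branch mirrors the bounds check that the release after 1.0.1f added.

```python
import struct

HB_REQUEST, HB_RESPONSE, PADDING = 1, 2, 16

# Constructed stand-in for whatever happened to sit in the server's memory
# right after the received heartbeat record (made-up data, not real).
NEIGHBOURING_MEMORY = b"user=alice;password=hunter2;" + b"\x00" * 80


def build_request(payload: bytes, claimed_length: int) -> bytes:
    """type(1) | payload_length(2, big-endian) | payload | padding(16).
    claimed_length normally equals len(payload); a larger value triggers the bug."""
    return bytes([HB_REQUEST]) + struct.pack(">H", claimed_length) + payload + b"\x00" * PADDING


def respond(memory: bytes, record_length: int, patched: bool) -> bytes:
    """Answer the heartbeat request found at the start of `memory`.
    patched=False mirrors OpenSSL 1.0.1 to 1.0.1f: payload_length is taken from the
    request and never compared with the record actually received.
    patched=True adds the bounds checks of the fixed release and silently discards
    inconsistent requests, as RFC 6520 section 4 requires."""
    if patched and 1 + 2 + PADDING > record_length:
        return b""
    hbtype = memory[0]
    (payload_length,) = struct.unpack(">H", memory[1:3])
    if patched and 1 + 2 + payload_length + PADDING > record_length:
        return b""
    if hbtype != HB_REQUEST:
        return b""
    # Echo payload_length bytes starting at the payload; unpatched, this read
    # runs past the end of the record into neighbouring memory.
    payload = memory[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_length) + payload + b"\x00" * PADDING


def leaked(payload: bytes, claimed_length: int, patched: bool) -> bytes:
    """Bytes in the response that were never part of the request."""
    record = build_request(payload, claimed_length)
    memory = record + NEIGHBOURING_MEMORY
    response = respond(memory, len(record), patched)
    if not response:
        return b""
    (n,) = struct.unpack(">H", response[1:3])
    return response[3:3 + n][len(payload):]


if __name__ == "__main__":
    print(leaked(b"hello", 5, patched=False))   # honest request: nothing leaks
    print(leaked(b"hello", 64, patched=False))  # contains b"password=hunter2"
    print(leaked(b"hello", 64, patched=True))   # request silently discarded
```

The whole fix is the single comparison of the claimed payload length against the length of the record that was actually received, which is why the patch was tiny yet the exposure was global.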
Who got affected?
Any client of servers that used OpenSSL versions ranging ONLY from 1.0.1 to 1.0.1f. Why only between these numbers? Because before 1.0.1 the extension wasn't present, and after 1.0.1f the bug was patched. This means that many giant websites and companies that were using these versions might have had their sensitive information stolen without any warning at all. This means that YOUR ID and password might have been stolen!
What was the damage?
The bug had already been there for 2 years without anyone publicly disclosing it, which may indicate that many companies were attacked over the course of those 2 years, leading to many accounts being accessed and tampered with by the attackers. Maybe banks were hacked without knowing it. Even more alarming is that the attackers are NOT traceable: the attack this bug enables is silent and leaves no trace. Recovering from it will take some time.
How to prevent it or recover from it?
Servers can prevent Heartbleed from happening any further by applying the latest OpenSSL security patch, and users should change their passwords. However, you must ensure that the server has already applied the patch, or else the server can still be attacked. There are many vulnerability test services out there that can check for this bug; using them will tell you whether your server is safe or not.
What did you learn from it?
I learnt that even a simple logic error in programming can lead to a global problem, and that having an open-source program lets more people review the code and find bugs or flaws in it, preventing any bug or flaw from being overlooked.
This article is a homework assignment by Mr. Pete