Are you ready for the next massive vulnerability? It’s called Heartbleed and it could give hackers access to user passwords and even trick people into using fake versions of popular Web sites. Some are even reporting Yahoo passwords are being revealed.
According to the security engineers at Codenomicon who found the bug, the vulnerability is in the OpenSSL cryptographic software library. The weakness, they said, steals information typically protected by the SSL/TLS encryption used to secure the Internet.
Computer science student Mustafa Al-Bassam (formerly of the LulzSec hacker collective) has compiled a list of Web sites affected by the bug, which include Yahoo, Flickr, OKCupid, US Magazine, and Squidoo.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” according to the Web site dedicated to providing information about the bug. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Blind Spot Revealed
We caught up with Dwayne Melancon, chief technology officer at Tripwire, to get his take on the Heartbleed bug. He told us one of the challenges with third-party source code is that there is often the assumption that it is secure because it is “open” and easily reviewed by developers at large.
“This isn’t always the case, as Heartbleed illustrates. The issue isn’t because OpenSSL is open source,” Melancon said. “Just recently, we saw another long-present security flaw in Apple’s source code that had been there for a very long time, and it was commercially developed and tested.”
Fundamentally, he explained, security is not a simple proposition and any conventional approach to testing security can have blind spots due to flawed assumptions, insufficient expertise, or issues that arise once one piece of technology is integrated with another. He said, “This is why security teams often turn to ‘white hat’ hackers to help them test their technology for weaknesses.”
We also turned to Ken Westin, a security researcher at Tripwire, to get his thoughts on the latest security headline. He told us OpenSSL runs on top of two of the most widely used Web servers: Apache and nginx. He pointed out that it also runs on e-mail servers and chat services, VPN and other software that use the code library.
“Many devices that use embedded Linux including routers and other devices may also be susceptible,” Westin said. “Attackers who exploit the vulnerability can monitor all data passing between a service and client, or decrypt historical encrypted data that has been collected.”
He left us with a warning: Many modern operating systems use vulnerable versions of Open SSL including Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.