from the the-gift-that-keeps-on-giving dept.
Ars Technica reports that four weeks after its disclosure huge swaths of the Internet remain vulnerable to Heartbleed. The article suggests that over 300,000 servers remain vulnerable.
What steps have you taken to protect yourself from this bug? What browser addons have you installed? Have you checked/updated the firmware on your home router? If you work in IT, what has the reaction been? Has your site been compromised? Has vulnerable code been updated, new keys genned, new certificates obtained, and old ones revoked?
Since the OpenSSL library is now undergoing a security review and a fork of it is underway as LibreSSL, it is possible that other vulnerabilities will be discovered. Then what? How likely is it that we will need to repeat this cleanup effort?
(more after the break)
The Heartbleed bug "is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet." The bug affects not only computer servers, but also routers and even some Android phones, too. Even software like LibreOffice, WinSCP, and FileMaker have versions with the bug and need to be updated. The history, behavior, and impact of this bug are well-explained and summarized on Wikipedia. Therein is this recommendation:
Although patching software (the OpenSSL library and any statically linked binaries) fixes the bug, running software will continue to use its in-memory OpenSSL code with the bug until each application is shut down and restarted, so that the patched code can be loaded. Further, in order to regain privacy and secrecy, all private or secret data must be replaced, since it is not possible to know if they were compromised while the vulnerable code was in use:
- all possibly compromised private key-public key pairs must be regenerated,
- all certificates linked to those possibly compromised key pairs need to be revoked and replaced, and
- all passwords on the possibly compromised servers need to be changed.
SN's coverage of this vulnerability includes:
An advisory (link: https://www.openssl.org/news/secadv_20140407.txt ) has been released concerning an implementation bug in several versions of the widely used OpenSSL software.
"A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1."
The advisory states that 1.0.1 users can resolve the issue by upgrading to 1.0.1g or recompiling using the -DOPENSSL_NO_HEARTBEATS switch. Users of 1.0.2 will need to wait for the next beta release to get this closed.
This website (link: http://heartbleed.com/ ) has been created to spread accurate details of the bug, which was determined to have been seen in releases of OpenSSL dating back to December 2011. Many websites and services are affected, including Mojang's decision to completely shut down the account authentication servers for Minecraft while the patch is being put in place.
After reporting the problems with OpenSSL, which has been nicknamed 'HeartBleed', 2 contributors have forward articles on why you should change your passwords.
Heartbleed, and why you should change your password
I always believed Mojang would keep my details safe, now I realise they are not in control of their own data. Mojang/Minecraft passwords should be changed immediately
Heartbleed Bug: Change All Your Passwords
Bruce Schneier calls it "catastrophic", giving this advice to sysadmins: "After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected." He also links to a webpage that will let you test servers for the bug, and an article on Ars Technica discussing the bug.
The EFF has called on admins to check any historical packet capture logs for evidence of Heartbleed attacks in 2013 and earlier. They examined reports from Ars Technica of people coming forward with logs potentially showing in-the-wild Heartbleed attacks long before the recent public disclosure. Perhaps most intersting-
[the] logs had been stored on magnetic tape in a vault. The source IP addresses for the attack were 126.96.36.199 and 188.8.131.52. Interestingly, those two IP addresses appear to be part of a larger botnet that has been systematically attempting to record most or all of the conversations on Freenode and a number of other IRC networks. This is an activity that makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers.
Coincidentally, a few hours prior to this news, I was lamenting here in comments how disinformative the mainstream reporting was when it made claims that "what makes it even worse is the heartbleed attack leaves no trace". Of course it leaves a trace- perhaps not in stock os/webserver log files, but remote attackers always have to carry the attack out via networks, which can notice and/or log the traffic if they take the trouble to. Not to put too fine a point on it, but the same thing is also relevant to the recent slashcode issue with portscans. It may be exhausting work inspecting packet capture logs, but if you make a habit of not doing it, you should be prepared to find some gremlins when you finally get around to it.
By now even Joe Average has heard about Heartbleed, and possibly even was told something accurate.
Well and good, but there's one thing missing: how does Joe know that it's time to change all of his passwords? The Register sums things up thusly:
But to fully clean up the problem, admins of at-risk servers should generate new public-private key pairs, destroy their session cookies, and update their SSL certificates before telling users to change every potentially compromised password on the vulnerable systems.
I have logins and passwords on probably 50 to 75 sites. To date not one has e-mailed me to say "Hey, it's all fixed, change your password!" Likewise none of them seems to have posted a similar notice on their log-in page. Does anyone else feel like they're left hanging?
"Anything that speaks TLS using OpenSSL is potentially vulnerable, but there are two main classes of client apps that are worth mentioning:
- Traditional clients are things like web browsers, apps that use HTTP APIs [snip]
- Open agents are clients that can be driven by an attacker but don't reside on an attacker's machine. If you can direct some remote application to fetch a URL on your behalf, then you could theoretically attack that application. The web is full of applications that accept URLs and do something with them; any of these have the potential to be vulnerable [snip]"
The main conclusion so far is that one has to purge all flawed versions of OpenSSL from all computers: server or client makes no real difference, firewalls make no real difference either as the bug now works both inbound and outbound.
There is also a Reverse Heartbleed Tester.
It's often said that "you get what you pay for", but when it comes to free software, this doesn't apply. You often get a lot more. However, you do get what someone pays for. Software development takes time and money, and without substantial donations, sponsorship, etc., a free-software project will be limited to what volunteers can achieve in their own time.
According to an article in Ars Technica, the security software OpenSSL has one full-time employee and receives about $2000 a year in donations. It's therefore not surprising that bugs aren't always caught before they cause problems.