The recent security scare over the Heartbleed bug should send shivers down the spines of most small businesses. Several tech firms encouraged people to change all their online passwords in light of it. The flaw sits in software used by roughly two-thirds of all websites, although, as the figures below show, a much smaller share were actually exposed.
Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. The vulnerability results from a missing bounds check in the handling of the TLS heartbeat extension, which gives the bug its name. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
According to Mark J. Cox of OpenSSL, Neel Mehta of Google’s security team reported Heartbleed on April 1, 2014. The bug entailed a severe memory handling error in the implementation of the Transport Layer Security Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application’s memory with every heartbeat.
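To make the missing bounds check concrete, here is an added example (not OpenSSL’s code, and not from the original article) that models a heartbeat record as RFC 6520 lays it out: a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. The "process memory" and the secret placed after the record are constructed for the demonstration. The vulnerable handler copies as many bytes as the attacker’s length field claims; the fixed handler, following the logic of the OpenSSL 1.0.1g patch, first checks that the declared payload plus padding actually fits inside the bytes received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message types and minimum padding (RFC 6520) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Simulated process memory (constructed for this example): the received
 * heartbeat record is placed at the start, and a "secret" the peer must
 * never see sits a little way past it, as a session cookie or key might. */
static unsigned char memory[512];
static const char secret[] = "session=SECRET-COOKIE-42";

/* Place a heartbeat record in 'memory'. 'claimed_len' is what the sender
 * writes into the payload_length field; 'payload' is what is really sent.
 * Returns the real record length (header + actual payload + padding). */
size_t build_record(uint16_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, payload, actual);
    memset(memory + 3 + actual, 0xAA, HB_PADDING);            /* padding */
    /* the secret lives 64 bytes beyond the end of the record */
    memcpy(memory + 3 + actual + HB_PADDING + 64, secret, sizeof secret);
    return 3 + actual + HB_PADDING;
}

/* Vulnerable handler: trusts the length field inside the message and copies
 * that many bytes, never comparing it with how many bytes were received.
 * Returns bytes written to 'out' (0 = message dropped). */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;                       /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* over-reads past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler: discard a record too short to hold the header, and discard
 * one whose declared payload plus padding does not fit in the bytes received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Returns 1 if the secret string appears anywhere in the response bytes. */
int response_leaks_secret(const unsigned char *out, size_t out_len) {
    size_t n = sizeof secret - 1;
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, secret, n) == 0) return 1;
    return 0;
}

/* Build a record and return the fixed handler's response length for it. */
size_t fixed_response_len(uint16_t claimed_len, const char *payload) {
    static unsigned char out[sizeof memory];
    size_t rec_len = build_record(claimed_len, payload);
    return heartbeat_fixed(memory, rec_len, out);
}

/* Attacker-style request: claims 400 bytes of payload but sends 4. Returns 1
 * only if the vulnerable handler leaks the secret and the fixed one drops it. */
int demo(void) {
    static unsigned char out[sizeof memory];
    size_t rec_len = build_record(400, "PING");
    size_t n = heartbeat_vulnerable(memory, rec_len, out);
    int leaked = response_leaks_secret(out, n);
    size_t m = heartbeat_fixed(memory, rec_len, out);
    return leaked && m == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret, fixed handler drops request: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The over-read here is bounded by the simulated buffer so the program runs cleanly; in the real library the copy walked off the end of the received record into whatever OpenSSL had in its heap, which is why the 64 KB per heartbeat could contain keys, cookies and passwords. Note that the fixed handler drops the malformed request silently rather than sending an error, which is the behaviour the patch chose.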
The bug was named by an engineer at the firm Codenomicon, a Finnish cybersecurity company, which also created the bleeding heart logo, and launched the domain Heartbleed.com to explain the bug to the public. According to Codenomicon, Neel Mehta first reported the bug to OpenSSL, but both Google and Codenomicon discovered it independently. Codenomicon reports April 3 as their date of discovery of the bug and as their date of notification of NCSC-FI (formerly known as CERT-FI) for vulnerability coordination. Mehta also congratulated Codenomicon, without going into detail.
The Sydney Morning Herald published a timeline of the discovery on April 15, which shows that some of the organizations were able to patch against the bug before its public disclosure. In some cases, it is not clear how they found out.
What is CVE-2014-0160?
CVE-2014-0160 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names, maintained by MITRE. Because of the coincident discovery, a duplicate identifier, CVE-2014-0346, was assigned to Codenomicon’s report; it should not be used, since others independently went public with the CVE-2014-0160 identifier.
The Canada Revenue Agency reported the theft of Social Insurance Numbers belonging to 900 taxpayers, and stated that they were accessed through an exploit of the bug during a 6-hour period on April 8. When the attack was discovered, the agency shut down its web site and extended the taxpayer filing deadline from April 30 to May 5. The agency said it will provide anyone affected with credit protection services at no cost. On April 16, the RCMP announced they had charged an engineering student in relation to the theft with “unauthorized use of a computer” and “mischief in relation to data”.
In another incident, the UK parenting site Mumsnet had several user accounts hijacked, and its CEO was impersonated. The site published an explanation of the incident.
On April 12, at least two independent researchers were able to steal private keys using this attack from an experimental server intentionally set up for that purpose by CloudFlare.
It was reported by a professor at University of Michigan that a computer in China that had been used for hacking and other malicious activities attempted on April 16, 2014 to exploit Heartbleed to attack a university server, which was actually a honeypot intentionally left vulnerable, designed to attract attacks which could then be studied.
Small firms need to protect their data against viruses, malware and natural disasters, as well as disgruntled or careless employees.