09 April 2014

Change all your online passwords!

This is it, folks. This is the hack, the security breach, the vulnerability that you've all been expecting...and dreading. The Big One. Armageddon is now.

Okay, so perhaps I'm exaggerating, but security experts are hollering loudly about CVE-2014-0160, also known as the Heartbleed Bug. I think we should listen. Here's a compendium of highlights I've gathered from a bit of googling early today.

Executive Summary

If you're not a techie and/or you can't be bothered with reading all the mumbo-jumbo, here's the bottom line: 

You should seriously consider changing all your online passwords. 

But you may want to wait to change some of them, in case the website/online service for the password you're changing has not upgraded their servers to patch this vulnerability. Or, better yet, change your passwords now and then change them again in the near future. It's never a bad idea to change a password.

If you are a techie or a server administrator, read on.

The "Heartbleed Bug"

An alarming lapse in Internet security has exposed millions of passwords, credit card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery. Security researchers who uncovered the threat, known as "Heartbleed," are particularly worried about the breach because it went undetected for more than two years. [2]
Dubbed the Heart Bleed Bug, the flaw was jointly discovered by a team of security engineers at Codenomicon and Neel Mehta of Google Security. [3]
Security vulnerabilities come and go, but this one is extremely serious. Not only does it require significant change at Web sites, it could require anybody who's used them to change passwords too, because they could have been intercepted. That's a big problem as more and more of people's lives move online, with passwords recycled from one site to the next and people not always going through the hassles of changing them. [1]
Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services that could be potentially hurt by Heartbleed. The Sunnyvale, Calif., company said most of its most popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it didn't identify in a statement Tuesday. [2]
"Heartbleed is massive. Check your OpenSSL!" tweeted Nginx in a warning Tuesday. [1]
But the larger problem is that many SSL certificates could be compromised now, as the secret key that protects a given certificate could be disclosed in an attack on this vulnerability. The process of revoking and reissuing those certificates could go on for a long time, depending upon how many organizations realize their sites are vulnerable and how quickly they respond. [5]
“It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one. We’ll see how many people do that,” said cryptographer Matthew Green, a professor at Johns Hopkins University. [5]

Excuse me? "The Main FBI site?"

Some high-profile sites, including Yahoo Mail, Lastpass, the OpenSSL site and the main FBI site have been confirmed to leak certain information via the bug. There also is a proof-of-concept exploit for the flaw posted on Github. Lastpass officials said that they patched the vulnerability Tuesday morning, and that user data was never at risk. The company was running a vulnerable version of OpenSSL, but had other security measures in place that mitigated the risk. [5] (See more on LastPass below.)
It's puzzling that such a fuss is being made about Yahoo and LastPass, but the fact that the main FBI site has been breached by this vulnerability is mentioned almost as a footnote. One would have expected the headlines to read "FBI Website Breached by Hackers!" Sigh.
Chartier and other computer security experts are advising people to consider changing all their online passwords. "I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. "You don't know because an attack wouldn't have left a distinct footprint." [2]
But maybe changing passwords won't help. See Change Your Passwords below.

A tool by Filippo Valsorda to test for Heartbleed vulnerability (see How to Detect a Heartbleed below) showed "Google, Microsoft, Twitter, Facebook, Dropbox, and several other major Web sites to be unaffected -- but not Yahoo. Other Web sites shown as vulnerable by Valsorda's tool include Imgur, OKCupid, and Eventbrite." [1]

The Good News

Older servers/systems are safer, ironically.
The severity of the problem is lower for Web sites and others that implemented a feature called perfect forward secrecy, which changes security keys so that past and future traffic can't be decrypted even when a particular security key is obtained. Although big Net companies are embracing perfect forward secrecy, it's far from common. [1]
Despite the worries raised by Heartbleed, Codenomicon said many large consumer sites aren't likely to be affected because of their "conservative choice" of equipment and software. "Ironically, smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm said in a blog post. [2]
Adam Langley, a Google security expert who helped close the OpenSSL hole, said his testing didn't reveal information as sensitive as secret keys. "When testing the OpenSSL heartbeat (sic) fix I never got key material from servers, only old connection buffers. (That includes cookies though.)," Langley said on Twitter. [1]


It's not clear what LastPass users should do. Should they change all their passwords or not?
One of the companies affected by the vulnerability was password manager LastPass, but the company upgraded its servers as of 5:47 a.m. PT Tuesday, spokesman Joe Siegrist said. "LastPass is quite unique in that nearly all your data is also encrypted with a key that LastPass servers never get -- so this bug could not have exposed customer's encrypted data," Siegrist added. [5]
"LastPass is unique in that your data is also encrypted with a key that LastPass servers don't have access to. Your sensitive data is never transmitted over SSL unencrypted – it's already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers' encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern," the company said in a blog post. [5]
“Also, LastPass has employed a feature called “perfect forward secrecy”. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised. ” [5]
LastPass has used perfect forward secrecy for the last six months, but is assuming its certificates could have been compromised before that. "This bug has been out there a long time," Siegrist said. "We have to assume our private keys were compromised, and we will be reissuing a certificate today." [1]

How to Detect a Heartbleed

An online tool, which allows for testing of any server by its hostname for CVE-2014-0160 bug is already in place. [6]  Developer and cryptography consultant Filippo Valsorda published a tool that lets people check Web sites for Heartbleed vulnerability. Valsorda's test uses Heartbleed to detect the words "yellow submarine" in a Web server's memory after an interaction using those words. [1]

What to Do If You Own Servers

How to stop the leak? As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use. [4]
There is no word (yet) on how widely the flaw might have been exploited so far. However, the vulnerable OpenSSL 1.0.1 was released in March 2012. Whoever might have learned about the security flaw in question could have been eavesdropping any TLS/SSL-encrypted communications ever since. This makes the problem a potentially global one: OpenSSL is used by very popular server software such as Apache and nginx. Their combined market share is over 66%, according to Netcraft's April 2014 Web Server Survey, and they are commonly used by businesses of all sizes. [6]
As of today, a number of *nix-like operating systems are affected too, since they are packaged with vulnerable OpenSSL [6]:
* Debian Wheezy (Stable), OpenSSL 1.0.1e-2+deb7u4
* Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
* CentOS 6.5, OpenSSL 1.0.1e-15
* Fedora 18, OpenSSL 1.0.1e-4
* OpenBSD 5.3 (OpenSSL 1.0.1c) and 5.4 (OpenSSL 1.0.1c)
* FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
* NetBSD 5.0.2 (OpenSSL 1.0.1e)
* OpenSUSE 12.2 (OpenSSL 1.0.1c)
Packages with older OpenSSL versions – Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14, SUSE Linux Enterprise Server – are free of this flaw. [6]
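Because distributions backport fixes without changing the upstream version string (a patched Debian build still reports "1.0.1e"), checking the bare version is not enough. The following is an added example, not code from this post or from any of the quoted sources: it classifies the output of `openssl version -a` against the vulnerable upstream range, treats a build compiled with `-DOPENSSL_NO_HEARTBEATS` as unaffected, and sends packaged builds that are not on the list above to the vendor advisory. The sample transcripts are constructed, and the 1.0.1g fix version is a known fact not taken from the page.

```python
import re

# Upstream OpenSSL releases that carry the heartbeat bug: 1.0.1 through 1.0.1f.
# 1.0.1g is the upstream fix (not stated on the page); the 1.0.0 and 0.9.8
# branches predate the TLS heartbeat extension and are not affected.
VULNERABLE_UPSTREAM = {"1.0.1"} | {"1.0.1" + c for c in "abcdef"}

# Distribution package versions the post lists as vulnerable.
KNOWN_VULNERABLE_PACKAGES = {"1.0.1e-2+deb7u4", "1.0.1-4ubuntu5.11", "1.0.1e-15"}


def parse_version_output(text):
    """Return (upstream_version, compiled_without_heartbeats) from `openssl version -a` text."""
    m = re.search(r"^OpenSSL (\d+\.\d+\.\d+[a-z]*)", text, re.M)
    version = m.group(1) if m else None
    # -DOPENSSL_NO_HEARTBEATS on the compiler line means the extension was compiled out.
    return version, "-DOPENSSL_NO_HEARTBEATS" in text


def heartbleed_status(text, package_version=None):
    """Classify as 'vulnerable', 'not-affected', 'check-vendor-advisory' or 'unknown'."""
    version, no_heartbeats = parse_version_output(text)
    if version is None:
        return "unknown"
    if version not in VULNERABLE_UPSTREAM or no_heartbeats:
        return "not-affected"
    if package_version is None:
        return "vulnerable"  # self-built from an unpatched upstream tarball
    if package_version in KNOWN_VULNERABLE_PACKAGES:
        return "vulnerable"
    # A packaged 1.0.1x build not on the known-bad list may carry a backported fix;
    # the version string alone cannot settle it, so defer to the distro advisory.
    return "check-vendor-advisory"


# Constructed sample transcripts (not captured from real hosts).
SAMPLE_VULNERABLE = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 10 23:21:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -O3
"""
SAMPLE_NO_HEARTBEATS = """OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -O3
"""
SAMPLE_OLD = """OpenSSL 0.9.8o 01 Jun 2010
compiler: gcc -fPIC -DOPENSSL_THREADS -O3
"""

if __name__ == "__main__":
    print("1.0.1e self-built:", heartbleed_status(SAMPLE_VULNERABLE))
    print("1.0.1e no heartbeats:", heartbleed_status(SAMPLE_NO_HEARTBEATS))
    print("0.9.8o:", heartbleed_status(SAMPLE_OLD))
    print("deb7u4 package:", heartbleed_status(SAMPLE_VULNERABLE, "1.0.1e-2+deb7u4"))
```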

Change Your Passwords

The information online is not clear as to whether changing passwords will help. To be clear, from a security standpoint it's never a bad idea to change one's passwords, and to do so frequently. However, some are saying that doing so now, before your service has upgraded its systems to plug this hole, will be a waste of time.
Changing the passwords won't do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords. [2]
"This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said. "This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug." [2]


This is serious. Very serious. How should you respond? If you manage servers, you need to jump right on it and make sure your systems are covered: either verify that they are too old to have been affected (a rare case of procrastination being a good thing), or, if they run a vulnerable version, install the new patches/upgrades.

Otherwise, if you're a "regular person" with online passwords -- and who isn't these days? -- then it's advisable to change all your passwords. But you may want to investigate the various sites/services you subscribe to, because if they have not updated their services to plug the vulnerability to Heartbleed, you may have to change your passwords again when they do.


1. http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/
2. http://abcnews.go.com/Technology/wireStory/passwords-vulnerable-security-flaw-found-23247031
3. http://beforeitsnews.com/business/2014/04/heart-bleed-bug-could-compromise-large-part-of-the-internet-2612796.html
4. http://heartbleed.com/
5. http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309
6. http://business.kaspersky.com/the-heart-is-bleeding-out-a-new-critical-bug-found-in-openssl/
