
Heartbleed victims start to come forward

Updated: Someone’s had a go at mums and the taxman
Tue Apr 15 2014, 10:30

TWO ORGANISATIONS have come forward and admitted that their systems were exploited by the Heartbleed bug.

The outfits, mothers' website Mumsnet and tax portal the Canada Revenue Agency, have both admitted to patches and problems, and both stand as the first recognisable victims of the OpenSSL Heartbleed vulnerability.

Each has posted notes on its website, and both said that their websites were attacked. While one affects passwords and logins on what is mostly a discussion website, the other, a tax agency, could have worse ramifications.

"Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," said the Canada Revenue Agency.

"We are currently going through the painstaking process of analysing other fragments of data, some that may relate to businesses, that were also removed."

Meanwhile, the US National Security Agency (NSA) has said that the infamous Heartbleed vulnerability was news to it, and added that it has not exploited it.

This is contrary to a report at Bloomberg that claimed that the NSA has been exploiting it for years.

Two sources told the newspaper that the NSA has been using Heartbleed for at least two years, and has used it to dig up and retain individuals' information.

The NSA had already denied pre-knowledge of the vulnerability, and denied it again following the Bloomberg report.

On Twitter it issued a categorical denial, and issued it very quickly on the heels of publication.

In a statement released on the IC on the Record Tumblr, a spokesperson for the US government backed this up, saying that the authorities only learned of the Heartbleed bug in April, when the problem was reported.

"The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," it said in a statement.

"When Federal agencies discover a new vulnerability in commercial and open source software - a so-called 'Zero day' vulnerability because the developers of the vulnerable software have had zero days to fix it - it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."

There seems to be a divide between organisations and outfits with pre-notice and those without.

According to security response coordination outfit ICS-CERT, Heartbleed attacks are happening already. However, it did not say where or whether they were successful.

"ICS-CERT is aware of reports of attempted exploitation and is in the process of confirming these reports," it said. "ICS-CERT continues to monitor the situation closely and encourages entities to report any and all incidents regarding this vulnerability to DHS (the US Department of Homeland Security)."

Last week the man who let the SSL Heartbleed vulnerability - discussed in the video below - loose in the world revealed that it was "an oversight".

There should have been some clues perhaps. The code, which was supposed to enable the SSL heartbeat function, a good thing, was submitted just before midnight on New Year's Eve, a time when many people are under the influence of alcohol.

That was probably not the case here, but there was definitely an oversight, and Robin Seggelmann, a programmer based in Germany, unleashed a severe SSL vulnerability in those last minutes of 2011.

He told the Guardian that the New Year's celebrations had nothing to do with Heartbleed, and that it is just timing that gave the code a New Year's Eve entry.

"The code... was the work of several weeks. It's only a coincidence that it was submitted during the holiday season," he said.

"I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version."

Heartbleed sent panic across the internet and caused many companies to tell their users to change their passwords. A raft of firms have admitted that they are patching their systems, and researchers have already shown how easy it is to discover Yahoo usernames and passwords.

Seggelmann accepted his lot, but would not hear anything bad said about open source. He disputed a claim that the openness of open source was to blame, saying that the heartbeat function is new and niche and that SSL is underloved and under-supported.

"I don't see it as a failure of open source. On the contrary, the publicly accessible code made it possible that the error has been discovered and published. I can only assume that it took so long because it's in a new feature which is not widely used and not a conceptual, but a simple programming error," he said.

"OpenSSL is definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project."

Heartbleed continues to draw panicked looks, and a number of firms are recommending workarounds, patches and fixes in mitigation efforts.

Google has taken on the bleeding hearts on a security blog post where it told its users that it is in the process of shoring up its consumer and business facing cloud services.

"We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine," it said.

"Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this - and encourage others to report them - so that we can fix software flaws before they are exploited."

Amazon has been through its Amazon Web Services (AWS) and it too said that all is well, everything has been fixed and no one needs to panic.

Facebook suggested that this was old news to it, old news that it patched some undisclosed time ago. "We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed, and we're continuing to monitor the situation closely," said a spokesman.

Microsoft told The INQUIRER that it has taken a look at its services and has nothing much to report. "Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows' implementation of SSL/TLS was also not impacted," said a spokesman. "A few Services continue to be reviewed and updated with further protections."

Not all websites are vulnerable, and some, like Twitter and LinkedIn, have done their due diligence and reported that their users are fine to carry on. Also fine are PayPal and eBay, while Dropbox has also revealed that it has patched its software.

Twitter said on its status pages that it is as clean as a whistle. "We were able to determine that and servers were not affected by this vulnerability," it said.

Yahoo, whose users were cited in the Heartbleed evidence, has reacted in a few ways. Tumblr, its blogging thing, suggested that people take the day off work and spend it changing all of their passwords. If all of the security companies did that we would all be in trouble.

"Bad news. A major vulnerability, known as 'Heartbleed', has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr. We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue," said Tumblr.

"This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."

The Heartbleed bug was discovered in a software library used in servers, operating systems and email and instant messaging systems and allows anyone to read the memory of systems using vulnerable versions of OpenSSL software.

OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols by which email, instant messaging, and some VPNs are kept secure.

The vulnerability is called Heartbleed because it's in the OpenSSL implementation of the TLS/DTLS heartbeat extension described in RFC6520, and when it is exploited it can lead to leaks of memory contents from the server to the client and from the client to the server.
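To make the "missing validation" the article describes concrete, here is an added C simulation; it is not code from the article, from OpenSSL, or from the heartbeat RFC. It models a heartbeat record as RFC 6520 lays it out (a one-byte type, a two-byte payload length, the payload, then padding) and shows the same handler in two shapes: one that trusts the length field in the request and echoes that many bytes, and one that first checks that the record actually contains that many bytes, which is the shape of the fix. The record is placed at the front of a larger buffer whose remainder holds a constructed "secret" string standing in for whatever happened to sit next to the record in memory, so the over-read stays inside the simulation's own buffer. The constant names, the `simulate()` helper and the sample payload are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* RFC 6520: at least 16 bytes of padding follow the payload */
#define MEM_SIZE    256     /* simulated record buffer plus its neighbouring memory */

/*
 * Write one heartbeat record into mem: type, big-endian 16-bit payload_length,
 * payload bytes, padding. claimed_len goes into the header; actual_len is how
 * many payload bytes are really written. Returns the true record length.
 */
static size_t build_record(unsigned char *mem, uint16_t claimed_len,
                           const char *payload, size_t actual_len) {
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, actual_len);
    memset(mem + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/*
 * Handle a heartbeat request of rec_len bytes. With check_bounds == 0 the
 * handler trusts the header's payload_length (the unchecked shape); with
 * check_bounds == 1 it first verifies that the record really holds that many
 * bytes (the shape of the fix) and silently discards the record otherwise.
 * Returns the number of response bytes written to out, or -1 if dropped.
 */
static int handle_heartbeat(const unsigned char *rec, size_t rec_len, int check_bounds,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return -1;                         /* no complete header */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The missing validation: header + claimed payload + padding must fit in what arrived. */
    if (check_bounds && (size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return -1;

    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);              /* echoes payload_len bytes, whatever they are */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/*
 * Run one request through the handler. Returns -1 if the record was dropped,
 * 1 if the response contains the neighbouring secret, 0 if it does not.
 */
int simulate(int check_bounds, uint16_t claimed_len) {
    unsigned char mem[MEM_SIZE];
    unsigned char out[MEM_SIZE];
    memset(mem, 0, sizeof mem);
    memset(out, 0, sizeof out);

    /* Constructed contents of the memory next to the record (assumption of this example). */
    const char *secret = "CONSTRUCTED-SECRET:password=hunter2";
    size_t rec_len = build_record(mem, claimed_len, "hello", 5);   /* 5 real payload bytes */
    memcpy(mem + rec_len, secret, strlen(secret));

    int n = handle_heartbeat(mem, rec_len, check_bounds, out, sizeof out);
    if (n < 0) return -1;
    /* out[i] mirrors mem[i] for every echoed byte, so look at the same offset. */
    return memcmp(out + rec_len, secret, strlen(secret)) == 0 ? 1 : 0;
}

int main(void) {
    printf("unchecked, claims 100 bytes: %d (1 = secret leaked)\n", simulate(0, 100));
    printf("checked,   claims 100 bytes: %d (-1 = dropped)\n",      simulate(1, 100));
    printf("checked,   claims 5 bytes:   %d (0 = normal echo)\n",   simulate(1, 5));
    return 0;
}
```

The single comparison `1 + 2 + payload_len + HB_PADDING > rec_len` is the whole difference between the two shapes: a request that claims more payload than it carries is discarded rather than answered, and a well-formed request is echoed exactly as before. The same check also explains why the leak in the article runs in both directions: a client that trusts a server's heartbeat length field makes the identical mistake.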

The researchers from defense security firm Codenomicon said that attackers could take advantage of the bug to eavesdrop on communications, steal data directly from server or client systems, and impersonate users and servers.

"This compromises the secret keys used to identify service providers and to encrypt the traffic, the names and passwords of the users and the actual content," the researchers wrote on a website dedicated to the bug.

"Without using any privileged information or credentials, we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

Because such attacks are not traceable, it's not clear how widespread the bug is or was, but it is thought that at least two-thirds of websites could be affected, as the most notable software using OpenSSL are the open source webservers Apache and nginx.

The researchers pointed out that the combined market share of those two webservers was over 66 percent of the active websites on the internet, according to Netcraft's Web Server Survey released this month.

"You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet," the researchers added.

"Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services."

Although an updated version of OpenSSL has been released to patch this security vulnerability, it might take time before some operating system developers and software distributions deploy it.

"Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys," the researchers said. "Even doing all this will still leave any traffic intercepted by the attacker in the past vulnerable to decryption."

Security expert Bruce Schneier released a statement highlighting how "catastrophic" Heartbleed is, and warned that as well as updating, users should change their passwords for websites affected by it. 

He said, "'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11.

"After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected."