Tuesday, April 29, 2014

The power of notoriety

Heartbleed and you
If you don't see this, you're using an old version of IE. Read "If you really want to keep your Windows XP." (April 2014)

Just after I posted my item on The Second Factor (1), I saw a syndicated story under the heading of “Double-layer passwords offer additional protection online.” It started out “If the Heartbleed security threat teaches us anything, it’s that passwords don’t offer total protection.” (2)

While that was a good article on why and how multi-factor authentication is valuable, its reference to Heartbleed was as valid a lead as a picture of a scantily-clad model.

Don’t get me wrong. Both topics are important considerations for your security online. But I haven’t seen any clear lay explanation as to the risk and impact of Heartbleed on the ordinary user.

First the technical details. Heartbleed was a flaw in OpenSSL, a component of certain webservers, from 2012 until April 9, 2014. Depending on whom you listen to, this flaw could have affected between 66% and 17% of all websites on the internet. I’m inclined to lean toward the lower number.(*) But this is still serious since the count is of sites, which included the likes of Google and Yahoo.

Due to the high risk from the flaw, OpenSSL team had issued a patch within 72 hours of being notified and less time from any broad awareness. Most of the larger secure sites implemented the patch immediately. In fact, I first became aware of the flaw when I started getting notices from my banks that they either were never vulnerable, or had already patched their system.

What does Heartbleed do? The flaw allows a hacker to induce the server to send him the contents of a small portion (64 kilobytes) of its memory (remember that a webserver will have 8-64 gigabytes of memory). The affected memory would contain random bits of the server’s recent activity.

This memory could be the contents of its own webpages which anyone could view. It could be the computer language instructions to manage the website. It could also be bits of the conversation between your browser and the server that establishes your secure connection in advance of telling your bank to pay a bill.

All the hacker has to do is get the same server to send him a few thousand 64 KB downloads. Then he has to scan through the mostly binary data for the flecks of gold that are recognizable. Once found, he has to refine those flecks into real knowledge that he can exploit for value. (If that sounds tedious, all of the tasks can be automated.)

What is the risk to you? It’s possible those flecks of gold may include your account name and password. But if the hacker’s goal is passwords, that’s an inefficient way to get them. Every week credentials are being stolen in million-account lots through other security lapses and flaws.

A far more valuable nugget to look for is the webserver’s master key to all its SSL/TLS communications. If a hacker has this, he can create a fake website that your browser will accept as authentic. Then he can execute a perfect phishing or man-in-the-middle attack against any visitor to his bogus site. He can also decrypt previous “secure” traffic to most sites. Of course, the latter two attacks require the hacker either be in the middle or have access to previously recorded internet traffic.

What should you do? Unfortunately, because of how the flaw works, there is no way to know that a specific site has, or has not, been hacked. If your partner has advised you that they have eliminated any risk from this flaw, you should change your password for that site. Take this opportunity to use a strong and unique password for each of your high value web accounts. If available, you might enable 2-factor sign-on to reduce the possibility of an account being hijacked.

Once a site has been patched, they should have received a new SSL certificate and revoked their old, compromised certificate. Unfortunately, as of this writing, there is no reliable way to ensure you know that you aren’t accepting a stolen certificate. Some browsers, maybe with some deep settings, will warn you that a certificate has been revoked. There is one site that will test whether your browser properly recognizes a revoked certificate. There is one known website that can actually serve you a revoked certificate. If you go to http://revoked.grc.com(3), you should receive an error. If your browsers test good and give you the error, you can read more about revocation at(4).

There’s more at risk than just websites. Although I have not seen an authoritative list, SSL is by far the dominant method of protecting electronic communication on the internet. Potentially vulnerable services run the gamut from a sophisticated private VPN to the heavily consumer cloud storage services. They could also include the likes of email, chat and VoIP, or routers for both home use and controlling the internet.

Unfortunately, many of these services are either embedded deeply into the technology or are never managed again after the original configuration. They will be patched slowly or not at all.

Fortunately, as the variety of programs for exploit increases, the number of clients shrinks. If the host in a peer-to-peer network serving two nodes is invaded, it could be devastating for those two, but will not affect anyone else.

Like the number of potentially vulnerable webservers, many of these services are not at risk from Heartbleed because their communications are not encrypted in the first place. Your chat, email, and cloud backups have been coursing through the internet as plain text; easily readable by anyone with a tap on the line – and I don’t mean just governments.

Bill Barnes with Dewey Williams, PCCC

(*) The reported risk to 66% of all websites refers to the number of websites that are running webservers that might use OpenSSL. These are primarily the programs Apache and nginx.
This number has to be reduced by the large number of websites that don’t even offer SSL. Again subtract the number what did not install the affected versions of OpenSSL and you get a much lower percentage of the Web. However, with worldwide web sites numbering in the 9 digits (decimal); whether the affected percentage is 30% or 10%, it’s still a huge number. (5)

Blog post “The Second Factor”. http://fromthehelpdesk.blogspot.com/2014/04/the-second-factor.html
(2) AP article “Double-layer passwords …” read in The Charlotte Observer. http://www.charlotteobserver.com/2014/04/26/4865676/tech-tips-double-layer-passwords.html#storylink=cpy
(3) Test website for a revoked certificate. http://revoked.grc.com
(4) Explanation of revoked certificates. https://www.grc.com/revocation.htm (also on podcasts referenced below)
(5) The number of websites truly at risk. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html.

More references
An early announcement on Heartbleed. http://pc3.org/heartbleed-bug-affects-60-of-secure-internet-servers/
Text and podcasts on Heartbleed. https://grc.com/sn

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(cc) 2014- Bill Barnes - Disclaimer - Home Page - Blogs Home

No comments: