Hacking

SPOTLIGHT ON SECURITY

Heartbleed Threat Won’t Fade Away

This week marks the first anniversary of the Heartbleed vulnerability that caused a panic across the Internet last year. While the flaw appears to have faded from the recollections of Net denizens, it still poses danger at many sites in cyberspace.

Heartbleed was discovered in April 2014 in an open source library, OpenSSL, used by the SSL protocol. SSL is used to encrypt data in transit on the Net. By exploiting the flaw with a specially crafted packet, hackers could extract data from a server’s memory in 64K chunks.

The vulnerability got its name from the “heartbeat” servers send out at short intervals to let other servers on the Net know that they’re alive and well. However, by exploiting a bug in the heartbeat function, an attacker can get the heartbeat to bleed more information than just “I’m alive” — information such as passwords, credit card data, Social Security numbers and anything else hanging around in memory at the time of the attack.

Despite grabbing lots of attention when it was first discovered, Heartbleed seems to have fallen victim to short-attention-span syndrome. Eighty-six percent of Americans said they’d never heard of Heartbleed in a March poll of 2,000 U.S. adults conducted by the Harris organization for Dashlane.

“There was a lot of coverage at the time, so it was hard not to hear about it,” Dashlane CEO Emmanuel Schalit told TechNewsWorld. “People just seem to have forgotten it.”

Not Bled Out Yet

That kind of memory lapse could prove dangerous to consumers, as many servers remain vulnerable to Heartbleed attacks. Eighty-four percent of the external servers of Global 2000 organizations remain vulnerable to cyberattacks due to Heartbleed, suggests a survey Venafi Labs released this week.

“Folks did a really great job of patching after Heartbleed was discovered,” said Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.

However, Heartbleed also put at risk the certificates and the encryption keys used to sign those certificates. The quick and dirty solution to that problem was to reissue certificates for a website.

“The problem with Heartbleed was that you have to assume that the key itself was compromised,” Bocek told TechNewsWorld. “If you don’t change the key, you’re not fixing the problem, because an attacker can use the key to spoof a site or perform a man-in-the-middle attack.”

Long Tail of Death

The problem can be worse for larger organizations.

“It’s a very simple equation,” Bocek noted. “The more servers that were vulnerable, the more keys and certificates you have, the less time, effort and capability you have to fix it.”

As applications, virtual machines and servers are replaced, new keys will be created, so Heartbleed will bleed out in the long term — “but that could take years,” Bocek said. “It’ll be a long tail of death.”

Meanwhile, consumers — who may need their memories refreshed — need to take precautions should they run into a website compromised by Heartbleed.

“The only real thing the consumer can do is limit the risk by protecting personal digital information that sits in the cloud,” said Dashlane’s Schalit.

“The only thing under the consumer’s control to do that is having a unique password on every website,” he said. “At least then if one password is stolen, it doesn’t spread to other accounts and other websites.”

Bigger Problem

Heartbleed is a symptom of a larger problem, though, and that’s the dependence of the infrastructure of the Internet on under-resourced open source projects.

“About 66 percent of all servers connected to the Internet use some version of the OpenSSL library, but virtually no one is maintaining it,” said Pavel Krcma, CTO of Sticky Password.

“There can be problems hidden in these libraries for years, just because there are so few people taking care of these critical libraries,” he told TechNewsWorld.

“More companies have to invest in developing and testing OpenSSL,” added Krcma. “They need to share some of the money they make on products built on it.”

Breach Diary

  • March 30. British Airways confirms a number of its executive club frequent flyer accounts have been compromised by hackers. The data thieves apparenty obtained a database of user names and passwords from somewhere on the Internet and used them to mount the attack.
  • March 30. Bradley University in Peoria, Illinois, reveals personal information of some 4,700 current and former employees is at risk after malware discovered on school’s computer systems.
  • March 30. Uber denies its computer systems breached and user names and passwords stolen. Company was reacting to reports that thousands of its users’ credentials were being sold on the Internet underground.
  • March 31. Neustar survey of 250 IT pros in Europe, the Middle East and Africa finds DDoS attacks could expose 40 percent of businesses to losses of US$150,000 an hour at peak times.
  • March 31. Operators of GitHub, one the largest repositories for programming code on the Internet, say Distributed Denial of Service attack, which lasted five days, has subsided. Some security experts attributed the attack to state-sponsored Chinese hackers.
  • March 31. Google and University of California at Berkeley study finds that 5 percent of people visiting Google sites are infected with ad injectors. About a third of the injectors, the study said, could be classified as malware.
  • April 2. President Barack Obama issues executive order establishing framework for imposing sanctions on anyone engaged in malicious cyberactivity that aims to harm critical infrastructure, damage computer systems, and steal trade secrets or sensitive information.
  • April 2. U.S. District Judge Beth Labson Freeman rejects motion by Google to dismiss lawsuit alleging company violated the privacy of its Wallet users by sharing their personal information with outside developers.
  • April 2. U.S. Veterans Administration office in Denver says personal informaton of 508 patients compromised in document leaked to local TV station.

Upcoming Security Events

  • April 9. How Many of Your Digital Assets Are Currently Unmanaged? 2 p.m. ET. RiskIQ webinar. Free with registration.
  • April 11. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 11-12. B-Sides Charm. Howard Community College, Gateway Building, Charles I. Ecker Business Training Center, 6751 Columbia Gateway Drive, Columbia, Maryland. Fee: TBD.
  • April 11-12. B-Sides Orlando. University of Central Florida, 4000 Central Florida Blvd., Orlando, Florida. Fee: $20.
  • April 15. Secure Government: Manage, Mitigate, Mobilize. Symantec Government Symposium, Walter E. Washington Convention Center, Washington, D.C. Registration: government, free; non-government, $295.
  • April 16. Enterprise Defense and Why You’re Most Likely Doing It All Wrong. 2 p.m. ET. Black Hat webcast. Free with registration.
  • April 17-18. B-Sides Algiers. Ecole Nationale Suprieure d’Informatique, Oued Smar, Algiers, Algeria. Free.
  • April 18. B-Sides Oklahoma. Hard Rock Casino, 777 W. Cherokee St., Catoosa, Oklahoma. Free.
  • April 19-20. B-Sides San Francisco. 135 Bluxome St., San Francisco. Registration: $20, plus $2.09 fee.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • April 25. B-Sides Rochester. German House, 315 Gregory St., Rochester, New York. Free.
  • April 29. Best Practices for DDos Protection. 9 a.m. ET. Arbor Networks webinar. Free with registration.
  • April 29. SDN and NFV: Protecting the Next Wave Infrastructure. 11 a.m. ET. Arbor Networks webinar. Free with registration.
  • April 29. Dark Reading’s Security Crash Course. Mandalay Bay Convention Center. Las Vegas, Nevada. Registration: through March 20, $899; March 21-April 24, $999; April 25-29, $1,099.
  • May 6-7. Suits and Spooks London. techUK, 10 Saint Bride St., London. Registration: government/military, $305; members, $486; industry, $571.
  • May 2. B-Sides San Antonio. Texas A&M, Brooks City Base, San Antonio, Texas. Fee: $10.
  • May 9. B-Sides Boston. Microsoft 1 Cambridge Center, Cambridge, Massachusetts. Fee: $20.
  • May 13. SecureWorld Houston. Norris Conference Center, Houston, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • June 8-10. SIA Government summit 2015. W Hotel, Washington, D.C. Meeting Fees: members, $595; nonmember, $795.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, Pounds 400; before June 16, Pounds 500; after June 15, pounds 600.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1795; before July 25, $2195; after July 24, $2595.
  • Sept. 28-Oct. 01. ASIS 2015. Anaheim Convention Center, Anaheim, California. Registration: through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300; June 1-Aug. 31 — $995, $1,250, $1,045, $350; Sept. 1-Oct. 1 — $1,095, $1,350, $1,145, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels