Internet sites scramble to patch ‘Heartbleed’ bug, reassure users
As word spread this week about the dreaded “Heartbleed” bug, consumers and Websites struggled to understand the implications and sort through some of the more apocalyptic pronouncements being made about the problem.
Consumers started to receive a trickle of notices from services they use online alerting them to potential issues and recommended steps, such as changing passwords. But given the scope of the issue, security experts projected that it could take years to sew up all the holes created by the Heartbleed bug.
“This is one of the worst security issues we’ve seen in the last decade and will remain within the top 5 for many years to come,” said Adam Ely, founder and chief operating officer of Bluebox Security.
Added Jeff Forristal, Bluebox chief technical officer: “OpenSSL is extremely pervasive on all manners of devices, systems and servers. It is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years.”
OpenSSL is a technology used to provide encryption of an estimated 66% of all servers on the public Internet. It’s an open source code that is developed and maintained by a community of developers, rather than by a single company.
The “Heartbleed” bug was discovered separately last week by Neel Mehta, a security researcher at Google, and a team of security engineers at Codenomicon, a security website that has since created a website with information about Heartbleed.
It appears the bug was introduced into OpenSSL by a simple programming mistake that then got pushed out as websites around the world updated the version of OpenSSL they were running.
An updated version of OpenSSL has been issued, and sites can use that to fix the bug. In addition to updating OpenSSL, sites will need to update many pieces of their security protocols known as keys and certificates that help them confirm the identity of users.
“We do not have any evidence that passwords or any other private information has been compromised,” the company said. “However, given that this exploit existed in the wild for such a long time, it is possible that an attacker could have stolen passwords without our knowledge. As a result, we recommend that all Firebase users change the passwords on their accounts.”
SoundCloud also alerted users that it had made the necessary changes and that they had all been logged out.
“When you sign back in, the fixes we’ve already put in place will take effect,” the company said on its blog. “You should also change your password. We are not aware of any exploitation of this vulnerability on SoundCloud.”
Security experts suggest users find out whether a service has updated its OpenSSL version and made the necessary security changes before changing their password. Otherwise, it’s possible that a hacker may just grab the new password.
“To be sure that attackers won’t be able to use compromised data, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library, said Jaime Blasco, labs director for AlienVault.
The revelation of the bug has alarms ringing across the Web because OpenSSL had become so widely adopted.
“No doubt, the bug is a serious concern,” said Andrew Storms, director of DevOps at CloudPassage. “OpenSSL is the de facto standard for implementing encryption in just about every open-source application and even many commercial software products. Every time security-related problems are discovered in OpenSSL, huge swaths of Internet services require an update and a reboot. The fact that the bug has been in the OpenSSL code train since December of 2011 just increases the likelihood that the list of affected systems is staggering.”
What’s making the security community so nervous is just how little is known about how widely the vulnerability has been exploited to get personal and commercial information.
“This is an excellent example of vulnerabilities that exist within encryption products just waiting to be discovered,” said Lucas Zaichkowsky, enterprise defense architect for AccessData. “This particular programming error was introduced in December 2011 with OpenSSL version 1.0.1. Criminals could have been using it. Intelligence agencies like the NSA could have been exploiting it. It’s hard to say what those organizations have in their arsenal, being used quietly.”
The bug is also raising questions about the wisdom of relying on such a single standard.
“Having common technology is typically viewed as a good thing. But it can also lead to assumptions,” said Jonathan Sander, vice president of research and technology for STEALTHbits Technologies. “People assume the parts they use are safe if everyone uses them. If deep testing isn’t being done by the good guys to make sure those parts stay safe over time, then you can be sure the bad guys will find the faults first.”
Added Mark Bower, vice president of product management and solution architecture for Voltage Security:
“Security vulnerabilities will always exist, and provide the ideal beachhead for attackers to establish the data-stealing malware infantry front line. In this case, Heartbleed’s significant data theft risk also emphasizes the need to take a different approach to data protection above and beyond SSL.”
It’s also led to a debate about the reliability of open-sourced security tools.
“This is really serious and a big blow to the credibility of open source,” said Phil Lieberman, president of Lieberman Software in Los Angeles. “This is very bad, and the consequences are very scary now that it has been disclosed. The fact that this code is on home- and commercial Internet-connected devices on a global scale means that the Internet is a different place today.”
Your guide to our new economic reality.
Get our free business newsletter for insights and tips for getting by.
You may occasionally receive promotional content from the Los Angeles Times.