Every day you use encryption technology to protect your data, your applications and online services. Most of the time most people are blissfully unaware it is even happening. Whether you are a consumer accessing your Internet bank site, using a mobile application to log in and share data, or trading online, most of our use of modern technology involves this key capability, and without it trust on the Internet is significantly undermined. A new bug, again, puts trust on the Internet at risk on a significant scale. The bug, dubbed ‘heartbleed’, is based on a fault in functionality in the widely used OpenSSL library. It was originally discovered by Neel Mehta of Google Security. This library is extremely widely used, from security vendors' products to secure web browsing (when you log in to a site and see https://) and even mobile banking applications. The Apache web server, which powers a substantial part of the Internet, tends towards using OpenSSL. You may be using it at your business right now, and many popular services like Yahoo have been shown to be vulnerable (see the image below). UPDATE: Yahoo is no longer vulnerable to the attack, but there may have been significant data leaked for the extended period where they were running the vulnerable software.
So what exactly does this bug do and why should you care? There are numerous technical write-ups (with excellent detail, one of my favourites being this one), but for the rest of the Internet community the problem is as follows. When the bug is exploited the attacker can retrieve memory (up to 64kb) from the remote system. This memory may contain usernames, passwords, keys or other useful information that enables bigger attacks. An attacker may, for example, be able to retrieve the keys and secrets used to encrypt traffic and then intercept and read the communications of all other users of that service. There are all kinds of variations that might be possible based on the ability to read this memory. 64kb may not seem like a great deal of data, but of course the attacker can connect repeatedly and progressively collect more information. This is a serious problem indeed. If you want more detail you can review Paul Ducklin’s excellent outline at Naked Security. If you want to mitigate the issue on your systems, skip to the end of the article. Consumers should assume that their usernames, passwords or secrets may have been leaked and take steps to reset their passwords once the provider has patched. In this case it is very difficult, if not impossible, to retrospectively identify whether someone attacked your systems, so it is better to assume compromise, reset your credentials and play it safe. There are some services which allow you to check if a service is patched, but in some cases, such as with mobile app implementations, it is not simple. Providers should act responsibly and let their consumers know when it is safe to make the change.
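To make the "up to 64kb of memory" concrete, here is an added example (not code from the article or from OpenSSL) that simulates the RFC 6520 heartbeat handler over a constructed in-process buffer: one version trusts the 16-bit payload_length in the request, the other checks it against the real record length, which is the check the fixed OpenSSL adds. Buffer contents, the SECRET value and the helper names are all constructed for illustration.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_request(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat record: type(1) | payload_length(2) | payload | padding."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)


def hb_response_unchecked(memory: bytes) -> bytes:
    """Pre-fix behaviour: the record sits at offset 0 of `memory`; the handler
    copies payload_length bytes from the payload offset without asking how long
    the record actually was, so it reads into whatever follows the record."""
    claimed = struct.unpack("!H", memory[1:3])[0]          # attacker-controlled, max 65535
    return bytes([HEARTBEAT_RESPONSE]) + memory[1:3] + memory[3:3 + claimed]


def hb_response_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed behaviour: bound the claimed length by the record-layer length.
    Returns None when the message must be discarded silently (RFC 6520)."""
    if record_len < 3 + MIN_PADDING:                        # too short to be valid
        return None
    claimed = struct.unpack("!H", memory[1:3])[0]
    if 3 + claimed + MIN_PADDING > record_len:             # claims more than was sent
        return None
    return bytes([HEARTBEAT_RESPONSE]) + memory[1:3] + memory[3:3 + claimed]


# Constructed "server memory": the heartbeat record followed by unrelated data
# that stands in for adjacent heap contents (a session cookie here).
SECRET = b"session_cookie=abc123;"
HONEST = build_request(b"ping", 4)                          # payload_length matches payload
LYING = build_request(b"ping", 4 + MIN_PADDING + len(SECRET))  # over-claims by 38 bytes


def demo() -> dict:
    """Run both handlers over both requests and report what each returns."""
    return {
        "unchecked_honest": hb_response_unchecked(HONEST + SECRET),
        "unchecked_lying": hb_response_unchecked(LYING + SECRET),
        "checked_honest": hb_response_checked(HONEST + SECRET, len(HONEST)),
        "checked_lying": hb_response_checked(LYING + SECRET, len(LYING)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The unchecked handler echoes the constructed SECRET back inside the response to the over-claiming request, while the checked handler drops that request and still answers the honest one normally.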
There has already been a flurry of reporting and panic over the issue (see #heartbleed). The defect has been in the code for over 2 years and many are surprised that the bug has only just been found now, particularly as the OpenSSL code is open source and has been reviewed by quite a substantial number of people. This speaks to the challenge of writing secure software and bug hunting, but also perhaps highlights that there should be more systematic review of software which is so critical to all of our security and trust online.
This is certainly not the first defect of this sort in recent times that has undermined the fundamental trust system of the Internet, and it is very unlikely to be the last. Unfortunately, when these faults are found people do not typically react quickly and apply the fixes, leaving substantial opportunities for attackers. Most users browse the web and use apps with little consideration for how trust and security work on the Internet. There has been a long string of problems with SSL (which provides the secure connection you use to connect to your bank or other services, often indicated with ‘https://’), ranging from software defects to policy and security issues with the certificate authorities (of which there are a very large number). There have been instances of attackers getting their hands on certificates that let them pose as Facebook or even banks. When you actually analyse the technology and processes that deliver trust on the Internet, it is surprisingly fragile. That said, whilst this particular attack is a flaw in the technology, in many cases it is businesses' tardiness with patching, or failure to make the right configuration choices, that is the larger issue.
What should you do to protect your services?
- Check whether your website, apps or any products use OpenSSL and whether they are vulnerable to the attack. There is a neat site at http://filippo.io/Heartbleed/ where you can quickly run the check.
- Regenerate any private keys that your site uses once you have patched. Your keys may have been leaked whilst unpatched and would allow an attacker to continue intercepting traffic even after the patch. This is a critical step post patching. Jake Williams (@MalwareJake) is doing a webcast with the SANS Institute; you can find more information here.
- Update OpenSSL to the latest version which fixes the defect – this is not an automatic process in many cases. See the advisory here. You need version 1.0.1g or above.
- Check the state of your SSL configuration for your website and mail services. You can use this SSL checker, and CheckTLS for mail servers. This bug is the least of your worries if you are using the technology badly in the first place.
- Take a look at the more technical Q&A at http://heartbleed.com/ if you have further questions about the bug or how to remediate it.
KOMPAS.com — A security hole dubbed “heartbleed” has been found in the OpenSSL protocol. Web service providers that use OpenSSL for encryption must roll out a patch to close the resulting vulnerability.
By exploiting the heartbleed hole in OpenSSL, a hacker can steal information even when a site or service provider has already applied encryption (indicated by the “padlock” icon and the “https:” prefix in the URL).
The problem is a big one because OpenSSL is used by 66 percent of the entire web to encrypt data, so the security hole is widespread. Big names, including Gmail, Facebook and Yahoo, are affected.
On the user side, there is nothing to be done about this bug other than to wait for the service provider concerned to patch the heartbleed (heartbeat) hole, and then to change your password as a precaution in case the old one has leaked.
Below is a list of several popular services that are known to have, or not to have, the heartbleed security hole, as compiled by Mashable.
A complete list of the services affected by heartbleed can be seen in a list compiled on 8 April. Since that list was published, several service providers have rolled out patches to close the security hole.
| Site name | Affected by heartbleed? | Patched? | Should you change your password? |
| --- | --- | --- | --- |
|  | Unknown | Unknown | Unknown |
| Apple | Unknown | Unknown | Unknown |
| Ebay | Unknown | Unknown | Unknown |