Over a week since the Heartbleed bug was revealed to the world millions of web users are still at risk of serious identity thefts. This week it was announced that up to 50 million Android smartphones were vulnerable, while Heartbleed-enabled hacks hit U.K. parenting site Mumsnet, and the Canadian tax authority.
Heartbleed is a loophole in the popular OpenSSL cryptographic software library. It potentially allows anyone to obtain sensitive data such as passwords or bank details. In the case of the Canadian tax authority, for example, over 900 social insurance numbers have been stolen. It was originally thought the bug would not be easy to exploit.
But a challenge set by web security firm CloudFare – to see if someone could steal its security certificate and send a message proving it – was cracked in just three hours by a software engineer named Fedor Indutny. “It was just a fun way of spending Friday evening time,” he told the Washington Post.
In further controversy, it was speculated on Saturday that the National Security Agency (NSA), the U.S. intelligence outfit, has known of Heartbleed’s existence for two years. After first declining to comment the NSA rebuked the claim: “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” read an email from the Office of the Director of National Intelligence.
Heartbleed appears to be one of the Internet’s greatest ever faults, and is thought to affect over two thirds of the entire web. Most websites have rushed to urge users to change their passwords. But with the security certificates those passwords use compromised, experts warn that may not be enough to prevent losses.
“Fundamentally, this vulnerability represents an existential threat to the Internet,” says Darien Kindlund, director of threat research at FireEye. “Heartbleed will be a true test of our entire worldwide public key infrastructure (PKI), because not only will affected systems need to be patched, but also every patched system’s key material will have to be revoked and reissued on a massive scale.
“Because it is unknown how long this exploit may have been used prior to the fix,” adds Kindlund, “organizations are encouraged to revoke previous certificates and establish new certificates to re-establish trust that only authorized users have the appropriate certificates. Those organizations who fail to change their key material will be vulnerable for years after the underlying has been fixed.
“The bug is in a very widespread web application, that is responsible for secure connections. From this point it is a big deal,” adds Gabor Szappanos, an expert at security software developer Sophos. “How easy it is to exploit? At first it seemed that in practice it cannot be abused easily, the secret keys are extractable only in a short period of time after the server reboot. But the Cloudfare security challenge proved that it is possible to exploit it in practice.
“A bigger problem is that all the information is out now,” adds Szappanos. “The Metasploit Framework already contains a module to exploit this vulnerability. The Cloudfare test publicly proved that it can be feasibly exploited. I expect a wave of attack on the vulnerable servers starting now. And given that it is a bit of pain to patch servers and regenerate the secret keys, I think that a significant amount of vulnerable servers will be out there in the upcoming months.”