TMCnet News

Don't panic: Heartbleed surgery for dummies [ITP.net (United Arab Emirates)]
[April 16, 2014]



(ITP.net (United Arab Emirates) Via Acquire Media NewsEdge) Security is a hard-fought prize in the mobile era. And occasionally those who deal in it and rely upon it are dealt a sucker punch. An honest mistake and two years of oversight led to the name "Heartbleed" being bounced around the Web like the digital End of Days had arrived.



As is common in cyber security media, many reports of the flaw in the OpenSSL protocol were characterised by exaggeration and misunderstanding. It was affecting banks, they said; mobile platforms and governments were at risk. Nobody was safe.

At ITP.net, our message is: Don't panic. Here we explain what it is, where it came from, how it works, who it affects, and how to protect yourself.


When accessing a site where privacy and security are essential and implied, the provider needs to ensure that each user session is shielded from eavesdropping. Over the years a number of network techniques have been adopted to try to achieve this, but the ones we are most interested in here are the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

SSL was first developed by Netscape and, simply put, was designed to keep data transmissions private. Imagine a cleverly designed briefcase that is to be hand-delivered. Anyone can lock the briefcase, but only the genuine recipient can open it because the one key that can do so has been delivered to them separately. This is a little like receiving your banking PIN in a separate envelope to your ATM card.

This public-private key (PPK) system enshrined in SSL went through several version changes over the years and hit its share of security bumps, but today it is widely trusted and used in a number of applications including Web browsing, email, instant messaging, and voice-over-IP (VoIP) systems.

TLS is largely an upgrade of SSL 3.0 and exposes the same basic functionality. Another important function of TLS is a handshake system that establishes a transaction session between an end-point client (PC, tablet, smartphone, etc.) and a host server. The TLS protocol dictates that the client request a session to be conducted using SSL. After a digital "contract" is in place, the business at hand can begin.

OpenSSL is an open-source implementation of the "best bits" from SSL and TLS. In case you don't know, open-source essentially means "built by committee". Software developers are free to tinker with, extend and enhance open-source code libraries.

In OpenSSL the TLS handshake is referred to as a heartbeat and occurs at regular intervals so that client and server are updated on the status of the session. This means ports can be closed and connections severed, preventing misuse by Internet miscreants.

It is in this heartbeat function that the Heartbleed flaw lies. While deploying the feature on 19 April, 2012 (bringing OpenSSL to version 1.0.1), Dr Robin Seggelmann, a German coder and regular OpenSSL contributor, accidentally included the bug. It works like this: when a client machine asks the server to confirm the connection is still open during an OpenSSL session, the server responds with just enough information to say "yes". But the flaw allows the client to send a trick heartbeat request and fool the server into not just saying "yes", but delivering the contents of memory spaces adjacent to where the OpenSSL session is held.

It is somewhat like being asked: "Do you know the time?" and instead of simply saying "yes", which is a strictly sufficient answer to the question, you blurt out: "Yes, it's 3.17pm and 22 seconds on 23 January 2012 and I've just had my lunch - a chicken sandwich and some apple juice... and it was delicious." Too much information is a digital faux-pas and the consequences can be potentially dire.

Because the heartbeat conversation is session-specific, this leads to other problems. The server only consults its main memory (RAM) to give the requested information. Heartbleed means that the client machine can get access to up to 65.5 kilobytes of data beyond the memory space dedicated to the OpenSSL session, and because RAM recycles memory space, there could be all kinds of treasures in that area. What if that extra content were credit card numbers, passwords or session cookies?

So how does this affect you? Well, the number of servers affected appears to have been over-estimated. Initially some reports suggested 60% of all servers had the flaw. Now, some figures are settling at under 20%. Remember, not everybody uses OpenSSL, and those that do are only affected if they are running version 1.0.1. A new version (1.0.1g) patches the flaw, and earlier versions are also Heartbleed-free.
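The over-read described above, reduced to a self-contained C simulation. This is an added example, not code from the article and not OpenSSL's own source: a heartbeat record is written into a small fake memory arena next to a constructed sample secret, an unchecked handler believes the message's length field the way the article says the flawed server did, and a checked handler applies the kind of bounds check that the 1.0.1g fix introduced (claimed payload plus header and padding must fit inside the record actually received, otherwise the message is silently dropped). The function names, the arena layout, the offset of the secret and the secret string itself are assumptions made for the demonstration; the over-read is kept inside the arena so the simulation itself has no undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding                                             */
#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_HEADER     3
#define HB_PADDING    16

#define ARENA_SIZE    256   /* fake server memory: the record plus its neighbours (assumed) */
#define SECRET_OFFSET 40    /* where unrelated session data sits in the arena (assumed)    */
#define RESP_CAP      512

/* Constructed sample of "adjacent memory" that a fixed server must never echo. */
static const char SECRET[] = "cookie=constructed-sample-session-secret";

/* Encode a heartbeat request. claimed_len goes into the length field; payload is
 * what is really appended. An honest request uses claimed_len == payload_len.
 * Returns the number of bytes actually written (the record length).           */
static size_t encode_request(uint8_t *out, size_t cap, uint16_t claimed_len,
                             const uint8_t *payload, size_t payload_len) {
    size_t need = HB_HEADER + payload_len + HB_PADDING;
    if (need > cap) return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + HB_HEADER, payload, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return need;
}

/* Shared response builder: echoes payload_len bytes starting just after the header. */
static size_t build_response(const uint8_t *rec, uint16_t payload_len,
                             uint8_t *resp, size_t cap) {
    size_t total = HB_HEADER + (size_t)payload_len + HB_PADDING;
    if (total > cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload_len); /* reads past the record if lied to */
    memset(resp + HB_HEADER + payload_len, 0, HB_PADDING);
    return total;
}

/* Unchecked handler: trusts the length field and never consults how many bytes
 * actually arrived, which is the behaviour the article attributes to OpenSSL 1.0.1. */
static size_t handle_unchecked(const uint8_t *rec, size_t rec_len,
                               uint8_t *resp, size_t cap) {
    (void)rec_len;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec, claimed, resp, cap);
}

/* Checked handler: the claimed payload, header and padding must fit inside the
 * received record; otherwise the message is discarded, as RFC 6520 section 4 requires. */
static size_t handle_checked(const uint8_t *rec, size_t rec_len,
                             uint8_t *resp, size_t cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)claimed + HB_PADDING > rec_len) return 0;
    return build_response(rec, claimed, resp, cap);
}

/* Byte-string search used to detect whether the secret was echoed. */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Run one scenario: a request carrying a 4-byte payload and the given length field,
 * placed in the arena next to SECRET. Returns 1 if the secret appears in the reply,
 * 0 otherwise; *resp_len receives the reply size (0 when the message was dropped). */
int secret_leaked(int use_checked, uint16_t claimed_len, size_t *resp_len) {
    uint8_t arena[ARENA_SIZE];
    uint8_t resp[RESP_CAP];
    if (claimed_len > ARENA_SIZE - HB_HEADER)   /* keep the simulated over-read inside the arena */
        claimed_len = ARENA_SIZE - HB_HEADER;
    memset(arena, 0, sizeof arena);
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
    size_t rec_len = encode_request(arena, ARENA_SIZE, claimed_len, (const uint8_t *)"ping", 4);
    size_t n = use_checked ? handle_checked(arena, rec_len, resp, sizeof resp)
                           : handle_unchecked(arena, rec_len, resp, sizeof resp);
    *resp_len = n;
    return contains(resp, n, SECRET);
}

int main(void) {
    size_t n;
    int leaked = secret_leaked(0, 200, &n);
    printf("unchecked handler, length field 200: %zu-byte reply, secret leaked: %s\n", n, leaked ? "yes" : "no");
    leaked = secret_leaked(1, 200, &n);
    printf("checked handler,   length field 200: %zu-byte reply, secret leaked: %s\n", n, leaked ? "yes" : "no");
    leaked = secret_leaked(1, 4, &n);
    printf("checked handler,   honest request:   %zu-byte reply, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The point the simulation makes is the one the article makes in prose: the unchecked handler answers a 23-byte record with a 219-byte reply and the sample secret rides along in it, while the checked handler answers the honest request normally and returns nothing at all for the mismatched one. It also shows why the article's remark about logs holds: the dropped or echoed bytes never pass through anything that would record them, so detection has to come from the length check itself, or from inspecting heartbeat records on the wire for a length field larger than the record.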

Those that are operating on OpenSSL 1.0.1 are working to introduce fixes. Blackberry was keen to point out that the majority of its products were devoid of OpenSSL, but it is working to introduce patches for BBM on iOS and Android. Regionally, spokespeople from online retailers JadoPado and Namshi have confirmed they were using 1.0.1, but have since patched to the latest version.

Perhaps the most insidious aspect of Heartbleed is that information could have been leaked from affected servers without anyone knowing. Application and Web server logs do not record the low-end activity of RAM, which is why it is being widely reported that Heartbleed allows hackers to steal information without leaving a trace. This also explains the absence of any media reports where organisations are confirming stolen data, but be suspicious of any enterprise that admits to using OpenSSL 1.0.1 and also claims categorically that no breach has occurred. Such claims suggest a lack of understanding of Heartbleed.

Anonymous data theft is honey to hackers and in fact, in the case of Heartbleed, no "hack" is necessary. Malicious actors merely compromise an encrypted session and nonchalantly stroll away with a random chunk of data that may or may not be useful. No firewall has been breached; no network has been compromised. Or if you like: the knave has not scaled the city walls, but an over-chatty portcullis guard might have directed him to a secret door.

As an end user the solution to Heartbleed could not be simpler: change your passwords. When doing so, make sure to apply best practice. ITP's advice on the subject can be found here.

So, don't panic. Passwords and patches will relegate Heartbleed to history and while the open-source community may need to apply some damage control, the passion surrounding collaborative development is too strong to put much of a dent in its momentum.

(c) 2014 ITP Business Publishing Ltd. All Rights Reserved. Provided by Syndigate.info, an Albawaba.com company
