
Fixing the bug, there's the rub How to reduce the threat of Heartbleed [Cape Argus (South Africa)]
[April 16, 2014]

(Cape Argus (South Africa) Via Acquire Media NewsEdge) Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of websites at the same time, security experts say.



Estimates of the severity of the bug's damage have mounted almost daily since researchers announced the discovery of Heartbleed last week.

What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake websites that mimic legitimate ones to trick consumers into handing over personal information.


The sheer scale of the work required to fix this aspect of the bug - which makes it possible to steal the private key behind a website's "security certificate", the credential that verifies that a website is authentic - could overwhelm the systems designed to keep the internet trustworthy.

"Imagine if we found out all at once that all the doors everybody uses are all vulnerable - they can all get broken into," said Jason Healey, a cyber security scholar at the Washington-based Atlantic Council. "The kinds of bad things it enables is largely limited only by the imagination of the bad guys."

The Heartbleed bug put many consumers' user names and passwords at risk. Undetected for two years, the bug quietly undermined the basic security of the internet by leaving a gap in OpenSSL, an open-source encryption library used widely by businesses to protect sensitive data.

By some estimates, the bug affected as much as two-thirds of the web's servers; the flaw prompted thousands of web users to change their passwords on Google, Yahoo, Facebook and other major services.

No examples have surfaced of anyone actually exploiting the vulnerability. But last week, web services company CloudFlare issued an open challenge to hackers to see if Heartbleed could be used to do something really dangerous - steal the security certificates that prove Google, for instance, is really Google.

CloudFlare's initial tests suggested it was probably impossible for an attacker to steal the private key behind a site's security certificate and lure visitors to a duplicate that looked and behaved like the real version.

For the challenge, CloudFlare urged internet users to run their own tests on a dummy server with the Heartbleed bug.

Hackers had to steal the private key behind the server's security certificate, then send a message to CloudFlare that was "signed" with that key in order to prove they had obtained it.

Within nine hours of the challenge's launch - and three hours after he began working on the problem - a hacker named Fedor Indutny became the first to crack the code.

"It was just a fun way of spending Friday evening time, and a good chance to try my skills in a legal hacking action," Indutny wrote in an e-mail to the Washington Post.

"After starting a script on a cloud server, I watched a movie and totally forgot about it. Checking the logs in approximately one hour, to my surprise, revealed a private key to me."

Indutny's coup was quickly followed by three more successful attempts at hacking the security key. One of the hackers, Ben Murphy, said it took him two hours to retrieve the secret key from CloudFlare's server.

Stealing the key is labour intensive: each request leaks only a small slice of whatever happens to be in the server's memory, and Indutny's attempt involved making 2.5 million requests of the CloudFlare server before he finally obtained the key. But what was thought to be impossible now turns out to be doable. Websites can indeed be tricked into giving up their identity papers, and those papers can be reused by malicious actors.
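The mechanism behind that leak, as an added illustration for this page (a simplified model written here, not OpenSSL's own code): a TLS heartbeat message carries a payload and a field stating the payload's length, and the server echoes the payload back. The vulnerable handler trusted the stated length instead of checking it against the record it had actually received, so it copied that many bytes from wherever the record sat in memory, including whatever was stored next to it. The `arena`, the planted `secret`, and the function names below are constructed for the demonstration; the bounds check in `heartbeat_fixed` mirrors the one OpenSSL 1.0.1g added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of OpenSSL's TLS heartbeat handling (CVE-2014-0160).
 * A heartbeat message is laid out as:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes)
 * The bug: the handler sized its reply from payload_length instead of checking
 * that field against the size of the record it had really received.
 */

#define ARENA_SIZE  4096
#define PADDING     16
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Constructed stand-in for process memory: the received record is written at
 * the start, and a constructed "secret" is placed immediately after it to play
 * the role of a neighbouring heap allocation (key material, in the real case). */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Write a heartbeat request into the arena. claimed_len is what the message
 * says its payload length is; actual_len is how many payload bytes were really
 * sent. Returns the record length the TLS layer would hand to the handler
 * (0 if it does not fit this model's arena). */
size_t build_heartbeat(uint16_t claimed_len, const unsigned char *payload, size_t actual_len)
{
    size_t record_len = 1 + 2 + actual_len + PADDING;
    if (record_len + sizeof secret > ARENA_SIZE) return 0;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    memcpy(arena + record_len, secret, sizeof secret);   /* the neighbour */
    return record_len;
}

/* Vulnerable handler (pre-1.0.1g behaviour): sizes the reply from the length
 * stated in the message. rec must point into the arena. Returns bytes written. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                                    /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len + PADDING > resp_cap) return 0;
    if ((size_t)3 + payload_len > ARENA_SIZE) return 0; /* model boundary only; real code had no such limit */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);           /* over-read past the record */
    memset(resp + 3 + payload_len, 0, PADDING);
    return 3 + payload_len + PADDING;
}

/* Fixed handler (the bounds check added in OpenSSL 1.0.1g): a message whose
 * stated payload length does not fit inside the received record is dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + PADDING > rec_len) return 0;  /* the check */
    if ((size_t)3 + payload_len + PADDING > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);
    memset(resp + 3 + payload_len, 0, PADDING);
    return 3 + payload_len + PADDING;
}

/* Does a response carry the neighbouring secret? */
int response_leaks_secret(const unsigned char *resp, size_t resp_len)
{
    size_t n = sizeof secret - 1;
    for (size_t i = 0; resp_len >= n && i + n <= resp_len; i++)
        if (memcmp(resp + i, secret, n) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char resp[ARENA_SIZE];
    static const unsigned char payload[] = "hello";
    size_t rec_len = build_heartbeat(1000, payload, 5);   /* claims 1000 bytes, sends 5 */
    size_t n = heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    printf("vulnerable: %zu-byte reply, leaks secret: %d\n", n, response_leaks_secret(resp, n));
    n = heartbeat_fixed(arena, rec_len, resp, sizeof resp);
    printf("fixed: %zu-byte reply (0 means dropped)\n", n);
    return 0;
}
```

A real server returned up to 64 KB of neighbouring memory per request, and which neighbour landed there depended on the heap layout at that moment; that is why the key only turned up after a long run of requests, as described above, and why the planted secret here sits at a fixed offset purely for the sake of the demonstration.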

Changing your passwords will not protect you if you give them unwittingly to a hacker pretending to be your web mail provider.

In the days after Heartbleed was revealed, many websites raced to update their systems. Those fixes plugged the immediate hole so hackers could no longer take advantage of the vulnerability. But in light of this latest discovery, many sites that have patched still appear to be exposed: an attacker could have used Heartbleed to steal a site's private key any time before the site patched its systems, and the patch does nothing to invalidate a key that was already taken.

The next step, experts say, is for all 500 000 affected sites to revoke their security certificates and issue new ones. But as necessary as that process is, it could have dramatic consequences for users' everyday experiences.

When you visit a secure site, your browser can check the site's security certificate against a list of revoked certificates published by the authority that issued it. Depending on how it is designed, the browser probably downloads that list to your computer. Because sites rarely change their certificates, the lists are relatively short.

But the Heartbleed clean-up now requires hundreds of thousands of sites to add their old certificates to those lists, practically overnight. The certificate revocation lists will become bloated with new entries, and browsers will continue to download the now-massive files, according to Paul Mutton, a security consultant at the web services company Netcraft. Checking a site's identity will take vastly longer.

"If a certificate authority has to revoke 10 000 certificates, that entry will have 10 000 certificates on it," Mutton said. "And if |browsers have to download that… we're talking hundreds of megabytes." It's roughly the equivalent of |having to download 30 minutes' worth of standard-definition video just to view a single web page.

Healey, of the Atlantic Council, said web security firms were left with two options. The first option is to risk slowing down the web in exchange for greater security. The second option is not much better.

"What's the other solution? Ask people to be vulnerable for longer? That doesn't strike me as particularly reasonable," he said. - Washington Post

The Heartbleed bug has caused anxiety for people and businesses. Now, it appears the computer bug is affecting not just websites, but also networking equipment including routers, switches and firewalls.

The extent of the damage caused by Heartbleed is unknown. The security hole exists on a vast number of the internet's web servers and went undetected for more than two years. Although it's conceivable that the flaw was never discovered by hackers, it's difficult to tell.

There isn't much people can do to protect themselves completely until the affected websites implement a fix. And in the case of networking equipment, that could be a while.

Here are three things you can do to reduce the threat:

• Change your passwords. This isn't a foolproof solution. It'll only help if the website in question has put in place the required security patches. You also might want to wait a week and then change them again.

• Worried about the websites you're surfing? There's a free add-on for the Firefox browser to check a site's vulnerability and provide colour-coded flags. Green means go and red means stop. You can download it here: https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker/

• Check the website of the company that made your home router to see if it has announced any problems. Also be diligent about downloading and installing any software updates you may receive. - Sapa-AP

Cape Argus (c) 2014 Independent Newspapers (Pty) Limited. All rights strictly reserved. Provided by Syndigate.info, an Albawaba.com company
