Joseph Iacoviello

On Monday, April 7th, the OpenSSL team reported the Heartbleed bug to the world. OpenSSL is the software used to encrypt, or hide, the data travelling from your computer to a website. It is widely used; any URL that starts with https:// uses OpenSSL as a means to encrypt the data in transit. The Heartbleed bug allows an attacker to grab private data from a server, which in turn lets them decrypt the private data that OpenSSL is hiding. It is estimated that two-thirds of the internet can be exploited using the Heartbleed bug.

Each website using OpenSSL uses a specific code to encrypt its data, called a private key. This code is used by the server to decode the data so that the server can communicate with your browser. This code must remain a secret for the data to be secure; anybody who knows the private key can decrypt the data. To exploit the Heartbleed bug, the attacker sends a specific command to the server. The server then replies with a memory dump of 64 random kilobytes of memory. If the hacker did not find what they wanted in that section of memory, they can exploit the bug again indefinitely until they get the data they want. Using this method they will eventually get the private key.
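The "specific command" above is a TLS heartbeat request whose declared payload length is larger than the record actually carries. The following Python checker is an added example, not code from the original post or from OpenSSL: it parses TLS records, flags heartbeat messages that fail the bounds check a patched server applies, and shows a responder that only echoes bytes it really received. The sample bytes are constructed, not captured traffic.

```python
import struct
from typing import List, Optional, Tuple

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding

def parse_records(data: bytes):
    """Yield (content_type, version, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) < length:        # truncated record: stop parsing
            break
        yield ctype, version, fragment
        off += 5 + length

def check_heartbeat(fragment: bytes) -> Optional[str]:
    """Return None if the heartbeat fragment is well-formed, else the reason.

    The Heartbleed pattern is a declared payload_length larger than what the
    record actually carries; a patched peer silently discards such a message.
    """
    if len(fragment) < 3:
        return "fragment shorter than heartbeat header"
    hb_type, payload_len = fragment[0], struct.unpack("!H", fragment[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return f"unknown heartbeat type {hb_type}"
    if 1 + 2 + payload_len + MIN_PADDING > len(fragment):
        return f"declared payload {payload_len} bytes, record only {len(fragment)}"
    return None

def build_response(fragment: bytes) -> Optional[bytes]:
    """Echo the payload the way a patched server does: only after the bounds
    check, so the copy can never run past the bytes actually received."""
    if check_heartbeat(fragment) is not None:
        return None
    payload_len = struct.unpack("!H", fragment[1:3])[0]
    payload = fragment[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * MIN_PADDING

def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (record_index, reason) for every malformed heartbeat record."""
    alerts = []
    for idx, (ctype, _ver, fragment) in enumerate(parse_records(data)):
        if ctype == TLS_HEARTBEAT:
            reason = check_heartbeat(fragment)
            if reason:
                alerts.append((idx, reason))
    return alerts

# Constructed samples: a benign 4-byte request, and a request that declares
# 16 KiB of payload while carrying none (the shape a detector should flag).
GOOD_REQUEST = b"\x18\x03\x02" + struct.pack("!H", 23) + b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16
BAD_REQUEST = b"\x18\x03\x02" + struct.pack("!H", 3) + b"\x01" + struct.pack("!H", 0x4000)
```

`scan(GOOD_REQUEST + BAD_REQUEST)` reports only the second record, and `build_response` refuses it outright instead of reading past the three bytes it was given.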

The bug was discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team. The OpenSSL team then proceeded to carefully alert the major companies who use SSL to encrypt their data. Although the exploit was reported on Monday, it was discovered earlier. The problem with an exploit this widespread and this serious is that alerting the public right away alerts the hackers as well as the server admins. This leaves a dangerous window between hackers learning about the bug and server admins fixing it, during which any server can be hacked and private user data leaked. Because hackers typically respond to new exploits much faster than server admins can, many sites would be hacked if OpenSSL released the information to the public right away. The team first released the information to sites like Facebook and Google, but Amazon and Yahoo were not notified until Monday. Even some branches of Google were not notified. The more people who know about the exploit, the higher the chance that it leaks prematurely, allowing hackers to attack servers that have not yet had the chance to patch the bug. Alerting service providers before the general public is a very common tactic for zero-day exploits (exploits discovered by security researchers that may or may not already be exploited by hackers). OpenSSL was forced to release the information when it got a message from a Finnish cybersecurity firm warning that the secret was out. Because of this early release, some companies like Amazon and Yahoo, who would otherwise have been notified, were left scrambling to release server updates.

Very rarely is there a bug as serious and as widespread as the Heartbleed bug. Unfortunately, the Heartbleed bug has been in existence since New Year’s Eve 2011, so it is very possible that your data could already be compromised. If you haven’t done so already, you should change your passwords on every site. It is also recommended that you use two-factor authentication instead of only your password, because hackers would not be able to access your account with only your password.

Joe Iacoviello