You know that song lyric about the first cut being the deepest? It’s complete rubbish. Heartbleed taught us all that. Because the more we learn about this online data-security wound, the deeper that threat seems to go.
Discovered independently by Google engineer Neel Mehta and the Finnish security firm Codenomicon, Heartbleed has been called “one of the most serious security problems to ever affect the modern web.” I spoke with Codenomicon CEO David Chartier, who led the Finnish team that named and outed Heartbleed, to find out more about how his team discovered it, and how deep those vulnerabilities could go. (I’ve requested an interview with Mehta via Google, but as of this writing, have had no response so far.)
We All Bleed For Heartbleed
Heartbleed actually started out really small. In fact, it was just a slight, accidental gaffe committed by one coder. Had it been caught immediately, it would have required just filling in a missing bit of code. But it wasn’t. And now, that error has propagated to compromise much of the Internet.
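The "missing bit of code" was, in the well-documented root cause of CVE-2014-0160, a bounds check in OpenSSL's TLS heartbeat handler: the code trusted the payload length a peer claimed and copied that many bytes into its reply, whether or not the peer had actually sent them. The C below is an added illustration written for this page, not OpenSSL's code or anything from the article. The record layout is simplified (no surrounding TLS framing), the memory contents are constructed, and the function names are invented; it puts the unchecked handler beside the one-line check that closes the hole.

```c
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record (real ones also sit inside a TLS record):
 *   [type:1][payload_length:2, big-endian][payload][padding:16] */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_PADDING   16

/* Read the payload length the sender claims. Nothing guarantees it is true. */
static size_t claimed_payload_len(const unsigned char *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable pattern: the claimed length is trusted and that many bytes are
 * copied from wherever the record sits in memory. rec_len, the number of
 * bytes actually received, is never consulted. */
int heartbeat_reply_unchecked(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    size_t n = claimed_payload_len(rec);
    (void)rec_len;                                 /* the missing check */
    if (HB_HDR_LEN + n > out_cap)                  /* protects only the output */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, n); /* may read past the record */
    return (int)(HB_HDR_LEN + n);
}

/* Hardened pattern: header + claimed payload + padding must fit inside the
 * bytes that were actually received; otherwise the record is dropped. */
int heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_PADDING)
        return -1;                                 /* too short to be valid */
    size_t n = claimed_payload_len(rec);
    if (HB_HDR_LEN + n + HB_PADDING > rec_len)
        return -1;                                 /* sender lied about length */
    if (HB_HDR_LEN + n > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, n); /* stays inside the record */
    return (int)(HB_HDR_LEN + n);
}

/* Constructed stand-in for a slice of process memory (not a real capture):
 * a heartbeat request carrying 5 payload bytes but claiming `claimed`, its
 * padding, and then unrelated data that happens to sit next to it. */
enum { PAYLOAD_LEN = 5, RECORD_LEN = HB_HDR_LEN + PAYLOAD_LEN + HB_PADDING,
       ARENA_LEN = 96 };
static const char NEIGHBOR[] = "CONSTRUCTED-NEIGHBOR-DATA (key material would sit here)";

static size_t build_arena(unsigned char *arena, unsigned claimed)
{
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + HB_HDR_LEN, "hello", PAYLOAD_LEN);   /* padding stays zero */
    memcpy(arena + RECORD_LEN, NEIGHBOR, sizeof NEIGHBOR - 1);
    return RECORD_LEN;                                   /* bytes actually received */
}

/* How many bytes of NEIGHBOR the unchecked handler echoed back (0 = none). */
int demo_unchecked_leak(void)
{
    unsigned char arena[ARENA_LEN], reply[ARENA_LEN];
    size_t rec_len = build_arena(arena, 64);
    int n = heartbeat_reply_unchecked(arena, rec_len, reply, sizeof reply);
    if (n < 0) return -1;
    size_t copied = (size_t)n - HB_HDR_LEN;              /* 64 claimed */
    size_t present = rec_len - HB_HDR_LEN;               /* 21 really there */
    if (copied <= present) return 0;
    if (memcmp(reply + HB_HDR_LEN + present, NEIGHBOR, copied - present) != 0)
        return -2;                                       /* excess is not NEIGHBOR */
    return (int)(copied - present);
}

/* The hardened handler drops the same lying record ... */
int demo_checked_rejects_lie(void)
{
    unsigned char arena[ARENA_LEN], reply[ARENA_LEN];
    size_t rec_len = build_arena(arena, 64);
    return heartbeat_reply_checked(arena, rec_len, reply, sizeof reply);
}

/* ... but answers an honest one with exactly the payload it carried. */
int demo_checked_honest(void)
{
    unsigned char arena[ARENA_LEN], reply[ARENA_LEN];
    size_t rec_len = build_arena(arena, PAYLOAD_LEN);
    int n = heartbeat_reply_checked(arena, rec_len, reply, sizeof reply);
    if (n != HB_HDR_LEN + PAYLOAD_LEN) return -1;
    return memcmp(reply + HB_HDR_LEN, "hello", PAYLOAD_LEN) == 0 ? n : -2;
}

int main(void)
{
    printf("unchecked handler echoed %d adjacent bytes\n", demo_unchecked_leak());
    printf("checked handler on lying record: %d\n", demo_checked_rejects_lie());
    printf("checked handler on honest record: %d bytes replied\n", demo_checked_honest());
    return 0;
}
```

The check in the hardened handler has the same shape as the fix that shipped: a length field taken from the wire is only allowed to drive a copy after it has been compared against the number of bytes actually received. That comparison is what a reviewer should look for wherever network input supplies a length, and its absence is what the "large number of test cases" described later in the article is designed to surface.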
The main problem is that it affects OpenSSL, a widespread open-source implementation of the SSL/TLS encryption protocols used by as much as two-thirds of Web servers. The other issue is that it went largely undetected for two years—plenty of time to propagate across the Web and leave sites, services and accounts big and small open to infiltration. (As the National Security Agency has reportedly done, although the White House has denied that.)
The initial flood of news reports focused on the hackability of user logins, financial information, emails, photos, medical records, and much more. But Heartbleed’s reach could be bigger than anyone imagined. The OpenSSL flaw affects any server or client that uses it, and that means it could span a huge number of things—including routers and phones, as well as citywide or municipal infrastructure, such as emergency services, transit and utilities.
How Heartbleed Surfaced
Codenomicon first discovered Heartbleed—originally known by the infinitely less catchy name “CVE-2014-0160”—during a routine test of its software. In effect, the researchers pretended to be outside hackers and attacked the firm itself to test it.
“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses OpenSSL. And that’s how we found the bug.”
The engineers found they could burrow in despite the cryptographic security layer, and were shocked at how much was up for grabs. They could access memory and encryption certificates, and pull user data and other records. “This is when we understood that this is a super significant bug,” Chartier said.
The revelation was startling, not only because of the access this hole could allow, but because of its insidious nature, Chartier said. “On top of that, we couldn’t find any forensic trail that we were taking this data.” The hack was completely untraceable.
But how did something this egregious and widespread go on undetected for two years? The error is buried in the code. The only reason Chartier’s team found the glitch is that Codenomicon uses a rigorous testing process that throws a very large number of test cases at software to find weaknesses, just as hardcore hackers do, Chartier explained.
“The vulnerabilities you find after many tests are often more interesting than the ones you find right away,” he said. “When you find one that’s difficult, it’s more interesting [to hackers] because they can write an exploit, and it will take more time to be found.”
The odds of finding it were slight, yet Google’s Mehta discovered the Heartbleed bug almost simultaneously. Chartier chalks it up to happenstance. “Google’s one of the leading companies in the world, and it’s constantly testing for vulnerabilities,” he said. It takes security testing so seriously, it even offers a bounty for exploits on projects like Chrome.
But not every company takes security that seriously.
A Fail To Remember
Codenomicon, being a Finnish company, alerted the Finnish National Security Cyber Center of its findings. Commonly referred to as “CERT,” the group urged the OpenSSL Project to provide an update and release it to the public.
Since then, the news has been circulating in both tech and mainstream media outlets, and Chartier has been impressed with how online communities have disseminated the Heartbleed information. “We’re better off today than we were a week ago, because of getting the word out there,” he said. “It’s making the Internet safer and more secure.”
Unfortunately, the Web is not where this problem ends. Other networks also need to apply the software update to both server and client devices. This includes gadgets like phones, computers and other communication devices. It also includes numerous other technologies in the broader world, particularly the Internet of Things.
Because Heartbleed affects OpenSSL, which is widely adopted, it can affect an extensive range of categories, including connected homes, citywide transportation, emergency services, power grids and other utilities—pretty much any large-scale, connected system. This can make locking all of them down tricky.
Organizations must update to the patched version of OpenSSL, revoke encryption certificates that authenticate their sites and issue new ones. But systems that haven’t gone through security and system testing may not be set up to handle update protocols efficiently. “There’s a lot of stuff out there that was built a long time ago,” said Chartier. “It wasn’t built for the type of stuff that’s coming out today.”
Security tests are essential for critical infrastructure, but unfortunately, there’s still a lot of room for improvement. “A lot of companies do a little performance testing, to see if [software] does what it’s supposed to,” he said. “But they don’t do enough security testing.”
Chartier thinks it could take up to a year or two before all or most of the old versions of OpenSSL out there get updated. In the meantime, things may get tricky.
At this point, many—though not all—of the largest vulnerable sites on the Web have patched OpenSSL against Heartbleed. With some of the smaller service providers and businesses, it may take a little more time. The most prudent users may want to assume that their data was compromised, and change their passwords on every site and service once it has been patched. The Codenomicon chief recommends going through each provider, one by one, and “finding out if they used OpenSSL, and if they patched it.”
As for the companies and organizations, Chartier urges them to adopt more stringent security standards. “You need to put this type of testing into your build cycle,” he said. That’s the best chance at mitigating the risk—so threats don’t penetrate quite so deeply.
Feature collage by Adriana Lee for ReadWrite using images courtesy of Flickr user Marjan Krebelj and Heartbleed.com; heart lock image by Flickr user Alonis; David Chartier image courtesy of Codenomicon
SEO Insight: How Reviews are Impacting Your Website's Ability to Get Found
Business 2 Community
If you're a local business owner, you know the importance of reviews—for brand recognition, customer retention and new business, and overall trust. You might have even taken steps to optimize your reputation online as review sites spring up seemingly …
View full post on SEO – Google News
Bing has officially launched a new feature designed to help users save, organize, and share the content they find on Bing searches. Bing Saves is available for access as a public beta on bing.com/saves, where you can also get toolbar bookmarklets that allow you to save content to Bing that you find elsewhere on the […]
View full post on Search Engine Journal
Google has agreed to several concessions after an investigation by Canada’s Office of the Privacy Commissioner found Google in violation of Canada’s privacy rights for the use of sensitive health history in remarketing campaigns. The investigation began last January, when a man…
Please visit Search Engine Land for the full article.
As part of our SEJ interview series, Mary Bowling of Optimized! joins us to discuss how to get found locally with local search optimization tactics. Local search is all about being found by people in your area who are looking for what you offer. For some businesses, their entire livelihood is dependent on local […]
The post Getting Found With Local Search Optimization: Interview With Mary Bowling by @johnrampton appeared first on Search Engine Journal.
View full post on Search Engine Journal