Wednesday, 30 April 2014

Heartbleed used against net thieves

29 April 2014, last updated at 12:53. By Mark Ward, Technology correspondent, BBC News

Image caption (radiator and thermostat): Heartbleed has put many smart home heating systems and other devices at risk.

The Heartbleed bug has turned cyber criminals from attackers into victims as researchers use it to grab material from chatrooms where they trade data.

Discovered in early April, Heartbleed lets attackers steal data from computers using vulnerable versions of some widely used security programs.

Now it has given anti-malware researchers access to forums that would otherwise be very hard to penetrate.

The news comes as others warn that the bug will be a threat for many years.

French anti-malware researcher Steven K told the BBC: "The potential of this vulnerability affecting black-hat services (where hackers use their skills for criminal ends) is just enormous."

Heartbleed had put many such forums in a "critical" position, he said, leaving them vulnerable to attack using tools that exploit the bug.

The Heartbleed vulnerability was found in software called OpenSSL, which is supposed to make it much harder to steal data. Instead, exploiting the bug makes a server hand over small chunks of the data it has just handled - in many cases login details or other sensitive information.

Mr K said he was using specially written tools to target some closed forums called Darkode and Damagelab.

"Darkode was vulnerable, and this forum is a really hard target," he said. "Not many people have the ability to monitor this forum, but Heartbleed exposed everything."

Charlie Svensson, a computer security researcher at Sentor, which tests companies' security systems, said: "This work just goes to show how serious Heartbleed is. You can get the keys to the kingdom, all thanks to a nice little heartbeat query."

Individuals who repeat the work of security researchers such as Mr K could leave themselves open to criminal charges for malicious hacking.

Threat 'growing'

The widespread publicity about Heartbleed had led operators of many websites to update vulnerable software and urge users to change passwords.

Paul Mutton, a security researcher at net monitoring firm Netcraft, explained that while that meant there was no "significant risk of further direct exploitation of the bug", it did not mean all danger had passed.

He said the problem had been compounded by the fact that a large number of sites had not cleaned up all their security credentials put at risk by Heartbleed.

In particular, he said, many sites had yet to invalidate or revoke the security certificates used as a guarantee of their identity.

"If a compromised certificate has not been revoked, an attacker can still use it to impersonate that website," said Mr Mutton.

Image caption (Heartbleed logo): The dangers posed by Heartbleed will persist for years, warn security experts.

In addition, he said, web browsers did a poor job of checking whether security certificates had been revoked.

"Consequently, the dangers posed by the Heartbleed bug could persist for a few more years."

His comments were echoed by James Lyne, global head of security research at security software developer Sophos.

"There is a very long tail of sites that are going to be vulnerable for a very long time," said Mr Lyne, who pointed out that the list of devices that Heartbleed put at risk was growing.

Many so-called smart devices, such as home routers, CCTV cameras, baby monitors and home-management gadgets that control heating and power, were now known to be vulnerable to Heartbleed-based attacks, he said.

A survey by tech news site Wired found that smart thermostats, cloud-based data services, printers, firewalls and video-conferencing systems were all vulnerable.

Other reports suggest the makers of some industrial control systems are also now producing patches for their software to limit the potential for attack.

How tempting this was for malicious attackers was difficult to gauge, said Mr Lyne.

"We do not really know how much Heartbleed is being used offensively because it's an attack that is hard to track and log."

Thursday, 17 April 2014

Heartbleed may 'slow' web speeds

15 April 2014, last updated at 14:13

Image caption (turtle sign): Browsing speeds could slow as websites update security systems to defeat Heartbleed attacks, warn researchers.

The struggle to fix problems caused by the Heartbleed bug may slow browsing speeds, warns analysis firm Netcraft.

The sheer number of sites refreshing key credentials may trigger delays, reported the Washington Post.

The updates could force browsers to keep downloading and checking long lists of safe sites which would slow attempts to reach those destinations.

The updates will help stop attackers posing as well-known sites using stolen security credentials.

Security check

About 500,000 websites were thought to be vulnerable to the Heartbleed bug which, if exploited, would let attackers slowly steal data from web servers.

Many sites, including Google, Facebook, DropBox and OKCupid, have now patched the version of the security software they ran, called OpenSSL, that was vulnerable to Heartbleed.

However, said Paul Mutton, a security analyst at Netcraft, sites also had to take action to change a separate security measure if they wanted to be sure that visitors' data did not go astray.

This separate measure is known as a security certificate and is a guarantee of a site's identity.

Heartbleed raised questions about the worth of the guarantee security certificates offered, said Mr Mutton. Using the Heartbleed bug attackers could seize secret keys used in conjunction with security certificates as an identity check.

"It would be safest to assume that all of the 500,000 certificates have been compromised," he told the BBC. "Most Certificate Authorities are offering to reissue and revoke for free, so there is no excuse not to take action."

However, he said, the revoking and reissuing of hundreds of thousands of certificates could have a knock-on effect on web browsing speeds.

When a user visits a site, their browsing program typically checks to see if the security certificate for that site has been revoked, said Mr Mutton. Under normal circumstances, this rarely causes a delay as relatively few certificates are revoked every day.

Now, said Mr Mutton, the numbers of revocations were growing, thanks to Heartbleed, with thousands more every day being revoked and reissued.

Image caption (rubber stamp): Heartbleed has made many firms rush to update website security credentials.

Robin Alden, chief technology officer at certificate authority Comodo, told PC World that its renewal rates had gone up by a factor between 15 and 30 since news about Heartbleed broke.

It said it was providing tools to customers to help them check if sites were vulnerable to the Heartbleed bug.

"Certificate revocation has always been a bottleneck since SSL was invented," said Dr Mark Manulis, a senior lecturer at the University of Surrey's computing department who specialises in cryptography.

If Heartbleed led to large-scale revocations, that could cause problems, said Dr Manulis, as not all browsers downloaded lists and there were potentially hundreds of certification authorities to contact.

"Each browser would have to contact each of those authorities and download the lists because those lists are not shared," he said.

Mr Mutton from Netcraft said an added complication was being introduced by firms that issued new certificates but had not revoked the older potentially vulnerable ones.

"This is dangerous," he said. "If the old certificates had been compromised, they could still be spoofed and used for man-in-the-middle attacks even if the affected sites are now using new certificates."

Dr Dan Page, a lecturer in cryptography from the University of Bristol, said updating certificates and issuing new ones can take time.

"It takes time for the revocations to filter through the system," he said.

"Previously there have been breaches but not across everyone," added Dr Page. "That's definitely different here and is much more worrying."

Code check

Also struggling to cope with its workload is the organisation behind the OpenSSL software in which the Heartbleed was found.

In an open letter Steve Marquess, president of the OpenSSL Software Foundation, issued a plea for more donations and funding to recruit more people to help maintain the widely used software.

"While OpenSSL does 'belong to the people' it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support," he wrote in a blogpost.

"The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted," he added.

Annual donations typically amounted to about $2,000 (£1,195), he said, though this had briefly spiked following publicity about Heartbleed.

More money would help the Foundation hire enough staff to cope with all the requests it gets for help and to maintain the core code.

"There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work," he said.

"If you're a corporate or government decision-maker in a position to do something about it, give it some thought," he said.

Wednesday, 16 April 2014

Heartbleed hackers hit Mumsnet

14 April 2014, last updated at 19:12. By Leo Kelion, Technology desk editor

Video: The BBC's Rory Cellan-Jones explains what users should do next.

A leading UK site for parents and the Canadian tax authority have both announced they have had data stolen by hackers exploiting the Heartbleed bug.

Mumsnet - which says it has 1.5 million registered members - said that it believed that the cyber thieves may have obtained passwords and personal messages before it patched its site.

The Canada Revenue Agency said that 900 people's social insurance numbers had been stolen.

These are the first confirmed losses.

The Mumsnet site's founder Justine Roberts told the BBC that it became apparent that user data was at risk when her own username and password were used to post a message online.

She said the hackers then informed Mumsnet's administrators that the attack was linked to the Heartbleed flaw and told them the company's data was not safe.

"On Friday 11 April, it became apparent that what is widely known as the Heartbleed bug had been used to access data from Mumsnet users' accounts," the London-based website added in an email to its members.

"We have no way of knowing which Mumsnetters were affected by this.

"The worst case scenario is that the data of every Mumsnet user account was accessed.

"It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone's account being used for anything other than to flag up the security breach, thus far."

Image caption (Mumsnet homepage): Mumsnet is making all of its members reset their passwords.

The site added that it was forcing its members to reset any password created on or before Saturday.

Canada's tax agency was one of the first major organisations to cut services as a result of the flaw in OpenSSL - a cryptographic software library used by services to keep data transmissions private.

However, its action last Tuesday appears to have come too late.

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," the agency said on a message posted to its homepage.

"Based on our analysis to date, social insurance numbers (SINs) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability."

"We are currently going through the painstaking process of analysing other fragments of data, some that may relate to businesses, that were also removed."

Image caption (Canada Revenue Agency screenshot): The Canadian tax agency published a statement about the attack on its website.

Heartbleed flaw

The Heartbleed bug was made public a week ago by Google and Codenomicon, a small Finnish security firm, which independently identified the problem.

OpenSSL is used to digitally scramble data as it passes between a user's device and an online service in order to prevent others eavesdropping on the information.

It is used by many, but not all, sites that show a little padlock and use a web address beginning "https".

The researchers discovered that because of a coding mishap hackers could theoretically access 64 kilobytes of unencrypted data from the working memory of systems using vulnerable versions of OpenSSL.

Although that is a relatively small amount, the attackers can repeat the process to increase their haul.

'Dangerous' advice

Mumsnet has been criticised for one aspect of its handling of the breach - its email to members contains an inline link that it suggests they click to reset their passwords.

Image caption (Heartbleed logo): The Heartbleed bug allows hackers to steal small chunks of data from a vulnerable system's memory.

However, UK police had previously warned members of the public to beware of unsolicited email asking them to click links "even if they are from companies you are familiar with".

This is because fraudsters are taking advantage of Heartbleed to mount phishing attacks in which users are directed to spoof sites designed to steal their credentials.

"It is dangerous," Dr Steven Murdoch, a computer security researcher at the University of Cambridge told the BBC.

"Probably what [Mumsnet] should have done is sent out an email saying 'go to our website using the normal address [to reset the password]'.

"If people receive an email they have not asked for they should be suspicious."

By contrast Canada's tax agency said it would not call or email the individuals it believed to be affected by its breach in order to avoid giving criminals a chance to exploit the situation.

Instead it said it would send out registered letters.

"I believe we'll see many more of these announcements over the coming days," Keith Bird, UK managing director of internet security firm Check Point said.

"However, people should double-check that the website or service they use is actually advising them to choose a new password before making any changes to their settings.

"This way, they can be sure the website has updated its security, and that they're not running the risk of exposing a new password. And if a service does recommend changing passwords, don't choose one that you already use for other websites."


VIDEO: Heartbleed hackers hit Mumsnet

A leading UK site for parents and the Canadian tax authority have both announced they have had data stolen by hackers exploiting the Heartbleed bug.

Mumsnet, which says it has 1.5 million registered members, said that it believed that the cyber thieves may have obtained passwords and personal messages before it patched its site.

The Canada Revenue Agency said that 900 people's social insurance numbers had been stolen.

Rory Cellan-Jones reports.


Sunday, 13 April 2014

US warns of Heartbleed bug danger

11 April 2014, last updated at 18:50. By Leo Kelion, Technology desk editor

Image caption (Homeland Security sign): The US government suggests users should change the passwords of patched online services.

The US government has warned that it believes hackers are trying to make use of the Heartbleed bug.

The Department of Homeland Security advised the public to change passwords for sites affected by the flaw once they had confirmed they were secure.

However, an official added that there had not been any reported attacks or malicious incidents.

The alert comes as several makers of net hardware and software revealed some of their products had been compromised.


A German computer programmer has accepted responsibility for the emergence of the Heartbleed bug, according to a report in the Sydney Morning Herald.

Robin Seggelman, a 31-year-old from Oelde - 120 miles (193km) north of Frankfurt - is reported to have made the mistake while trying to improve the OpenSSL cryptographic library on 31 December 2011.

"It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area," he told Fairfax Media.

"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

Affected equipment includes network routers and switches, video conferencing kit, phone call software, firewalls and apps that let workers remotely access company data.

The encryption flaw can potentially be exploited to steal passwords and secret keys used to protect computer users.

Browser alerts

Experts say home kit is less at risk.

There had been reports that domestic home networking equipment - such as wi-fi routers - might also make use of unpatched versions of the OpenSSL cryptographic library used to digitally scramble sensitive data.

However, a security researcher at the University of Cambridge's Computer Laboratory said he thought this would be a relatively rare occurrence.

"You would have to be a semi-professional to have this sort of equipment at home," Dr Richard Clayton told the BBC.

Image caption (Heartbleed logo): News of the bug was made public on Monday.

"It's unusual to find secure connections to a home router because you'd have to have a certificate in the device.

"If that certificate were self-signed it would generate browser warnings. Alternatively, you could be regularly updated but that would cost money."

UK internet service providers (ISPs) Sky, TalkTalk and Virgin Media confirmed that their home router suppliers had told them their equipment did not use OpenSSL.

Password resets

News of the Heartbleed bug emerged on Monday when Google Security and Codenomicon - a Finnish security company - revealed that a flaw had existed in OpenSSL for more than two years.

This had made it possible to impersonate services and users, and potentially eavesdrop on data communications.


Internet security firm CloudFlare has cast doubt over how great the danger posed by Heartbleed is, saying it has been unable to exploit the flaw to obtain the secret SSL keys that would put people's data at risk.

The US company was one of those given early warning of the vulnerability before Monday's public announcement, and has had 12 days to carry out tests.

"Note that is not the same as saying it is impossible to use Heartbleed to get private keys," blogged software engineering leader Nick Sullivan.

"We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard."

The news prompted news site The Verge to lead with the headline: "Heartbleed security flaw may not be as dangerous as thought".

But Codenomicon - the security firm that sounded the first alert - stands by its warning.

"We know what we found," chief executive David Chartier told the BBC.

"Access to memory is a very serious vulnerability and it's great that people are taking quick action to upgrade and remediate the problem.

"If you search on the internet you will find many people have replicated the problem."

The flaw only exposed 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted.

The website set up to publicise the danger noted that it was possible to carry out such an attack "without leaving a trace", making it impossible to know for sure if criminals or cyberspies had taken advantage of it.
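Both this article and the Mumsnet report above describe the same mechanism: a heartbeat message states how long its payload is, and a server that echoes that many bytes back without checking how many bytes actually arrived hands over up to 64K of whatever sits in memory next to the request, with nothing logged. The C sketch below is an added illustration and is not code from the BBC or from OpenSSL itself. It models the TLS Heartbeat message layout from RFC 6520 (a one-byte type, a two-byte big-endian payload length, the payload, and at least 16 bytes of padding) and compares the length a trusting parser would copy with a hardened parser that performs the bounds check the fix introduced. The two sample records are constructed for the example, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not OpenSSL's code. TLS Heartbeat layout (RFC 6520):
 *   byte 0     type (1 = heartbeat_request, 2 = heartbeat_response)
 *   bytes 1-2  payload_length, big-endian
 *   ...        payload_length bytes of payload to be echoed back
 *   ...        at least 16 bytes of random padding
 * The message arrives inside one TLS record whose real length (rec_len)
 * the receiver already knows from the record layer.
 */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define HB_REQUEST      1
#define HB_RESPONSE     2

/* Bytes a parser copies into the reply when it trusts the sender's
 * payload_length field and never compares it with rec_len: up to 65535,
 * regardless of how many bytes the record actually holds. */
size_t hb_unchecked_copy_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN)
        return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened parse: header + claimed payload + minimum padding must fit
 * inside the bytes actually received. Returns the payload length that may
 * be echoed, or -1 when the message must be discarded silently. */
int hb_checked_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                          /* cannot even hold padding */
    if (rec[0] != HB_REQUEST)
        return -1;                          /* only requests are echoed */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;                          /* claimed length exceeds record */
    return (int)payload_len;
}

/* Build the echo reply into a caller-owned buffer, copying only payload
 * bytes that exist in the received record. Returns bytes written or -1. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_len)
{
    int payload_len = hb_checked_payload_len(rec, rec_len);
    if (payload_len < 0)
        return -1;
    size_t need = HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (out_len < need)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)payload_len);
    /* Padding is zeroed here; a real stack fills it with random bytes. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Convenience wrapper: reply length for a record, using a local buffer. */
int hb_reply_len(const uint8_t *rec, size_t rec_len)
{
    uint8_t reply[64];
    return hb_build_response(rec, rec_len, reply, sizeof reply);
}

/* Constructed sample records (not captured traffic). */
/* Claims 0xFFFF payload bytes but carries none: 3-byte header + 16 padding. */
const uint8_t MALICIOUS_RECORD[19] = { 0x01, 0xFF, 0xFF,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
/* Honest request: 4-byte payload "ping" followed by 16 padding bytes. */
const uint8_t BENIGN_RECORD[23] = { 0x01, 0x00, 0x04, 'p','i','n','g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

int main(void)
{
    printf("malicious record: unchecked copy %zu bytes, checked -> %d\n",
           hb_unchecked_copy_len(MALICIOUS_RECORD, sizeof MALICIOUS_RECORD),
           hb_checked_payload_len(MALICIOUS_RECORD, sizeof MALICIOUS_RECORD));
    printf("benign record: checked -> %d, reply %d bytes\n",
           hb_checked_payload_len(BENIGN_RECORD, sizeof BENIGN_RECORD),
           hb_reply_len(BENIGN_RECORD, sizeof BENIGN_RECORD));
    return 0;
}
```

The point for a defender is the asymmetry the article describes: the hardened parser rejects the oversized claim and sends nothing, so there is nothing to log on either side, while the trusting parser would have copied 65535 bytes from beyond the 19-byte record. The only reliable control is the length check itself, which is why patching, rather than monitoring, was the advice given throughout these reports.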

Media reports initially focused on the risk of logging into compromised online services such as webmail, cloud storage and banking, with some - but not all - companies suggesting users should reset their passwords.

Risk to business

Warnings from companies including Cisco, Juniper, Fortinet, Red Hat and Watchguard Technologies that some of their internet products are compromised may now place the spotlight on the corporate sector.

Dr Clayton explained how such a hacker could take advantage of the problem.

"If you managed to log into a router then the simplest thing you could do would be to change the DNS [domain name system] settings in there," he said.

"Then you could arrange that everything on the internet resolves correctly apart from, for example, Barclays.com, which you could set to resolve to a malicious site that asks for the visitors' details."

Image caption (Junos Pulse): Junos Pulse - an app used to allow remote access to networks - is one of the compromised products.

Prof Alan Woodward, a security expert at the University of Surrey, gave another scenario in which hackers could take advantage of flaws in virtual private network software used to let workers log into corporate networks when not in the office.

'Closely monitor'

"The worst case would be that they could reach in and see the keys," he said.

"Hence all the traffic going to and from remote workers that people thought was secure could potentially be decrypted.

"But you would be working through quite a few layers of things to get to that because the way OpenSSL is used is quite complicated."

The US government has said that it was working with third-party organisations "to determine the potential vulnerabilities to computer systems that control essential systems - like critical infrastructure, user-facing and financial systems".

Meanwhile, officials suggested members of the public should "closely monitor your email accounts, bank accounts, social media accounts and other online assets for irregular or suspicious activity, such as abnormal purchases or messages".

Video: Rory Cellan-Jones looks at ways to manage strong online passwords.

The UK has given similar advice.

"People should take advice on changing passwords from the websites they use," said a Cabinet Office spokesman.

"Most websites have corrected the bug and are best placed to advise what action, if any, people need to take."


Heartbleed: Do you need to worry?

10 April 2014, last updated at 13:32. By Jane Wakefield, Technology reporter

Image caption (Heartbleed logo): The bug could be a huge problem.

This week it has emerged that a major security flaw at the heart of the internet may have been exposing users' personal information and passwords to hackers for the past two years.

It is not known how widely the bug has been exploited, if at all, but what is clear is that it is one of the biggest security issues to have faced the internet to date.

Security expert Bruce Schneier described it as "catastrophic". He said: "On the scale of one to 10, this is an 11."

The BBC has attempted to round up everything you need to know about Heartbleed.

What is the Heartbleed bug?

The bug exists in a piece of open source software called OpenSSL which is designed to encrypt communications between a user's computer and a web server, a sort of secret handshake at the beginning of a secure conversation.

It was dubbed Heartbleed because it affects an extension to SSL (Secure Sockets Layer) which engineers dubbed Heartbeat.

It is one of the most widely used encryption tools on the internet, believed to be deployed by roughly two-thirds of all websites. If you see a little padlock symbol in your browser then it is likely that you are using SSL.

Half a million sites are thought to have been affected.

In his blog, Bruce Schneier, chief technology officer of Co3 Systems, said: "The Heartbleed bug allows anyone to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content."

"This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users," he added.

The bug is so serious it has its own website Heartbleed.com which outlines all aspects of the problem.

Do I need to change my passwords?

Some security experts are saying that it would be prudent to do so although there is a degree of confusion as to when and if this needs to be done.

Many of the large technology firms including Facebook and Google have patched the vulnerability.

Confusingly though Google spokeswoman Dorothy Chou specifically said: "Google users do not need to change their passwords." A source at the firm told the BBC that it patched the vulnerability ahead of the exploit being made public and did not believe that it had been widely used by hackers.

Some point out that there will be plenty of smaller sites that haven't yet dealt with the issue and with these a password reset could do more harm than good, revealing both old and new passwords to any would-be attacker.

But now the bug is widely known even smaller sites will issue patches soon so most people should probably start thinking about resetting their passwords.

"Some time over the next 48 hours would seem like sensible timing," the University of Surrey's computer scientist Prof Alan Woodward told the BBC.

Mikko Hypponen of security firm F-Secure issued similar advice: "Take care of the passwords that are very important to you. Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."

How do I make sure my password is robust?

Video: Rory Cellan-Jones looks at ways to manage strong online passwords.

The exploit was not related to weak passwords, but now that there are calls for a mass reset of existing ones, many are reiterating the need to make sure they are as secure as possible.

People should regularly change their passwords, said Prof Woodward, and they need to make sure that they choose something that does not relate to themselves, such as a pet's name. Words that don't appear in a dictionary are preferable as is a mixture of words and numbers.

For people whose attitude to passwords is to reset them each time they visit a site because they have forgotten them, there is help on hand.

Tools are now widely available that will store and organise all your passwords and PIN codes for computers, apps and networks. They can also generate passwords and can automatically enter your username and password into forms on websites.

Such tools store your passwords in an encrypted file that is accessible only through the use of a master password. Examples of such services include KeePass, LastPass and 1Password.

Some firms are starting to offer alternatives to passwords.

Mobile firms including Apple and Samsung are integrating fingerprint-readers which allow users to access their phone and certain functions on it just by swiping their finger on the screen.

Which sites are affected?

Half a million sites are believed to be vulnerable, too many to list, but there is a glut of new sites offering users the chance to check whether the online haunts they use regularly are affected.

The LastPass website has compiled a list as has new website Mashable. Meanwhile security firm Kaspersky directs people to the Heartbleed test.

While Facebook and Google say that they have patched their services, according to the Kaspersky blog, there is a long list of sites that are still vulnerable, including Flickr, OkCupid and Github.

One of the biggest tech firms remaining on the vulnerable list was Yahoo but, as of last night, it too seemed to have remedied the problem saying it "had made the appropriate corrections across our entire platform".

Many more sites will spend the coming days scrambling to do the same.

Bruce Schneier called on internet companies to issue new certificates and keys for encrypting internet traffic. Doing so would render stolen keys useless, he said.

What is the worst-case scenario?

The bad news, according to a blog from security firm Kaspersky, is that "exploiting Heartbleed leaves no traces so there is no definitive way to tell if the server was hacked and what kind of data was stolen".

Security experts say that they are starting to see evidence that hacker groups are conducting automated scans of the internet in search of web servers using OpenSSL.

And Kaspersky said that it had uncovered evidence that groups believed to be involved in state-sponsored cyber-espionage were running such scans shortly after news of the bug broke.

Why has the problem only just come to light?

The bug was first spotted by Google Security and a Finnish security firm Codenomicon which said that it was introduced by a programming error.

Because OpenSSL is open source, researchers were able to study the code in detail which is why it was found in the first place.

But such code libraries are immensely complex so it can take some time for those who routinely examine the code to come across such problems.

"It was such an unexpected problem that it wasn't something that researchers would necessarily have been looking for," Prof Woodward told the BBC.

Is the bug connected to revelations about US and UK government snooping?

Image caption (Edward Snowden): Edward Snowden leaked details about the US attempting to undermine encryption.

There is no direct evidence although lots of speculation that there is a link after details emerged that the National Security Agency (NSA) explored ways to break encryption.

GCHQ simply said it had a "longstanding policy that we do not comment on intelligence matters".

And many seemed to think that the problem was down to bad code rather than anything more sinister.

"More of a cock-up than a conspiracy," said Prof Woodward, who has undertaken consultancy work for GCHQ.

Saturday, 12 April 2014

US warns of Heartbleed bug danger

11 April 2014 Last updated at 18:50 By Leo Kelion Technology desk editor Homeland security sign The US government suggests users should change the passwords of patched online services The US government has warned that it believes hackers are trying to make use of the Heartbleed bug.

The Department of Homeland Security advised the public to change passwords for sites affected by the flaw once they had confirmed they were secure.

However, an official added that there had not been any reported attacks or malicious incidents.

The alert comes as several makers of net hardware and software revealed some of their products had been compromised.

Continue reading the main story

A German computer programmer has accepted responsibility for the emergence of the Heartbleed bug, according to a report in the Sydney Morning Herald.

Robin Seggelman, a 31 year old from Oelde - 120 miles (193km) north of Frankfurt - is reported to have made the mistake while trying to improve the OpenSSL cryptographic library on 31 December 2011.

"It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area," he told Fairfax Media.

"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

Affected equipment includes network routers and switches, video conferencing kit, phone call software, firewalls and apps that let workers remotely access company data.

The encryption flaw can potentially be exploited to steal passwords and secret keys used to protect computer users.

Browser alerts

Experts say home kit is less at risk.

There had been reports that domestic home networking equipment - such as wi-fi routers - might also make use of unpatched versions of the OpenSSL cryptographic library used to digitally scramble sensitive data.

However, a security researcher at the University of Cambridge's Computer Laboratory said he thought this would be a relatively rare occurrence.

"You would have to be a semi-professional to have this sort of equipment at home," Dr Richard Clayton told the BBC.

[Image: Heartbleed logo] News of the bug was made public on Monday

"It's unusual to find secure connections to a home router because you'd have to have a certificate in the device.

"If that certificate were self-signed it would generate browser warnings. Alternatively, you could be regularly updated but that would cost money."

UK internet service providers (ISPs) Sky, TalkTalk and Virgin Media confirmed that their home router suppliers had told them their equipment did not use OpenSSL.

Password resets

News of the Heartbleed bug emerged on Monday when Google Security and Codenomicon - a Finnish security company - revealed that a flaw had existed in OpenSSL for more than two years.

This had made it possible to impersonate services and users, and potentially eavesdrop on data communications.


Internet security firm Cloudflare has cast doubt over how great the danger posed by Heartbleed is, saying it has been unable to exploit the flaw to obtain the secret SSL keys that would put people's data at risk.

The US company was one of those given early warning of the vulnerability before Monday's public announcement, and has had 12 days to carry out tests.

"Note that is not the same as saying it is impossible to use Heartbleed to get private keys," blogged software engineering leader Nick Sullivan.

"We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard."

The news prompted news site The Verge to lead with the headline: "Heartbleed security flaw may not be as dangerous as thought".

But Codenomicon - the security firm that sounded the first alert - stands by its warning.

"We know what we found," chief executive David Chartier told the BBC.

"Access to memory is a very serious vulnerability and it's great that people are taking quick action to upgrade and remediate the problem.

"If you search on the internet you will find many people have replicated the problem."

The flaw only exposed 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted.

The website set up to publicise the danger noted that it was possible to carry out such an attack "without leaving a trace", making it impossible to know for sure if criminals or cyberspies had taken advantage of it.
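The 64K-per-request limit and the "without leaving a trace" observation above both follow from the structure of the TLS heartbeat message: a 16-bit declared payload length that vulnerable OpenSSL copied into its reply without checking it against the bytes actually received. As an added illustration (not code from the BBC article, from OpenSSL, or from any product named here), the Python below parses a TLS record and applies the length-consistency check that the OpenSSL fix and most intrusion-detection signatures rely on. The record layout follows RFC 6520 (heartbeat content type 0x18; a one-byte message type, a two-byte payload length, the payload, and at least 16 bytes of padding); the sample records are constructed for this example.

```python
import struct

# TLS record content type for heartbeat messages (RFC 6520).
TLS_HEARTBEAT = 0x18
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> dict:
    """Classify one TLS record by whether its heartbeat lengths are consistent.

    Returns {'verdict': ..., 'reason': ...} where verdict is one of
    'not-heartbeat', 'malformed' or 'ok'. A request whose declared payload
    length cannot fit inside the record it arrived in is exactly the shape a
    Heartbleed probe has, so an IDS or a hardened server rejects it.
    """
    if len(record) < 5:
        return {"verdict": "malformed", "reason": "record shorter than TLS header"}

    # TLS record header: content type (1), protocol version (2), length (2).
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat", "reason": f"content type 0x{content_type:02x}"}

    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"verdict": "malformed", "reason": "record length does not match bytes present"}
    if len(body) < 3:
        return {"verdict": "malformed", "reason": "heartbeat body too short for type and length"}

    # Heartbeat message: type (1), payload_length (2), payload, padding.
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return {"verdict": "malformed", "reason": f"unknown heartbeat type {hb_type}"}

    # The check the patched OpenSSL performs before echoing the payload:
    # type + length field + declared payload + minimum padding must fit in the record.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return {
            "verdict": "malformed",
            "reason": f"declared payload of {payload_len} bytes cannot fit in a {rec_len}-byte record",
        }
    return {"verdict": "ok", "reason": f"{payload_len}-byte payload fits in record"}


# Constructed sample records (not captured traffic).
_benign_body = bytes([HEARTBEAT_REQUEST]) + (4).to_bytes(2, "big") + b"ping" + b"\x00" * MIN_PADDING
BENIGN_RECORD = b"\x18\x03\x02" + len(_benign_body).to_bytes(2, "big") + _benign_body

# A three-byte heartbeat body that declares 65535 bytes (the 64K the article
# mentions) of payload it does not carry: the length check rejects it.
OVERSIZED_RECORD = b"\x18\x03\x02\x00\x03" + bytes([HEARTBEAT_REQUEST, 0xFF, 0xFF])

# Ordinary application data, which the checker ignores.
APP_DATA_RECORD = b"\x17\x03\x02\x00\x02hi"

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_RECORD), ("oversized", OVERSIZED_RECORD), ("app-data", APP_DATA_RECORD)]:
        print(name, check_heartbeat_record(rec))
```

Because the check is purely a comparison of two length fields, it is cheap enough to run inline on every heartbeat record, which is why patching the server and adding a signature for over-declared heartbeats were the two standard responses; neither, however, reveals whether such a request was already answered before the fix was applied.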

Media reports initially focused on the risk of logging into compromised online services such as webmail, cloud storage and banking, with some - but not all - companies suggesting users should reset their passwords.

Risk to business

Warnings from companies including Cisco, Juniper, Fortinet, Red Hat and Watchguard Technologies that some of their internet products are compromised may now place the spotlight on the corporate sector.

Dr Clayton explained how such a hacker could take advantage of the problem.

"If you managed to log into a router then the simplest thing you could do would be to change the DNS [domain name system] settings in there," he said.

"Then you could arrange that everything on the internet resolves correctly apart from, for example, Barclays.com, which you could set to resolve to a malicious site that asks for the visitors' details."

[Image: Junos Pulse] Junos Pulse - an app used to allow remote access to networks - is one of the compromised products

Prof Alan Woodward, a security expert at the University of Surrey, gave another scenario in which hackers could take advantage of flaws in virtual private network software used to let workers log into corporate networks when not in the office.

'Closely monitor'

"The worst case would be that they could reach in and see the keys," he said.

"Hence all the traffic going to and from remote workers that people thought was secure could potentially be decrypted.

"But you would be working through quite a few layers of things to get to that because the way OpenSSL is used is quite complicated."

The US government has said that it was working with third-party organisations "to determine the potential vulnerabilities to computer systems that control essential systems - like critical infrastructure, user-facing and financial systems".

Meanwhile, officials suggested members of the public should "closely monitor your email accounts, bank accounts, social media accounts and other online assets for irregular or suspicious activity, such as abnormal purchases or messages".


The UK has given similar advice.

"People should take advice on changing passwords from the websites they use," said a Cabinet Office spokesman.

"Most websites have corrected the bug and are best placed to advise what action, if any, people need to take."