The Heartbleed bug is big, probably the biggest security story of the year, far outweighing the Apple and NSA reports. It is still growing, and we are going to be seeing fallout from this for a long while.
There is definitely going to be more fallout from this once we realise that the problem is much bigger than we thought and find out just how much was taken during the period in which this bug had not been patched. The Heartbleed bug is a big, really big problem.
What is the Heartbleed Bug?
Hopefully my semi-technical writing will make sense. In brief, this bug exists in OpenSSL, which is the SSL layer powering lots of different software, in this case the Linux servers used around the world to power websites and provide hosting.
So if you have a website with HTTPS enabled and you are running Apache or nginx as your web server, those use OpenSSL on the backend to power the SSL component. Given that HTTPS is used on millions of websites, it affects a whole host of things.
The Heartbleed bug was introduced into the software way back in 2011.
With a maliciously formed TLS request you were able to have the server respond with 64K of arbitrary memory from its process space, and if you kept making requests you got a different 64K of memory each time.
Reading up on it got far too technical (exactly how you requested the memory or which memory you were given), but the upshot is that the bug let you read the server's raw memory and have it sent back to you.
Now the problem is that the memory space of the OpenSSL process is the memory of the entire web server that is running it. So anything local to that process, the web server traffic for example, is in there.
The biggest problem is the SSL keys, like the private key the web server uses on its end to encrypt and decrypt the traffic. The private key could have been sent back in a response to the attacker, effectively saying "hey, here's my private key". So an attacker could query a bunch of servers, get all these random memory contents back, and try a bunch of the segments within them as the key to see if it decrypts the traffic, since you already have the public key from when you made the connections.
In layman's terms, it potentially allows the attacker to view what's going on over HTTPS.
So it's pretty bad. People are saying you would only be able to get the private key if the server had only recently been restarted; I don't know the details of all that, but the part that matters is that you could get the private key. Plus anything else that was going through the web server process at the same time, including the traffic, and if your application ran in the web server process (like Apache when it runs mod_php), all of that was potentially exposed.
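To make the mechanism concrete, here is an added example written for this page (it is not OpenSSL's own source): a stand-alone C model of the RFC 6520 heartbeat record and of the length check that OpenSSL 1.0.1g added. Everything is simulated inside one constructed byte array standing in for the server's memory, so the over-read stays inside our own buffer; the placeholder "PRIVATE KEY" string, the handler names and the function layout are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code. Simplified heartbeat message (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * One constructed array stands in for the server's process memory. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256

/* Constructed stand-in for sensitive data that happens to sit after the
 * record in process memory; a placeholder string, not a real key. */
static const char secret_tail[] = "-----BEGIN PRIVATE KEY----- (placeholder)";

/* Write a request whose real payload is "hi" (2 bytes) but whose length
 * field claims claimed_len bytes. Returns the true record length. */
static size_t build_request(unsigned char *mem, uint16_t claimed_len)
{
    const char payload[] = "hi";
    size_t real_payload = sizeof(payload) - 1;
    size_t record_len = 1 + 2 + real_payload + HB_PADDING;

    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, real_payload);
    /* padding is already zero; the "secret" follows the record in memory */
    memcpy(mem + record_len, secret_tail, sizeof(secret_tail));
    return record_len;
}

/* Vulnerable handler: trusts the client-supplied length field and never
 * compares it with the record actually received (OpenSSL 1.0.1 to 1.0.1f).
 * Returns payload bytes echoed back, or -1 if resp is too small. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *resp, size_t resp_size)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                       /* ignored: this is the bug */
    if ((size_t)3 + payload + HB_PADDING > resp_size)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);  /* reads past the real payload */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Fixed handler: the bounds check added in OpenSSL 1.0.1g. A record whose
 * claimed payload does not fit is silently discarded (RFC 6520 section 4).
 * Returns payload bytes echoed, 0 if discarded, -1 if resp is too small. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *resp, size_t resp_size)
{
    uint16_t payload;
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                        /* length field lies: drop it */
    if ((size_t)3 + payload + HB_PADDING > resp_size)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Does the response contain the placeholder secret anywhere? */
static int contains_secret(const unsigned char *resp, size_t len)
{
    size_t n = strlen(secret_tail), i;
    for (i = 0; i + n <= len; i++)
        if (memcmp(resp + i, secret_tail, n) == 0)
            return 1;
    return 0;
}

/* Run one request through a handler (fixed != 0 selects the patched one).
 * Returns 1 if the secret leaked into the response, else 0. */
int leaks_secret(int fixed, uint16_t claimed_len)
{
    unsigned char mem[MEM_SIZE], resp[MEM_SIZE];
    size_t rec_len = build_request(mem, claimed_len);
    int n = fixed ? heartbeat_fixed(mem, rec_len, resp, sizeof resp)
                  : heartbeat_vulnerable(mem, rec_len, resp, sizeof resp);
    return n > 0 ? contains_secret(resp, (size_t)3 + (size_t)n) : 0;
}

/* Same run, but report how many payload bytes the handler echoed. */
int echoed_len(int fixed, uint16_t claimed_len)
{
    unsigned char mem[MEM_SIZE], resp[MEM_SIZE];
    size_t rec_len = build_request(mem, claimed_len);
    return fixed ? heartbeat_fixed(mem, rec_len, resp, sizeof resp)
                 : heartbeat_vulnerable(mem, rec_len, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable, honest length 2: leaked=%d\n", leaks_secret(0, 2));
    printf("vulnerable, claimed 100:     leaked=%d\n", leaks_secret(0, 100));
    printf("fixed, claimed 100:          leaked=%d echoed=%d\n",
           leaks_secret(1, 100), echoed_len(1, 100));
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the bytes actually received; with an honest request both behave identically, and only the lying request separates them.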
How Much Is Exposed?
Web servers are mostly powered by Linux. One particular choice that seems to be popular is CentOS, because it is extremely conservative and generally very secure by default. You don't really have to be a security expert to make CentOS reasonably secure; you can pretty much leave it on the defaults and security will be pretty good.
CentOS in its latest release, 6.05, Red Hat Linux and a few other Linux distributions have similar release schedules for updates, but the bug was so old that it was still shipping in the latest versions of these distributions.
These Linux distributions power a heck of a lot of sites; almost any website host will offer dedicated Linux hosting. So that's how old and how big Heartbleed is.
As it was only recently discovered, it was basically patched straight away, but because it shipped untouched in these conservative Linux distributions, this bug affects so, so many sites.
Even Android is affected
Many is the time an Android fan will rise up and call Apple's security into question, but now is not a good time for Android handsets. If you still run Android 4.4.1, released back in 2012, you might still be vulnerable to the Heartbleed bug.
How To Check.
Tools have been released to check your favourite websites, and after testing a few sites that I personally visit, about a quarter of them were still vulnerable the morning after the bug was discovered. So there had been an entire day in which to patch this. The patches for all the Linux distributions were out the day before, and the next day there were still major sites that were vulnerable, which is a horrible thing.
This isn't limited to just servers. If you have a load balancer or a router that runs embedded Linux, and that version of embedded Linux has this flaw in it, the bug could be in all sorts of places; it could even exist on your home router. Anything that runs embedded Linux or an embedded SSL library could be affected by this bug.
It is a pretty big deal, and it is really hard to know just how bad this will be. We know that the potential was really bad, but what we don't know is how much of it was exploited before these holes started being closed, and how long it will be before all of the holes are closed.
So yes, the Heartbleed bug is a pretty major issue, so what should you do?
Firstly, go and change any passwords that you use to log into any service or website. This might seem like overkill, but it is the only way to be truly safe. Change each password after the site has patched, otherwise the new password can be exposed in exactly the same way. There are some "check for Heartbleed" tools on the internet that will take a look at a URL and tell you whether the exploit has been patched, so if you want some peace of mind about your favourite websites these are worth searching out.
How to manage your password better.
If you want a way to securely store really complex and long passwords that will be pretty much hack-proof, then the biggest recommendation I can give is 1Password. It stores all of your passwords for the sites you log into, so at a glance you can see everywhere you have created a username and password and take the appropriate action.
The best thing is that 1Password is actually on sale for half price at the moment for both Mac OS and iOS.
So, what to do now that you know just how big the problem is?