Sunday, April 13, 2014


Is this Bug Bleeding Us of Our Security on the Internet?

            The Heartbleed Bug—or CVE-2014-0160, as it is officially known—has a lot of people worried about their privacy and security online. The bug, discovered on April 7, 2014, is a weakness in the “OpenSSL cryptographic software library” that enables hackers to steal private information from unwitting victims. Problematically, OpenSSL is the most of its kind, and it is likely that everyone using the internet was affected, either directly or indirectly. 

Any information that was stolen would normally have been protected by the SSL/TSL (transport layer security) encryption, which secures information in the internet. However, the Heartbleed flaw allowed hackers access to users’ email, instant messaging, and virtual private networks. All of this was done without leaving a trace.


            As explained on the Heartbleed Bug website:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”



            A new version of the software has been released—Fixed OpenSSL—which lacks the flaws of the older version. The vulnerable versions have been identified as OpenSSL 1.0.1 through 1.0.1f. These versions were released beginning in March of 2012, and have been spreading for the past two years. The fixed version was released on April 7, 2014.



            It is impossible to tell whom this bug has affected. Before it was discovered by security engineers and Google security expert in Finland, it went undetected. Today, there are websites that test whether a URL is vulnerable, and allows users to see for themselves what passwords they need to change to stay protected.

            Websites are now attempting to determine whether the bug affected them, and what security measures and changes need to be put in place before they can be safe again. Meanwhile, consumers are worried about the possibility that their credit card numbers and other personal information are in the hands of hackers. Computer security experts have urged all internet users to change their passwords to be on the safe side. Passwords for email accounts, bank accounts, and even Facebook and Twitter can all be used to possibly exploit users.
 
            Further complicating the matter is the revelation that not only websites are vulnerable to the bug: many internet devices are as well. At least two-dozen devices have been identified as vulnerable, from servers and routers to video cameras and videoconference devices. Companies would have been especially susceptible to these types of attacks. Hackers would have had access to phone conversations and voicemails, and no one would have been the wiser.

      

 Not just businesses are vulnerable, though. Thousands of people are at risk of bring hacked if they use certain smartphones. Despite Google’s statement that all of its Android phones were immune to attack, the company added a “limited exception.” However, this exception is not so limited, as the vulnerable version, 4.1.1, is used by 34% of Android users. This version is used in “millions of smartphones and tablets,” making many consumers vulnerable to attack.

Recent revelations have made the Heartbleed Bug even more of a contentious issue. Three days after the Heartbleed Bug was revealed to the masses, reports surfaced that indicated the NSA knew about this bug for two years, and used the vulnerabilities to further spy on U.S. citizens. The NSA exploited the flaws in the OpenSSL software to gather intelligence on internet users and to “pursue national security interests.” However, by failing to tell everyday internet users of the bug, the government left millions of people unprotected from hackers, both international and domestic.

            The NSA denied these reports, claiming that they find out only when the bug was “discovered” by the Codenomicon engineers and Google on April 7th. An email from the ODNI stated, “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong.” Given the revelations made by Edward Snowden regarding the PRISM program, U.S. citizens are not necessarily inclined to trust the word of the government when it comes to spying.

So with the knowledge that hackers go completely unnoticed, and leave no trace of their presence, the question comes to mind: if using this bug to hack into vulnerable systems leaves no trace of attack, who is to say that the government itself wasn’t ever under attack? Intelligence services all over the world, or even stateless actors, could have gained access national secrets, or federal employees’ identities. If no one can trace them, how will we ever know if they were there?

In the end, if the NSA knew of the Heartbleed Bug and did nothing to warn American citizens, it made a grave mistake. This bug left the security of millions of people vulnerable to attack by hackers, foreign intelligence services, and criminals. If the U.S. government didn’t know about the bug, then what else don’t they know?









No comments: