What isn’t true about Heartbleed

From http://www.scmagazineuk.com/government-slated-as-mumsnet-becomes-first-uk-heartbleed-victim/article/342671/

“The flaw enables attackers to hijack the encryption keys in OpenSSL versions 1.0.1 to 1.0.1f and steal user data.”

* NO. The flaw enables attackers to harvest random data from a server, which may be anything. Encryption Keys. User Data. Junk. Bits of Programs. Snippets of email. Anything. This quote makes it sound like a user can be targeted, which goes against everything I’ve read about Heartbleed.

* Also <SIGH>, Heartbleed is NOT A VIRUS. It’s either a vulnerability or an exploit (?). This makes a big difference, because no amount of anti-virus software will protect anyone. The other thing that isn’t being pushed enough is that it’s the website that’s at fault, not the device. It doesn’t make an ounce of difference whether you’ve been buying from, for example, Amazon on a MacBook Air, Android tablet or Windows PC, because the fault lies with Amazon (or whoever).

* Also, I don’t think Heartbleed is a bug either. In my mind, a bug causes a program to go wrong. Heartbleed did not cause OpenSSL to “go wrong”: it didn’t crash, or arbitrarily start sending data of its own accord. OpenSSL was being asked to return the heartbeat, and that’s what it did. Unfortunately, it wasn’t written to check whether the length the request claimed matched the data actually sent, so the vulnerability occurred (and even more unfortunately, the “filler” it chose was the contents of RAM, which even more unfortunately again contained critical information).
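To make the “didn’t check the length” point concrete, here is an added toy model of the heartbeat handling (example code written for this post, not OpenSSL’s source). The record layout (type byte, two-byte payload length, payload, 16 bytes of padding) follows the TLS heartbeat extension; the “process memory” is a constructed bytearray with a made-up secret placed right after the record, and `build_heartbeat`, `vulnerable_handler` and `fixed_handler` are names chosen here. The fixed handler applies the same check the 1.0.1g fix introduced: the claimed length plus header and padding must fit inside the record actually received, otherwise the message is silently discarded.

```python
# Toy model of Heartbleed: a heartbeat echo that trusts the sender's claimed
# payload length, beside the bounds check that fixes it. Nothing here touches
# real memory or a network; the "heap" is a constructed bytearray.
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LENGTH = 16  # TLS heartbeat messages carry at least 16 bytes of padding

# Constructed stand-in for unrelated data sitting next to the record in memory.
ADJACENT_SECRET = b"session-cookie=constructed-example-value;"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request: type (1 byte), payload_length (2 bytes, big-endian),
    payload, padding. An honest sender sets claimed_length == len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LENGTH


def _load_into_memory(record: bytes) -> bytearray:
    """Simulate the record being copied into a buffer with other data right after it."""
    return bytearray(record + ADJACENT_SECRET)


def _build_response(payload_length: int, payload: bytes) -> bytes:
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LENGTH


def vulnerable_handler(record: bytes) -> bytes:
    """Pre-fix behaviour: copies payload_length bytes from the payload position,
    even when that runs past the end of the record into whatever follows it.
    (Python slicing stops at the buffer end; a C memcpy would keep going.)"""
    memory = _load_into_memory(record)
    _, payload_length = struct.unpack("!BH", memory[:3])
    payload = bytes(memory[3:3 + payload_length])  # over-reads if the length lies
    return _build_response(payload_length, payload)


def fixed_handler(record: bytes) -> Optional[bytes]:
    """Fixed behaviour: the claimed payload plus header and padding must fit inside
    the record that was actually received; otherwise the message is discarded."""
    memory = _load_into_memory(record)
    _, payload_length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_length + PADDING_LENGTH > len(record):
        return None  # silently drop, as the fix does
    payload = bytes(memory[3:3 + payload_length])
    return _build_response(payload_length, payload)


def response_payload(response: bytes) -> bytes:
    """Extract just the echoed payload from a heartbeat response."""
    _, payload_length = struct.unpack("!BH", response[:3])
    return response[3:3 + payload_length]


if __name__ == "__main__":
    honest = build_heartbeat(b"hello", 5)
    malformed = build_heartbeat(b"hello", 0xFFFF)  # lies about its own length
    print("honest, vulnerable:", response_payload(vulnerable_handler(honest)))
    print("honest, fixed:     ", response_payload(fixed_handler(honest)))
    print("malformed, vulnerable leaks secret:", ADJACENT_SECRET in vulnerable_handler(malformed))
    print("malformed, fixed:  ", fixed_handler(malformed))
```

The honest request is echoed identically by both handlers, which is why the bug went unnoticed for so long: normal traffic never exercises the missing check. Only a record whose claimed length exceeds what was sent separates them, and the fixed handler’s single comparison is the whole difference.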

The problem is that it’s taken 2 years to uncover this fault, during which time individuals must have logged on to affected sites thousands of times and therefore may have had their user credentials or other personal data harvested (or not, as the case may be).

This is the snag with the pro-scare-mongering side of it: no one individual could say whether they’ve lost data or not, because the whole thing is random. It’s a catastrophic flaw with unknown consequences (although granted: with the number of big sites affected, it’s likely a lot of people have had data harvested).


Heartbleed passwords: to change or not to change?

Some thoughts on the do-you-or-don’t-you change your password question:

  • Assumptions:
    • Data theft is entirely random: as far as I’m aware, even if the exploit can be automated it retrieves random data from the server. Therefore any given individual may or may not have had data stolen, and it would be almost impossible to target an individual;
    • Large targets (e.g. Amazon, Google) are more likely to have the exploit run against them than small targets;

  • Why you shouldn’t change password
    • Any given site might not be patched (check at https://filippo.io/Heartbleed/), so if you change your password for that site it is at risk of being exploited again;
    • It’s being reported that there are a vastly greater number of attacks because of the recent visibility of Heartbleed, so your new password has a greater chance of being intercepted;

  • Why you should change password
    • Any given site might be patched (check at https://filippo.io/Heartbleed/);
    • The vast number of attacks mentioned above has its diametric opposite: a vast number of password changes means the memory on web servers will be updating a lot, so any given details should be in memory for a shorter time and may therefore be less susceptible to this exploit;
    • An old password may have been stolen at any point over a 2-year period; therefore if you DON’T change your password, stolen data could still be used to log in. A 2-year period is a long time to steal data, given that this site (http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge) reports that it took a (benign) hacker just a day to steal private keys from the CloudFlare challenge site;
    • Even if your account has been accessed, you may still be able to get in: an attacker might deliberately leave your password unchanged so that they can keep getting in while you are also accessing the site;

I can’t answer any probability questions, but my money is on changing, rather than not changing.

Heartbleed fault

I suppose it had to happen. Although it’s unsurprising, the Heartbleed fault may get across to the world that no IT system is secure: it isn’t just Microsoft’s stuff (let’s be fair, MS have at least been telling people for years, quite openly, which bugs they’ve found). Try subscribing to Apple’s security mailing list (security-announce-request@lists.apple.com): stuff streams through for OS X, but it’s quite hard to find.

Bruce Schneier (http://bit.ly/1ea7ECa) implies half a million (minimum) web sites have been completely compromised.

I’m going to (a) change all my passwords and (b) change them more regularly.