April 14, 2014

TSG IntelBrief: Fort Cyber: Unlocked Doors and Heartbleed

• The Heartbleed security flaw is a two-year long unlocked door on what were assumed to be encrypted sessions between web sites and users

• The weak spot affects the S in HTTPS, by allowing access to encryption keys and certificates, making the information (past and present) stored in memory easy prey for intruders

• Cybersecurity experts advise that after a visit to the sites in question (which included Yahoo and Google, among hundreds), a change in password is strongly advised, though there is some debate among IT professionals on whether to change them now or wait until the site is fixed

• The global economy depends, in part, on explosive growth in the use of web-based applications and transactions, all of which are at risk when fundamental assumptions about the security of data transfers are proven wrong

• This latest and unprecedented flaw highlights that more resources need to be put into open source security (such as the OpenSSL that Heartbleed affects), given the ubiquitous nature of these protocols.

With last week’s announcement of the Heartbleed Internet security flaw, the web browser lock symbol that indicates secure data transmission—perhaps the one aspect of Internet security that provides users with the veneer of e-trust upon which global economies are being built—was revealed to be practically unlocked.

With headlines ranging from serious-but-survivable to apocalyptic-or-worse, it is important to understand the issue and, more importantly, what it means moving ahead. Some numbers provide perspective for the scale of what we’re talking about:

• Over 2 billion people have regular access to the Internet, sending over 144 billion emails every day, and using servers vulnerable to Heartbleed.

• Eight new people go online every second (that’s 691,200 new users every day).

• One billion smart phones (many of which are vulnerable to Heartbleed) were shipped in 2013 alone.

• Smart phone users downloaded between 56 and 82 billion apps for their phones, including apps used in financial and commercial transactions thought to have been protected by our heretofore trustworthy lock symbol.

For further background on what all the consternation is about, a straightforward explanation of a complicated issue:

Heartbleed is a two-year-old programming flaw in something called OpenSSL, an open source project that builds and maintains a library of tools that essentially encrypt two-thirds of the Internet’s traffic. The technical terms are TLS (Transport Layer Security) and SSL (Secure Sockets Layer), the bedrock upon which the financial and commercial aspects of the Internet are built. Heartbleed (named because the flaw exploits the ‘heartbeat’ between a user and a site, the electronic handshake that tells the other who they are) enables a cyberintruder to see this heartbeat in clear text and then use it to potentially steal sensitive information. While two-thirds of Internet traffic goes through servers using some version of OpenSSL, not all of those are using the vulnerable version of OpenSSL, meaning perhaps only 17% of all Internet traffic is vulnerable until fixed—still a huge and unacceptable number.

While bad enough, it’s not just a user’s login and password information that are at risk. The site’s certificates—issued by a trusted certificate authority—are vulnerable, meaning criminals have access to files in their RAM (random access memory). This means the criminals, wherever and whoever they may be, have the user’s log-in information for HTTPS sites and the data stored on those sites. To make it worse, there is no way to detect if a user’s information or a site has been exploited. Think of it this way: the alarm didn’t go off because it wasn’t turned on in the first place. This complete inability to know if sites have been attacked, combined with the ubiquitous nature of OpenSSL (used in the very common Apache and nginx servers), accounts for the dramatic headlines. It’s not a hack or breach in the traditional sense, because the targets were everywhere, almost a global hack waiting to happen.
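The two paragraphs above describe the heartbeat flaw and the lack of any alarm. The defensive counterpart to both is a bounds check on the heartbeat’s claimed payload length, which is exactly what the OpenSSL fix added and what network sensors look for. The following is an added example, not code from the IntelBrief or from the OpenSSL project: a small Python checker that parses constructed TLS records (sample bytes built inline, not captured traffic) and flags heartbeat requests whose claimed length could not fit in the record that actually arrived. The record layout follows RFC 6520; the constants and function names are this example’s own.

```python
"""Flag TLS heartbeat requests whose claimed payload length exceeds what the
record really carries. This is the check that the Heartbleed fix added on the
server side, applied here as a passive detector over captured records."""
import struct

TLS_HEARTBEAT = 0x18      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1            # heartbeat message type: request
HB_MIN_PADDING = 16       # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, body).

    Raises ValueError when the 5-byte header or the body is truncated."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return ctype, version, body


def check_heartbeat(body):
    """Apply the bounds check a patched server performs: the type byte, the
    two length bytes, the claimed payload and the minimum padding must all fit
    inside the record that was actually received. Returns (verdict, claimed)."""
    if len(body) < 3:
        return "malformed", None
    (claimed,) = struct.unpack("!H", body[1:3])
    if 1 + 2 + claimed + HB_MIN_PADDING > len(body):
        return "oversized", claimed
    return "ok", claimed


def scan_records(records):
    """Return one (index, verdict, claimed_len) tuple per heartbeat record;
    records of any other content type are skipped."""
    findings = []
    for i, rec in enumerate(records):
        ctype, _version, body = parse_tls_record(rec)
        if ctype != TLS_HEARTBEAT:
            continue
        verdict, claimed = check_heartbeat(body)
        findings.append((i, verdict, claimed))
    return findings


# Constructed sample records (not captured traffic). Header is
# content_type(1) | version(2) | length(2), then the heartbeat body.
SAMPLES = [
    # 0: application data record, not a heartbeat, ignored by the scanner
    b"\x17\x03\x02\x00\x04data",
    # 1: well-formed request: type 1, claimed length 5, "hello", 16 bytes padding
    b"\x18\x03\x02\x00\x18" + b"\x01\x00\x05hello" + b"\x00" * 16,
    # 2: claims 65535 payload bytes but carries none: the Heartbleed shape
    b"\x18\x03\x02\x00\x13" + b"\x01\xff\xff" + b"\x00" * 16,
    # 3: body too short to even hold the length field
    b"\x18\x03\x02\x00\x02\x01\x00",
]

if __name__ == "__main__":
    for idx, verdict, claimed in scan_records(SAMPLES):
        print(f"record {idx}: {verdict} (claimed payload {claimed})")
```

Because a vulnerable server answered an oversized request before the patch, a sensor that applies this same arithmetic to inbound records is the only place such a probe leaves a trace; the server itself, as the brief notes, logged nothing.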

While it’s clear when the flaw began (December 2012), it’s unclear how widely known it was. One of the strengths of the open source software and security environment is that many eyes looking for bugs are better than a few. Instead of a single department of a single tech firm being responsible for keeping flaws out of widely used code, open source uses the wisdom of crowds—in this case computer programming crowds. Security researchers from Finnish cyber firm Codenomicon and a Google engineer found the flaw on April 7, setting off a mad dash to try to fix a worldwide problem without telling the world. Truly a modern conundrum, and one that will be repeated if more resources aren’t put into maintaining and improving open source software that increasingly becomes the foundation of commercial products and services.



• As the information age moves into the “Internet of things,” problems like Heartbleed will become much more challenging and corrosive to trust and growth. As more devices send more data (our watches, televisions, cars, medical devices, etc), the risk of catastrophe grows apace

• More resources will be needed to back up what is essentially a large group of volunteers and near-volunteers that create and update the vital open source software that runs huge sections of our economic and social world

• (set up by Codenomicon) contains a technical explanation of the issue.


For tailored research and analysis, please contact:
