
Be Still My Bleeding Heart! Q&A on the HeartBleed Bug

What is it? 

It’s a bug in the software a server and your browser use to secure the communications between them. That software is in play whenever you see the little padlock in your browser and the URL begins with HTTPS.

Technical Explanation

It is a bug in OpenSSL. It affects versions 1.0.1 through 1.0.1f (inclusive), and it mostly affects servers running Apache and NGINX. OpenSSL is used in a lot of things and the complete list of what is affected has yet to be tabulated, so there is probably other affected software too. Apache and NGINX are the important ones to start with.

What does it do?

It allows bad guys to get important secret info.

Technical Explanation

A malicious actor can use the heartbeat feature in the vulnerable versions of OpenSSL to read the server’s live memory, 64 KB at a time, an unlimited number of times.

They can then try to extract valuable information from the data they collect, such as usernames and passwords or, worse, the private key used in public/private key cryptography. This is especially damning because the heartbeat channel typically isn’t monitored, so the attack leaves no traces.
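To make the mechanism concrete, here is an added illustration (not OpenSSL’s code, and not from the original post) that models a heartbeat message and a simulated heap in Python: the vulnerable handler trusts the payload length the peer claims, while the patched handler checks it against the size of the record that was actually received. The heap contents and the secret are constructed sample data.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Heartbeat message layout: type(1) | payload_length(2) | payload | padding."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", length) + payload + b"\x00" * PADDING


def vulnerable_echo(memory: bytes, offset: int, record_length: int) -> bytes:
    """Pre-1.0.1g behaviour: echo as many bytes as the peer *claimed* it sent."""
    payload_len = struct.unpack(">H", memory[offset + 1:offset + 3])[0]
    start = offset + 3
    # Bug: record_length is never consulted, so the copy runs past the end of
    # the record into whatever the (simulated) heap holds next.
    return memory[start:start + payload_len]


def patched_echo(memory: bytes, offset: int, record_length: int) -> Optional[bytes]:
    """1.0.1g behaviour: drop the message if its declared size exceeds the record."""
    payload_len = struct.unpack(">H", memory[offset + 1:offset + 3])[0]
    if 1 + 2 + payload_len + PADDING > record_length:
        return None  # silently discarded, no response at all
    start = offset + 3
    return memory[start:start + payload_len]


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Constructed heap: the heartbeat record, then a secret that happens to sit next to it."""
    record = build_heartbeat(b"hello", claimed_length=64)  # 5 real bytes, 64 claimed
    secret = b"session_cookie=CONSTRUCTED-SAMPLE; password=hunter2; "  # constructed, not real
    heap = record + secret + b"\x00" * 64
    return vulnerable_echo(heap, 0, len(record)), patched_echo(heap, 0, len(record))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler echoed:", leaked)  # 'hello', padding, then the neighbouring secret
    print("patched handler echoed:", safe)       # None
```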

Is it bad? 

Yes. The sky isn’t falling, but yes, it’s a bad one.

Technical Explanation

Most of the testing has been done in controlled environments, against servers the testers owned, so results may differ in the real world, but private information was successfully retrieved with this method.

A few brave souls have actually run proof-of-concept (PoC) code against servers they did not own, without the owners’ explicit permission. These people were also able to retrieve some important information, and opened themselves to all sorts of legal problems for performing free, unrequested, unauthorized penetration tests and kindly providing evidence that can be used against them on their blogs. (We usually call that hacking, by the way.)

How can it be fixed? 

The Sysadmins of the affected servers need to fix this. It’s on them.

Technical Explanation

This needs to be addressed on a per-server basis.

If the server is using a vulnerable version of OpenSSL, the sysadmin for that server needs to upgrade OpenSSL to 1.0.1g or, if upgrading isn’t an option, recompile it with the -DOPENSSL_NO_HEARTBEATS switch to disable the heartbeat feature. They should then get all new certificates, since the private key may have leaked, and, to be extra safe, perform a password sweep and recommend that their users do the same.
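As an added triage helper (not from the original post), the function below classifies a server’s OpenSSL build from the text of `openssl version -a`, using the 1.0.1 through 1.0.1f range named above and the -DOPENSSL_NO_HEARTBEATS flag, which shows up in the compiler line of that output. Distributions that backported the fix keep the old version string, so a “vulnerable” verdict means “check the package changelog”, not proof of exposure; the sample outputs are constructed.

```python
import re
from typing import Optional, Tuple

# First line of `openssl version -a` looks like "OpenSSL 1.0.1f 6 Jan 2014".
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)", re.MULTILINE)


def parse_version(version_a_output: str) -> Optional[Tuple[str, str]]:
    """Return ('1.0.1', 'f') for the version line, or None if it is not there."""
    m = VERSION_RE.search(version_a_output)
    return (m.group(1), m.group(2)) if m else None


def heartbleed_triage(version_a_output: str) -> str:
    """Classify an OpenSSL build from `openssl version -a` text.

    Returns one of: 'vulnerable', 'patched', 'heartbeats-disabled',
    'outside-1.0.1-series', 'unparseable'. Only the 1.0.1 series is judged,
    matching the range given in the post; other branches need the advisory.
    """
    parsed = parse_version(version_a_output)
    if parsed is None:
        return "unparseable"
    base, letter = parsed
    if base != "1.0.1":
        return "outside-1.0.1-series"
    # The compiler line lists the -D flags the library was built with;
    # -DOPENSSL_NO_HEARTBEATS removes the heartbeat code entirely.
    if "OPENSSL_NO_HEARTBEATS" in version_a_output:
        return "heartbeats-disabled"
    # Patch letters sort alphabetically: '' < 'a' < ... < 'f' < 'g'.
    if letter >= "g":
        return "patched"
    return "vulnerable"


# Constructed sample outputs, trimmed to the lines the triage reads.
SAMPLE_VULNERABLE = "OpenSSL 1.0.1f 6 Jan 2014\nbuilt on: (constructed)\ncompiler: gcc -fPIC -DOPENSSL_THREADS\n"
SAMPLE_PATCHED = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -DOPENSSL_THREADS\n"
SAMPLE_RECOMPILED = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS\n"
SAMPLE_OLD_BRANCH = "OpenSSL 1.0.0k (constructed)\n"

if __name__ == "__main__":
    for name, text in [("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED),
                       ("recompiled", SAMPLE_RECOMPILED), ("old branch", SAMPLE_OLD_BRANCH)]:
        print(f"{name}: {heartbleed_triage(text)}")
```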

Why did we not know sooner?

OpenSSL is free and maintained by a small team of volunteers. Because it’s free, lots of people use it. Mistakes happen.

Technical Explanation

OpenSSL is maintained by a small team of volunteers who don’t get paid for their efforts. Maybe it is time to fund them properly, given the large number of services that rely on OpenSSL. Perhaps we should also start performing in-depth code reviews of all the open source projects that power the infrastructure of the web?

Recent events have confirmed that there are adversaries actively trying to weaken secure communications in order to ease their interception, regardless of the fact that doing so makes those communications easier for anybody to access.

So what should I do?

Addendum: Maybe wait until the affected service you use has addressed the issue.

CNET has compiled a list of services that have patched or recompiled OpenSSL: http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

As always, stay safe, and don’t hesitate to post questions in the comments.

@Jean_Taggart


  • Dana Booth

    I’ve never used a password manager for the simple reason that if it’s hacked, doesn’t the hacker get all of my passwords at once???

    I actually keep a handwritten list of all of my passwords, and yes, they’re all different, and yes, there are a bunch of them. There are some patterns to help make some more easily memorable, but it certainly doesn’t follow that if one is found out, the rest are known. The problem of course would be if I lose my list.

    Please convince me of which is better and why :)

    Thanks!

  • Jean Taggart

    While it is true that a password manager does introduce a single point of failure, what I hope to achieve with this recommendation is an “ease of use” scenario. A quick look at my password managing solution shows 3 full screens’ worth of passwords. To clarify, I need to scroll a whole page down 3 times, filled with entries of a font size around 10. That’s a lot of passwords! These are just for stuff I care about.

    If I had to manage this many passwords with a pen and paper I would find it daunting, to say the least. While I’m employed in the technology sector and this perhaps makes me more of an edge case, the average user now has to deal with an ever increasing list of services that use passwords.

    As flawed an authentication method as they are, it’s the best thing we have for now. A password manager can also generate passwords that are significantly more resistant to brute force attacks. Something like “c7Q_37THwiamx$5^” will be much more resistant to tools like John The Ripper https://en.wikipedia.org/wiki/John_the_Ripper or OCL HashCAT-plus https://hashcat.net/wiki/doku.php?id=oclhashcat_plus.

    Developing an easy way to memorize something like the earlier mentioned “c7Q_37THwiamx$5^” would be… awkward. Having played around with HashCAT I can tell you that patterns that I thought would introduce greater entropy didn’t slow it down much.

    So if pen and paper works for you, good. I suspect that this method may become unwieldy in the near future. What do you do when you start rotating passwords as services you use are affected by something like HeartBleed? Do you also change them periodically, for no reason other than to frustrate potential adversaries?

    Perhaps keep the crown-jewel passwords on paper, in a safe in your home office, and use a service like LastPass for all the other less important stuff.

    The main thing is to find something that works for you. My tin foil hat is huge, and I sympathise with you. I stayed with the pen and paper method for the longest time, until I caught myself experiencing “password fatigue”. https://en.wikipedia.org/wiki/Password_fatigue

    That’s when I started using a password manager.

  • Edmund Tang

    Does the use of 2FA reduce the importance of passwords and password managers? It really doesn’t matter when my password is compromised when you are still required to input a code from your mobile phone or proprietary tokens (like those issued by banks).

  • thatrandomswedishguy

    I am just wondering, wasn’t LastPass affected by Heartbleed, or is that some rubbish that the Swedish gov ********

  • Sue

    I just found out about HeartBleed the other day when Pinterest emailed me at my Yahoo mail account. I thought it was a phishing attempt. Anyway, now that I’ve read several articles, I’m confused. Yahoo mail and Gmail were on the list of affected sites. Does this mean that for the past 2 years that this bug’s been around, lots of my info has been stolen? i.e. both Yahoo and Gmail asked for my personal name, address, phone etc. when I created accounts. Also, some websites that I’ve been buying from online over the last few years, if they were using open source, has my credit info been stolen?

  • Jean Taggart

    Hi Guys (and gals)

    I’m going to reply to all, for the sake of expediency,

    Edmund Tang: Yes, 2 factor is good. It won’t protect you if your password has been compromised, but resetting it will be easier. It will not reduce the value of a password manager, as I recommend it for the aforementioned “ease of use” case.

    thatrandomswedishguy: Yes, LastPass was affected, but they have additional measures that mitigated this risk. Read about it here: http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

    Sue: There is no 100% guarantee that your accounts have been exploited. To play it safe, use the hit list from Mashable in the blog post to check if services you use were vulnerable, and go from there. As I mentioned earlier, changing passwords periodically is not a bad thing. If you have to juggle a bunch of them, as most of us do, password management tools might be something you want to look into.

    I hope this helps, and as always, don’t hesitate to comment for further clarifications.

  • richard bubb

    So, if I haven’t used a very old and rarely used password for a few months, but want to use it in the near future, could I be safe thinking that the old PW was not bled-out?
    And from what I’ve read, (most) hackers possibly didn’t know about heartbleed until earlier this week, so their efforts to acquire it are only just now being attempted?
    I am just trying to not have to change about 95 PW at one time (yeah, I checked my LastPass Vault… 95 PW!).

  • Jean Taggart

    richard bubb: TL;DR

    Sorry, assume it’s been compromised. You can check this:

    http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

    and

    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

    To confirm if it applies to you, and change it accordingly.

    “…very old and rarely used password…” You don’t mean you re-use passwords, I hope?

    And now for the long explanation:

    The pernicious thing about the HeartBleed bug is that it’s been around for about 2 years. The documented attacks (CRA, Mumsnet) only confirm exploitation of the bug after it was publicised, when vigilant sysadmins subsequently began actively monitoring traffic for specific traits indicating that a malicious actor is indeed “bleeding out” info. We have no way to tell if it was exploited further in the past, as the TLS “heartbeat” communication channel wasn’t typically monitored. :(

    I see you use LastPass, excellent! Triage the passwords to change. Keys to the kingdom first. Use the LastPass password generator for extra entropy. Set yourself a goal to do a few a day to make it more manageable. I feel your pain, I’ve been working my way down my list also. I’m getting pretty tired of filling out captchas, but I also got the opportunity to update recovery emails…

    Hope this helps,

    @Jean_Taggart

  • Thalbert McGinness

    If I have some accounts with some susceptible sites that I haven’t logged into in 4-5 years, what’s the best protocol?
    i.e. If I don’t go in to change my password, no information is exposed, right? Then my membership expires and all is under the bridge.
    Right now, according to CNET and mashable, I have less than a half-dozen that are in need from the heartbleed bug.
    I do have some older ones that have some duplication that I am cleaning up over time but none in the line of sight of this problem.

  • gizmoprof

    In general, Heartbleed does not affect Windows systems, unless they are running an application that requires OpenSSL… like Cygwin or MKS, and other Unix emulators.

  • Chris Hopes

    A password manager seems great if you only use one method of access, but I, like many, also access social media, email accounts, and many other websites using either my smartphone, tablet, or laptop. I fail to see how these other devices can replicate the passwords generated by a password manager on my PC?

  • Fredrik Malcus

    Hi Chris,
    LastPass does what you write and more. I use it on PC, pad, Android …
    /Fredrik

  • Jean Taggart

    Hi Guys (and gals)

    I’m going to reply to all, for the sake of expediency,

    Thalbert McGinness,

    You should be ok. I would change them anyways, but make them a low priority.

    Chris Hopes,

    LastPass is available for the desktop, iOS and Android. Find the solution that works for you, which in this case looks like something that spans multiple devices, hence why I was recommending LastPass.

    Fredrik Malcus,

    You answered Chris. :D

    gizmoprof,

    Alas, Windows is affected. The Heartbleed bug affects the servers that you log into, regardless of whether you’re logging in from Linux, OS X, or Windows… So no free pass.

  • James Schilling

    I recently wrote a blog post sharing a method I came up with for keeping track of this stuff without sacrificing security. If you do it right, and as recommended, it should serve as a secure method of jogging your memory as to what your password might be and what your other login info is…

    http://mcdarksalot.blogspot.com/2014/04/using-login-info-documents-to-keep-track-of-Login-Info.html

    Enjoy!

  • Chris Birkbeck

    I tried using LastPass and was very disappointed! It is very unwieldy to use and not user friendly at all. Another problem is if you have more than one user on your computer, it will only save passwords for 1 person per website. If you want more, you have to pay through the nose. Not a nice system at all. It also slows my machine down. I am considering removing the **** thing! Not the kind of product I would have expected Malwarebytes to recommend!

  • Jean Taggart

    Chris Birkbeck,

    I’m sorry to hear that it has given you so many problems. Although we aren’t affiliated in any way with LastPass, I have used it and I thought the experience was pretty seamless.

    There are others you might want to give a try, to see if something works better for you. There’s a Lifehacker article covering all the competitors, with pros and cons.

    http://lifehacker.com/5799036/the-best-password-utilities-that-dont-store-your-data-in-the-cloud

    Try these out and see if you can find something that works for you. I’m sorry that LastPass failed you. My goal with this post was to provide the easiest solutions, but nothing is ever one size fits all.
