OpenSSL Heartbleed: Bloody nose for OSS bleeding hearts

#1 OpenSSL Heartbleed: Bloody nose for OSS bleeding hearts

Post by rhoenix »

theregister.co.uk wrote:
Robin Seggelmann, who accidentally introduced the password-leaking Heartbleed bug into OpenSSL, says not enough people are scrutinizing the crucial cryptographic library.

The Heartbleed flaw, which was revealed on Monday and sent shockwaves through the IT world all week, allows attackers to reach across the internet and silently siphon passwords, crypto-keys, and other sensitive information from vulnerable systems.

Any machine, whether it's your bank's HTTPS web server or your home router or your mobile phone, that uses OpenSSL 1.0.1 to 1.0.1f for secure connections is at risk, thanks to the Heartbleed bug. A new version of the library, 1.0.1g, is out now that fixes the flaw, and should be installed as soon as possible – then regenerating keys, updating SSL certificates and changing passwords can begin.

If a government spy or miscreant can grab a server's private SSL key, then, in the right conditions, any previously eavesdropped encrypted traffic can be decrypted, or the attacker can masquerade as the server – although extracting that particular secret key is no mean feat.

After The Reg got in touch with Robin Seggelmann this morning, we were given a statement by his employer, Deutsche Telekom in Germany.

In that missive, the developer admitted he accidentally bungled the implementation of a keep-alive feature called the TLS Heartbeat Extension for OpenSSL, which was committed to the library's source code on New Year's Eve in 2011. Essentially, he forgot to check the size of a received message, allowing miscreants to take a snapshot of the inner workings of the attacked software and extract sensitive data flowing through memory.

"A possibility arose that granted access to security-relevant data, and a really simple mistake now has serious consequences," Seggelmann said today of the Heartbleed bug. "Whether the now known and fixed bug has been exploited by intelligence agencies or others is difficult to assess."

Open source or open sores?
The crux of the matter is that OpenSSL is used by millions and millions of people, even if they don't know it, but this vital encryption software – used to secure online shopping and banking, mobile apps, VPNs and much more – has a core developer team of just four volunteers who rely on donations and sponsorship. The library code is free and open source, and is used in countless products and programs, but Seggelmann and others point out that the project receives little help.

"It is important to monitor critical and safety-related software as often as possible. This is the great advantage of open source software: it is freely available to anyone who wishes to participate," Seggelmann explained this afternoon.

"Unfortunately, despite very wide distribution and use by millions of users, OpenSSL does not have adequate support. In spite of its many users, there are very few who actively participate in the project."

OpenSSL's code is right here to examine – and the theory goes that "given enough eyeballs, all bugs are shallow," meaning that by making the blueprints public, flaws should be quickly spotted and fixed. But Heartbleed has shown that perhaps just two sets of eyes – Seggelmann's and OpenSSL core developer Dr Stephen Henson, who committed the heartbeat update – studied the faulty code before it was blindly hoovered up by other software makers and developers. And for such a critical package, that doesn't seem right.

"Unfortunately, even the OpenSSL developer who conducted the review of the code did not notice the missing check," said Seggelmann. "Thus, the faulty code was adopted in the development version, which later became the published version."

Already people are wondering out loud why more money is not being thrown at OpenSSL, assuming that will do the trick of fixing its bugs. Freeware disk-encryption tool TrueCrypt, favored by NSA whistleblower Ed Snowden, is being audited for vulnerabilities after security researchers raised nearly $60,000 in donations to fund the effort, proving there is a demand for the scrutiny of freely available software.

But auditing OpenSSL is a daunting task: it has 429,699 lines of code according to a SLOCCount analysis, about 73 per cent of which is in C, and its code is, shall we say, non-trivial in places. It would perhaps cost about $15.7m to develop from scratch with a team of 35 programmers over three years.

The fallout from this tiny but devastating bug
Various flavors of the Linux operating system potentially shipped broken OpenSSL code, including Debian Wheezy, Ubuntu 12.04.4 LTS, OpenBSD 5.3, FreeBSD 10.0, and OpenSUSE 12.2; OpenBSD leader Theo de Raadt had some choice words about the bug. Apple's OS X and iOS software, and its websites, were not vulnerable, and neither were Microsoft Windows and the Azure cloud, simply because Redmond uses its own SSL/TLS suite.

Google's Android 4.1.1 is vulnerable, which affects a large number of mobile phones. The web king also had to patch its Cloud SQL service and Google Search Appliances, plus its web services: Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Amazon also had to patch its cloud services. Google and Amazon users should pick new passwords just in case they were leaked by Heartbleed.

Websites Facebook, If This Then That, Tumblr, Yahoo! and Yahoo! Mail all had to update their servers to splat the data-leaking bug, and all urge their users to now change their account passwords.

And 16 networking products by Cisco and some Juniper networking kit are affected by Heartbleed. The roster of horror stories continues here.

El Reg tried to contact Dr Henson for comment, but he was not available to respond immediately. ®
Additionally, here's the best explanation I've found to explain the Heartbleed bug, and how it works:
XKCD wrote: [image]
"Before you diagnose yourself with depression or low self-esteem, make sure that you are not, in fact, just surrounded by assholes."

- William Gibson


Josh wrote:What? There's nothing weird about having a pet housefly. He smuggles cigarettes for me.
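The Register's one-line description of the bug (the handler "forgot to check the size of a received message") is the whole story, and it is easier to see in code. What follows is an added illustration, not code from the article, from OpenSSL, or from anyone in this thread: a small C model of a TLS heartbeat handler in its vulnerable form and its hardened form. The record layout follows RFC 6520 (one type byte, a 16-bit big-endian payload length, the payload, then at least 16 bytes of padding). The function names, the simulated block of "process memory" and the sample secret are all constructed for the example; the hardened variant adds, in this model's terms, the two length checks that the OpenSSL 1.0.1g fix introduced.

```c
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define PADDING_LEN  16
#define RESP_CAP     (1 + 2 + 65535 + PADDING_LEN)  /* largest possible response */

/* The record as the handler sees it: a pointer into process memory and
 * the number of bytes that actually arrived on the wire. */
struct record {
    const unsigned char *data;
    size_t length;
};

/* Response header: type byte plus 16-bit big-endian payload length. */
static unsigned char *put_header(unsigned char *bp, unsigned int payload)
{
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    return bp;
}

/* Vulnerable handler (constructed model of the pre-1.0.1g logic): the
 * payload length is read from the attacker-controlled message and never
 * compared with rec->length, so memcpy starts inside the record and keeps
 * going into whatever memory follows it. Returns the response length, or
 * -1 if the message is not a request or the output buffer is too small. */
static long heartbeat_vulnerable(const struct record *rec,
                                 unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned int hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (hbtype != HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + payload + PADDING_LEN;
    if (resp_len > out_cap) return -1;        /* only the output side is checked */
    unsigned char *bp = put_header(out, payload);
    memcpy(bp, p, payload);                   /* over-read when payload > rec->length - 3 */
    memset(bp + payload, 0, PADDING_LEN);     /* RFC 6520 wants random padding; zeroed for determinism */
    return (long)resp_len;
}

/* Hardened handler: same logic plus bounds checks against the number of
 * bytes actually received. A record that cannot hold header + padding, or
 * whose claimed payload would run past the received bytes, is discarded. */
static long heartbeat_fixed(const struct record *rec,
                            unsigned char *out, size_t out_cap)
{
    if (rec->length < 1 + 2 + PADDING_LEN) return -1;
    const unsigned char *p = rec->data;
    unsigned int hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + (size_t)payload + PADDING_LEN > rec->length) return -1;
    if (hbtype != HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + payload + PADDING_LEN;
    if (resp_len > out_cap) return -1;
    unsigned char *bp = put_header(out, payload);
    memcpy(bp, p, payload);
    memset(bp + payload, 0, PADDING_LEN);
    return (long)resp_len;
}

/* Constructed demonstration. One block of "process memory" holds the
 * received record (a request claiming 64 payload bytes, though only one
 * payload byte plus 16 padding bytes actually arrived) followed by a secret
 * that a real server would hold in a nearby heap allocation. Keeping both in
 * one array keeps the over-read inside defined behaviour for the demo.
 * Returns 1 if the response contains the secret, 0 if it does not, -1 if
 * the handler rejected the record. */
static int leaks_secret(long (*handler)(const struct record *, unsigned char *, size_t))
{
    static const char secret[] = "session-cookie=deadbeef";   /* sample, constructed */
    unsigned char memory[256];
    memset(memory, 'A', sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = 0x00; memory[2] = 64;                 /* claimed payload_length = 64 */
    memory[3] = 'P';                                  /* the one real payload byte */
    size_t received = 1 + 2 + 1 + PADDING_LEN;        /* 20 bytes actually on the wire */
    memcpy(memory + received + 4, secret, sizeof secret);

    struct record rec = { memory, received };
    unsigned char out[RESP_CAP];
    long n = handler(&rec, out, sizeof out);
    if (n < 0) return -1;
    for (long i = 0; i + (long)sizeof secret <= n; i++)
        if (memcmp(out + i, secret, sizeof secret - 1) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable handler leaks the secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler result (-1 = rejected): %d\n", leaks_secret(heartbeat_fixed));
    return 0;
}
```

Build with `cc -Wall heartbeat.c && ./a.out`. The vulnerable handler returns a response that contains the secret, because memcpy copied 64 bytes starting in a 20-byte record; the fixed handler discards the record. The review lesson is the one Seggelmann states: the length has to be checked against the bytes actually received (`rec->length` here), not against the peer-supplied field or against the size of the output buffer.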
#2 Re: OpenSSL Heartbleed: Bloody nose for OSS bleeding hearts

Post by rhoenix »

More fun about HeartBleed & the NSA:
extremetech.com wrote:
When I wrote about the Heartbleed bug last week, and how it means that much of the web has been insecure for the last two years, I found myself thinking: “if I was the NSA, or some other intelligence agency, this is exactly how I would go about gathering sensitive data.” It’s very nearly the perfect hack: Subvert a piece of open-source code that almost everyone uses without question, and then use that vulnerability to extract sensitive information until it’s publicly discovered — at which point, you create or find another security hole in another open-source project, rinse, repeat. Now, according to Bloomberg, citing two people familiar with the matter, it appears the NSA did just that.

According to Bloomberg, the USA’s National Security Agency knew about the Heartbleed bug “for at least two years.” Robin Seggelmann, who introduced the bug around two years ago, claims he did so unintentionally. It’s entirely possible that he’s telling the truth — but it’s also possible that the NSA paid him to create the bug, or more nefariously, hacked his computer and introduced the bug without his knowledge. Maybe the NSA wasn’t involved with the creation of the bug at all — maybe there’s just an NSA analyst who keeps an eye on important open-source projects, looking for bugs that can be exploited by the signals intelligence (sigint) teams. (If you want to know more about the Heartbleed bug, and how it came to be, read our explainer.)

Either way, if the NSA knew about the Heartbleed bug for two years and didn’t responsibly disclose it to the OpenSSL developers, this would be one of the biggest developments in the history of wiretapping ever. Forget about all of the Snowden-related stuff; it’s inconsequential small fry compared to Heartbleed. If the NSA has been using Heartbleed for the past two years… well, it isn’t good. It’s still very hard to accurately define exactly what was exposed by the Heartbleed bug. It could be as simple as lots of username and passwords — but given how encryption keys and security certificates were also made available by the bug, it’s entirely possible that the NSA had access to the private networks of governments and corporations around the world.

The NSA, for its part, denies knowing about the Heartbleed bug before 2014. Personally I find it a little too convenient, in the wake of the Snowden leaks and the growing distaste for the government overreach, that two people “familiar with the matter” come forward to say that the NSA had full knowledge of the most dangerous security vulnerability ever discovered. Don’t get me wrong: I think it’s very likely that the NSA keeps an eye on the source code of open-source projects, but I really struggle to believe that it wouldn’t disclose the bug. We’re talking about a bug that could damage the internet for years to come: If the NSA could’ve reported the Heartbleed bug two years ago, not doing so would’ve been criminally irresponsible.

But then again, I’m not naive. Given the significance of the bug, and the large amounts of money being plowed into cyberwarfare, espionage, and sigint operations, it’s very likely that an intelligence agency or blackhat group knew about Heartbleed. It’s quite possible that multiple groups, including the NSA, have been exploiting the Heartbleed bug for a couple of years, all hoping that they were the only group that knew about it. Adding credence to this theory, there have been some reports online of the Heartbleed bug being exploited back in 2013 — and if someone knew about it in 2013, it’s highly likely that other groups also knew about it.

Moving forward, our advice from last week still stands: You should install a password manager like LastPass, and only change your passwords once your web services confirm that they’re no longer vulnerable to Heartbleed. Really, the larger risk here is for institutions and corporations that are scrambling to secure their servers which may have been hacked into for the last two years without trace.
I'm not sure about trusting my passwords to an external source, but the rest of the article is certainly interesting.