Heartbleed exposed: what it is and how it affects you

The Heartbleed bug in OpenSSL allowed information to leak through the software’s heartbeat functionality. Image courtesy of Filippo

Software is never completely free from bugs. Occasionally, a seemingly trivial bug can have far-reaching consequences. The Heartbleed bug in OpenSSL, which has gotten much media attention recently, is an example.

OpenSSL, short for open Secure Sockets Layer, is a widely used set of software that enables websites collecting sensitive information to reliably identify themselves. This helps assure customers that they are dealing with those they think they’re dealing with. It also encrypts data sent over the Internet so it cannot be “overheard” by electronic eavesdroppers.

OpenSSL allows outsiders to query an OpenSSL server to check that it is functioning. The reply that shows it is indeed functioning is called a heartbeat: a small piece of data sent from the server back to the user who initiated the query, echoing what that user sent. However, a programming error left the length claimed by the query unchecked. Consequently, hackers could request a very long response that included whatever happened to be sitting in the server’s memory when it responded to the query.
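The unchecked length described above, as an added C illustration that is not code from this article or from OpenSSL: a simplified heartbeat handler that trusts the record's own length field, beside one carrying the bounds check modelled on the one the OpenSSL fix added. The record layout follows RFC 6520; the 64-byte memory image, the "hi!" payload and the secret string are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* RFC 6520 record: type (1), payload_length (2, big-endian), payload, >=16 bytes padding. */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Vulnerable handler: trusts the length field inside the record and copies that many bytes
 * without checking the record really holds them. Returns bytes written, or -1 if dropped. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* taken on faith */
    if (payload > out_cap) return -1;                 /* guards only the destination */
    memcpy(out, rec + 3, payload);                    /* over-reads when payload > rec_len - 3 */
    return (int)payload;
}

/* Fixed handler: header, claimed payload and minimum padding must all fit inside the
 * record actually received; otherwise the request is silently discarded. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the check that was missing */
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

#define REC_LEN 22      /* 1 + 2 + 3-byte payload + 16 bytes padding */
#define LEAKED 0xBAD
static const char SECRET[] = "MADE-UP-SECRET-KEY";   /* constructed, not a real key */

/* Builds a constructed 64-byte image standing in for server memory: a well-formed 22-byte
 * request ("hi!" + padding) whose length field is set to `claimed`, followed by a made-up
 * secret just past the end of the record. Feeds it to one handler and returns the handler's
 * result, except that a reply carrying the secret returns LEAKED instead. */
int demo(int use_fixed, uint16_t claimed)
{
    uint8_t mem[64] = {0}, out[64] = {0};
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)claimed;
    memcpy(mem + 3, "hi!", 3);
    memcpy(mem + REC_LEN, SECRET, strlen(SECRET));
    int n = use_fixed ? heartbeat_fixed(mem, REC_LEN, out, sizeof out)
                      : heartbeat_vulnerable(mem, REC_LEN, out, sizeof out);
    /* the copy starts at rec + 3, so bytes past the record land at out + REC_LEN - 3 */
    if (n >= REC_LEN - 3 + (int)strlen(SECRET) &&
        memcmp(out + REC_LEN - 3, SECRET, strlen(SECRET)) == 0) return LEAKED;
    return n;
}
```

The demo keeps the over-read inside one constructed buffer so it runs without undefined behaviour; in a real server the bytes past the record are whatever else the process happens to hold.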

By making many queries, a hacker can accumulate large amounts of sensitive information — supposedly secret information, such as passwords or credit card numbers — that customers sent to the OpenSSL server and, more importantly, the secret key that the server uses to identify itself to customers and to encrypt data. Possession of the secret key allows a hacker to eavesdrop on an encrypted conversation and create a website that masquerades as the real site from which the secret key had been stolen.

This sounds pretty scary, but in reality, although this bug has been present in one version of OpenSSL software for almost two years, there is no evidence that hackers were trying to exploit it before it was discovered a few weeks ago. A study from Lawrence Berkeley National Laboratory concluded that no attempts had been made to use this bug on any of their OpenSSL servers for the three months prior to its discovery. Furthermore, the secret key, the most dangerous piece of information that might be stolen, is not present in the server’s memory except right after the server is rebooted, so it is not easy to capture. Most commercial vendors were not using any vulnerable versions of OpenSSL, and sites that were vulnerable quickly patched their servers. The most sensitive systems changed their secret keys just in case.

At Fermilab, any servers that had been susceptible have since been patched, and they were not collecting any sensitive information anyway. Functions such as email, SharePoint, Fermilab Time and Labor, ServiceNow and VPN were never vulnerable.

This is yet another reminder that the Internet is a dangerous place. You must constantly be alert. Perhaps the biggest danger associated with Heartbleed is spam email pretending to be from some service that has supposedly been affected by the bug. As always, be extremely suspicious of any email message that asks you to enter a username and password for any reason.

Irwin Gaines