Final Paper

advertisement
Kegan Storjohann
5/5/14
ISC110
Heartbleed Bug
The Heartbleed bug is one of the, if not, the largest security breach in the
Internet’s history. It completely exposed the vulnerability of the OpenSSL system,
which is meant to encrypt any sensitive information being passed from computer to
server and vice versa. In order to fully understand the full scale dangers and the
unique tactics of the Heartbleed bug you’ll have to understand how OpenSSL works
between computers and servers. It was invented to secure the Internet and ensure
the safety of your personal data being placed on the web. Most websites that trade
personal information or have passwords and usernames are run through OpenSSL.
The way OpenSSL works is almost like a conversation between the
user/computer and the server. For example; if you were buying something off the
Internet and the website needed your credit card information. Without SSL any
computer could access your information being sent to that server and take it for
their personal benefit. With SSL the computer first sends a “hello” to the server in
which they agree on how to encrypt this data. Second the server sends back a
certificate telling the computer who the server belongs to and if it’s the server you
need to be communicating with. Next the computer will tell the server that it is
ready for encryption and the server will respond saying its ready as well, then the
data will become encrypted and sent between the server and the user. This
encryption is much like Morse code if someone were to intercept this data, the data
would be garbage and meaningless.
Now what the Heartbleed bug does is it exploits this communication between
servers and computers. Part of the OpenSSL system is what’s called the heartbeat;
this allows you to keep a SSL session up and running even if no data is being
transferred. This is useful because if there was no data transferred, the session
would shut down and would be a hassle to restart. What the heartbeat does is it
sends out a request of data and the size of the payload, which is normally very small
such as 1 byte, and the responding computer will send back the payload and 1 byte
of data. What the Heartbleed does is it allows attackers to change the payload size,
say from 1 byte to 35,000 bytes, now if the attacker sent out this new heartbeat the
responding computer will send back the request of data as well as 35,000 bytes of
random stored information within the user’s memory of OpenSSL such as;
usernames, passwords, emails, and anything done within OpenSSL. This method is
compared to panning for gold or fishing, you send out a line and hope for the best, if
nothing bites reel it in change the bait or location then send out another line till you
catch a fish. Same thing with the Heartbleed sometimes the information the hacker
gets back is just junk mail from your email and other times they catch a fish and get
a credit card number or password. The biggest concern with this newly discovered
flaw is it’s almost untraceable, your computer thinks the heartbeat is safe and
normal and will respond to it, giving away vital information without you even
knowing it. This being virtually untraceable brings up the question just how long
has this bug been available to people and what damage have they done already?
Well no one knows for sure how long this bug has been available but one person
might have an idea, 19-year-old Stephen Arthuro Solis-Reyes from London, Ontario.
He is the first arrest made after the bug was exposed to the public for "unauthorized
use of a computer" and "mischief in relation to data”, in a Heartbleed-assisted
breach of the Canadian Revenue Agency. He managed to snag personal information
from 900 different Canadian residents. (Brandom, The first Heartbleed hacker has
been arrested, 2014)
No one knows exactly how much has been taken using this exposure. But this
Internet security breach isn’t the first of its kind; many have suffered from the
unreliable security of the Internet. Hackers exploited Sony, a power company in the
technology world, and information of millions was stolen. “This is viewed as the
worst gaming community data breach of all-time. Of more than 77 million accounts
affected, 12 million had unencrypted credit card numbers. According to Sony it still
has not found the source of the hack. Whoever they are gained access to full names,
passwords, e-mails, home addresses, purchase history, credit card numbers, and
PSN/Qriocity logins and passwords.” (Armerding, 2012) This kind of breach scares
Internet users because if a technology powerhouse is being hacked and exploited as
easily as they were, that leaves you to wonder who is safe? The answer is no one as
of right now, hackers are much like bacteria cells, as more and more security
updates and firewalls are made, hackers just adapt and find new ways around them,
as bacteria adapts to new age medicine. This adaptive nature is what makes it hard
to keep the Internet safe. Currently, after the public exposure of the Heartbleed, the
top players in technology are working on tightening up the OpenSSL system and are
trying to prevent a future Heartbleed from happening. “The new project is called the
Core Infrastructure Initiative, formed by the Linux Foundation and devoted to
plowing money into the critical software infrastructure that needs it. Executive
director Jim Zemlin says that after Heartbleed, it was clear something needed to
change.” (Brandom, 2014) “Those members include giants like Google, Microsoft,
and Facebook, along with hardware companies like Intel and Fujitsu, and cloud
services groups like Rackspace and Amazon Web Services. Each one is committed to
donating at least $100,000 a year for the next three years. With twelve companies
already on board, that means the company has already amassed $3.6 million in
funding to be doled out as the project progresses.” (Brandom, Google, Microsoft and
Facebook launch $3.6 million project to stop the next Heartbleed, 2014) With the
world becoming more and more technology dependent, it’s good to see big
companies stepping in the right direction of Internet security and putting money
towards benefiting the public and not just their profits. Even with these advances in
security, you still aren’t completely safe, but there are many things you can do while
surfing the Internet to keep your information as safe as possible.
There are many ways you “the user” can make your Internet experience a
safer one. Such as: changing your password every couple months or so, making your
passwords not words in the dictionary but jumbled letters and numbers, and having
a different password then the ones on your social networking sites. Social network
sites are gold mines for thieves because all of your information is in one place and
much of it personal. If someone were to gain access to this and your password for
your Facebook was the same as your bank account they could easily gain access to
this information from just hacking your Facebook. Updating firewalls and anti-virus
systems consistently can really help stop viruses and worms from slipping into your
system undetected. If you are trading sensitive information like credit card numbers
check to see if the site begins with HTTPS, this means the information being passed
from computer to computer is encrypted and can’t be read by foreign users. When
purchasing something on the Internet do not use a public computer, you don’t know
how secure that computer is and if you happened to leave a website up the next
person on could do what they want with the information left behind. All these
precautions can help lower your risk of becoming a victim to Internet crime.
(McAfee, 2014)
Works Cited
Armerding, T. (2012, February 12). Top 15 data security breaches. Retrieved May 5,
2014, from CSOonline.com: http://www.csoonline.com/article/2130877/dataprotection/the-15-worst-data-security-breaches-of-the-21st-century.html
Brandom, R. (2014, April 24). Google, Microsoft and Facebook launch $3.6 million
project to stop the next Heartbleed. Retrieved May 5, 2014, from The Verge:
http://www.theverge.com/2014/4/24/5646178/google-microsoft-and-facebooklaunch-project-to-stop-the/in/5371655
Brandom, R. (2014, April 16). The first Heartbleed hacker has been arrested.
Retrieved May 5, 2014, from The Verge:
http://www.theverge.com/2014/4/16/5621506/the-first-heartbleed-hacker-hasbeen-arrested
Codenomicon. (2014, April). Heartbleed Bug. Retrieved May 5, 2014, from
Heartbleed Bug: Heartbleed.com
McAfee. (2014, May). McAfee security help center. Retrieved May 5, 2014, from
McAfee an Intel Company:
http://home.mcafee.com/advicecenter/?id=ad_sos_wmap&ctst=1
Outlaws, F. (Director). (2014). OpenSSL Heartbeat (Heartbleed) Explained
[YouTube]. United States of America.
Download