Kegan Storjohann 5/5/14 ISC110 Heartbleed Bug The Heartbleed bug is one of the, if not, the largest security breach in the Internet’s history. It completely exposed the vulnerability of the OpenSSL system, which is meant to encrypt any sensitive information being passed from computer to server and vice versa. In order to fully understand the full scale dangers and the unique tactics of the Heartbleed bug you’ll have to understand how OpenSSL works between computers and servers. It was invented to secure the Internet and ensure the safety of your personal data being placed on the web. Most websites that trade personal information or have passwords and usernames are run through OpenSSL. The way OpenSSL works is almost like a conversation between the user/computer and the server. For example; if you were buying something off the Internet and the website needed your credit card information. Without SSL any computer could access your information being sent to that server and take it for their personal benefit. With SSL the computer first sends a “hello” to the server in which they agree on how to encrypt this data. Second the server sends back a certificate telling the computer who the server belongs to and if it’s the server you need to be communicating with. Next the computer will tell the server that it is ready for encryption and the server will respond saying its ready as well, then the data will become encrypted and sent between the server and the user. This encryption is much like Morse code if someone were to intercept this data, the data would be garbage and meaningless. Now what the Heartbleed bug does is it exploits this communication between servers and computers. Part of the OpenSSL system is what’s called the heartbeat; this allows you to keep a SSL session up and running even if no data is being transferred. This is useful because if there was no data transferred, the session would shut down and would be a hassle to restart. What the heartbeat does is it sends out a request of data and the size of the payload, which is normally very small such as 1 byte, and the responding computer will send back the payload and 1 byte of data. What the Heartbleed does is it allows attackers to change the payload size, say from 1 byte to 35,000 bytes, now if the attacker sent out this new heartbeat the responding computer will send back the request of data as well as 35,000 bytes of random stored information within the user’s memory of OpenSSL such as; usernames, passwords, emails, and anything done within OpenSSL. This method is compared to panning for gold or fishing, you send out a line and hope for the best, if nothing bites reel it in change the bait or location then send out another line till you catch a fish. Same thing with the Heartbleed sometimes the information the hacker gets back is just junk mail from your email and other times they catch a fish and get a credit card number or password. The biggest concern with this newly discovered flaw is it’s almost untraceable, your computer thinks the heartbeat is safe and normal and will respond to it, giving away vital information without you even knowing it. This being virtually untraceable brings up the question just how long has this bug been available to people and what damage have they done already? Well no one knows for sure how long this bug has been available but one person might have an idea, 19-year-old Stephen Arthuro Solis-Reyes from London, Ontario. He is the first arrest made after the bug was exposed to the public for "unauthorized use of a computer" and "mischief in relation to data”, in a Heartbleed-assisted breach of the Canadian Revenue Agency. He managed to snag personal information from 900 different Canadian residents. (Brandom, The first Heartbleed hacker has been arrested, 2014) No one knows exactly how much has been taken using this exposure. But this Internet security breach isn’t the first of its kind; many have suffered from the unreliable security of the Internet. Hackers exploited Sony, a power company in the technology world, and information of millions was stolen. “This is viewed as the worst gaming community data breach of all-time. Of more than 77 million accounts affected, 12 million had unencrypted credit card numbers. According to Sony it still has not found the source of the hack. Whoever they are gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers, and PSN/Qriocity logins and passwords.” (Armerding, 2012) This kind of breach scares Internet users because if a technology powerhouse is being hacked and exploited as easily as they were, that leaves you to wonder who is safe? The answer is no one as of right now, hackers are much like bacteria cells, as more and more security updates and firewalls are made, hackers just adapt and find new ways around them, as bacteria adapts to new age medicine. This adaptive nature is what makes it hard to keep the Internet safe. Currently, after the public exposure of the Heartbleed, the top players in technology are working on tightening up the OpenSSL system and are trying to prevent a future Heartbleed from happening. “The new project is called the Core Infrastructure Initiative, formed by the Linux Foundation and devoted to plowing money into the critical software infrastructure that needs it. Executive director Jim Zemlin says that after Heartbleed, it was clear something needed to change.” (Brandom, 2014) “Those members include giants like Google, Microsoft, and Facebook, along with hardware companies like Intel and Fujitsu, and cloud services groups like Rackspace and Amazon Web Services. Each one is committed to donating at least $100,000 a year for the next three years. With twelve companies already on board, that means the company has already amassed $3.6 million in funding to be doled out as the project progresses.” (Brandom, Google, Microsoft and Facebook launch $3.6 million project to stop the next Heartbleed, 2014) With the world becoming more and more technology dependent, it’s good to see big companies stepping in the right direction of Internet security and putting money towards benefiting the public and not just their profits. Even with these advances in security, you still aren’t completely safe, but there are many things you can do while surfing the Internet to keep your information as safe as possible. There are many ways you “the user” can make your Internet experience a safer one. Such as: changing your password every couple months or so, making your passwords not words in the dictionary but jumbled letters and numbers, and having a different password then the ones on your social networking sites. Social network sites are gold mines for thieves because all of your information is in one place and much of it personal. If someone were to gain access to this and your password for your Facebook was the same as your bank account they could easily gain access to this information from just hacking your Facebook. Updating firewalls and anti-virus systems consistently can really help stop viruses and worms from slipping into your system undetected. If you are trading sensitive information like credit card numbers check to see if the site begins with HTTPS, this means the information being passed from computer to computer is encrypted and can’t be read by foreign users. When purchasing something on the Internet do not use a public computer, you don’t know how secure that computer is and if you happened to leave a website up the next person on could do what they want with the information left behind. All these precautions can help lower your risk of becoming a victim to Internet crime. (McAfee, 2014) Works Cited Armerding, T. (2012, February 12). Top 15 data security breaches. Retrieved May 5, 2014, from CSOonline.com: http://www.csoonline.com/article/2130877/dataprotection/the-15-worst-data-security-breaches-of-the-21st-century.html Brandom, R. (2014, April 24). Google, Microsoft and Facebook launch $3.6 million project to stop the next Heartbleed. Retrieved May 5, 2014, from The Verge: http://www.theverge.com/2014/4/24/5646178/google-microsoft-and-facebooklaunch-project-to-stop-the/in/5371655 Brandom, R. (2014, April 16). The first Heartbleed hacker has been arrested. Retrieved May 5, 2014, from The Verge: http://www.theverge.com/2014/4/16/5621506/the-first-heartbleed-hacker-hasbeen-arrested Codenomicon. (2014, April). Heartbleed Bug. Retrieved May 5, 2014, from Heartbleed Bug: Heartbleed.com McAfee. (2014, May). McAfee security help center. Retrieved May 5, 2014, from McAfee an Intel Company: http://home.mcafee.com/advicecenter/?id=ad_sos_wmap&ctst=1 Outlaws, F. (Director). (2014). OpenSSL Heartbeat (Heartbleed) Explained [YouTube]. United States of America.