Security

Dealing with the HeartBleed bug

News Security

It has been a very hectic couple of days since I woke up Tuesday morning to the news about the so-called HeartBleed bug. I spent a good bit of time Tuesday exploring the available information and then creating a program that would do much of the work required to actually fix the problem, and then testing my program. I spent a good deal of Wednesday fixing the problem on the computers for which I have some responsibility.

I have taken a bit of a breather after all that and here is my assessment.

HeartBleed is the most serious bug ever

HeartBleed is a bug that is both dangerous and insidious. If you have used a web site or other service that was running a vulnerable version of OpenSSL, you must assume that whatever passed through that server's memory while you were using it, including your password and your session, has been stolen. Even worse, you have no way to know who has been stealing your data or for how long; the malicious request looks like ordinary encrypted traffic, nothing is written to the server's logs, and so no trace of the crime is left behind.

There is even a web site dedicated to HeartBleed, http://heartbleed.com/, that provides the gory details about this bug and its effects. It is strictly factual and contains none of the hype required by alleged news organizations that are primarily entertainment and not information, infotainment. Unfortunately, in this case, most of the hype seems to be deserved.

What it does

The HeartBleed bug does nothing by itself. It simply provides an open door to crackers (black hat hackers) who use that door to steal personal data. HeartBleed, tracked as CVE-2014-0160, is a bug in the OpenSSL library, the cryptographic library used by a large share of the servers, and many of the client programs, on the Internet. The bug lets the other end of a connection read the memory of the affected program.

When your computer connects to a web site that uses encryption, such as your bank, OpenSSL (or a similar library) handles the encrypted communication between your computer and the bank's computer. The TLS heartbeat extension (RFC 6520) lets either end send a small "I am still here" message, a heartbeat request carrying a short payload and a field stating how long that payload is, so that the connection is not closed while there is no other activity; the other end answers by echoing the payload back.

The crackers exploit this by opening their own connection to the server and sending a heartbeat request whose length field claims far more payload than the message actually contains, up to 64 KB. A vulnerable OpenSSL trusts that length, copies that many bytes starting at the real payload, which means it reads on into whatever happens to be in the server's memory after the request, and sends them back. The memory leaked this way can contain whatever the server program was recently working with: other users' passwords and session cookies, the contents of recent requests and, worst of all, the server's private key, which lets the attacker impersonate the site and decrypt past traffic that was not protected by forward secrecy. Each request leaks a different 64 KB, and nothing stops the attacker from repeating it.

The affected computers are the servers that run most of the websites in the world and that contain your medical, personal and financial data including your social security numbers, banking information and everything else you don't want the bad guys to have access to. Other services that use OpenSSL, such as mail servers and VPN gateways, are affected too, and so is a client program that connects to a malicious server, since the heartbeat works in both directions.

The worst part is that you do not have to do anything to have your data stolen except log in to a web site you already trust, like your bank, while its server was vulnerable: your credentials sit in the server's memory for a while, and a heartbeat request can pick them up.
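To make the mechanism concrete, here is a small C model of the heartbeat handler. It is added to this post and is not OpenSSL's code: the record layout is the real one from RFC 6520 and the two length checks in the hardened branch are the ones the OpenSSL 1.0.1g fix added, but the simulated "process memory", the secret placed in it and the function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code: a simplified model of the heartbeat
 * handler.  Record layout per RFC 6520:
 *   type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
 * OpenSSL's bug was to trust payload_length instead of the real record length. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     4096        /* size of the simulated process memory */
#define SECRET_OFF   256         /* where the constructed "secret" lives in it */

/* Constructed secret standing in for a previous user's credentials. */
static const char secret[] = "SECRET: session=abc123; password=hunter2";

/* Simulated process memory.  The incoming record is placed at offset 0 and
 * other data, including the secret, sits after it, just as on a real heap.
 * Keeping everything inside one array keeps the over-read defined behaviour
 * for this demonstration; real OpenSSL read whatever happened to follow. */
static unsigned char memory[MEM_SIZE];
static unsigned char response[3 + 65535];

/* Handle one heartbeat record of rec_len bytes starting at rec.  Writes the
 * reply into out and returns its length, or 0 if the record is rejected.
 * hardened == 0 reproduces the vulnerable logic; hardened != 0 adds the two
 * length checks from the OpenSSL 1.0.1g fix. */
static size_t process_heartbeat(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, int hardened)
{
    /* Fix, part 1: a record must at least hold type, length and padding. */
    if (hardened && rec_len < 1 + 2 + HB_PADDING)
        return 0;

    unsigned char type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* peer-controlled */
    const unsigned char *pl = rec + 3;

    if (type != HB_REQUEST)
        return 0;

    /* Fix, part 2: the claimed payload plus padding must fit in the record. */
    if (hardened && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    /* The bug: 'payload' may be far larger than rec_len - 3, so this copies
     * the memory that follows the record, up to 64 KiB of it. */
    memcpy(out + 3, pl, payload);
    return 3 + payload;
}

/* Build a request whose header claims 'claimed' payload bytes but actually
 * carries 'actual' bytes plus 16 bytes of padding, drop it into the simulated
 * memory and run the handler.  Returns the response length (0 = rejected). */
size_t run_heartbeat(uint16_t claimed, size_t actual, int hardened)
{
    if (actual > SECRET_OFF - 3 - HB_PADDING)
        actual = SECRET_OFF - 3 - HB_PADDING;
    if (claimed > MEM_SIZE - 3)
        claimed = MEM_SIZE - 3;                  /* stay inside 'memory' */

    memset(memory, 0, sizeof memory);
    memcpy(memory + SECRET_OFF, secret, sizeof secret);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed >> 8);
    memory[2] = (unsigned char)(claimed & 0xff);
    memset(memory + 3, 'A', actual);             /* the payload really sent */
    size_t rec_len = 3 + actual + HB_PADDING;    /* what the TLS layer says arrived */

    return process_heartbeat(memory, rec_len, response, hardened);
}

/* 1 if the first resp_len bytes of the last response contain the secret. */
int response_has_secret(size_t resp_len)
{
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(response + i, secret, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    size_t len = run_heartbeat(2, 2, 0);
    printf("honest request, vulnerable code:    %zu byte reply, secret leaked: %d\n",
           len, response_has_secret(len));
    len = run_heartbeat(1024, 0, 0);
    printf("malicious request, vulnerable code: %zu byte reply, secret leaked: %d\n",
           len, response_has_secret(len));
    len = run_heartbeat(1024, 0, 1);
    printf("malicious request, hardened code:   %zu byte reply (0 = rejected)\n", len);
    return 0;
}
```

The honest request (two bytes of payload, two claimed) gets a five-byte reply from both versions. The malicious one claims 1024 bytes while sending none; the vulnerable handler answers with 1027 bytes that include the secret sitting 256 bytes past the request, and the hardened handler drops the record because 1 + 2 + 1024 + 16 does not fit in the 19 bytes that actually arrived.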

Recovery

The OpenSSL project fixed the bug in version 1.0.1g, released April 7, 2014. Versions 1.0.1 through 1.0.1f are vulnerable; the older 1.0.0 and 0.9.8 branches never had the heartbeat code and are not affected. Distributions have shipped the fix as a patch to the version they already carry, so a package that still calls itself 1.0.1e can be fixed; the package changelog, not the version number, tells you. And most of the large organizations that have servers, such as banks and other financial institutions and eCommerce websites like, hopefully, Amazon, Google and so on, have already patched their web sites.

The first thing you should do is install the latest updates on your own computer(s), regardless of which operating system you use; client programs that use OpenSSL are vulnerable too. If your operating system is too old to receive updates, such as Windows 95 or XP, or Fedora Linux 18 or earlier, upgrade your operating system and install all of the current updates. If you need to upgrade your computer in order to upgrade your operating system, then do so.

Second, change all of the passwords you use on web sites. ALL OF THEM! You have to assume that any password you used on a vulnerable site has been compromised, and because nothing was logged there is no way to learn which sites leaked what. If you continue to use them your data will be stolen. But a new password sent to a server that is still vulnerable can be stolen exactly like the old one, so the change only helps once the site has been fixed.

The real problem is in knowing whether the web sites you use, and which hold some of your sensitive data, have been fixed. By this morning, Thursday, April 10, many have some sort of notice on their login page. In most cases the ones I see seem to say that they never had a problem. But you cannot count on that. Many are ignoring it entirely. Just do the best you can. Change all of your passwords anyway. If you learn later that the web site did not fix the vulnerability until after you had changed your password, change it again.

A few password guidelines:

  • Never use the same password on multiple web sites. Then if one site is compromised, you won't have to change all of your passwords.
  • Use long passwords. Eight characters is a floor, not a target; twelve or more, or a passphrase made of several unrelated words, is much more difficult to guess or crack.
  • Passwords should contain a combination of lower and upper case letters, numbers, and special characters, which makes a cracking program's job much harder.
  • Never bring back an old password. An old password that was stolen can still be used to attack your account if you start using it again.
  • Do not use birth dates, Social Security Numbers, pet, friend or spouse names, or dictionary words for your passwords. Those are the first things a social engineer or a cracking dictionary will try.
  • Change your passwords promptly whenever a site you use has been compromised, as now, and periodically otherwise: at least every 90 days, but once a month is even better. This will limit how long a stolen password stays useful.
  • Never write down your passwords on paper. Ever. If keeping dozens of unique passwords in your head is not realistic, a password manager that stores them encrypted under one strong master password is the safer alternative.

Good security is hard work

Yes, good security is hard work. That is why companies hire a lot of expensive people to handle it for them. For end users, it also takes time and some creativity to come up with reasonable passwords that are safe but which can also be remembered. It will be frustrating.

Bad security is an even bigger hassle. It can cost you your identity, lots of money and a great deal of time and frustration – far more than good security will cost.

FAQs about the HeartBleed vulnerability

Information Security

I received this on the CentOS list. You might find it helpful.


Since this is the first post about the openssl update, I want to answer
a couple questions here:

1. The first susceptible version of openssl in a CentOS release was
openssl-1.0.1e-15.el6, released on December 1, 2013.

2. The version of openssl that you should install to fix the issue is
openssl-1.0.1e-16.el6_5.7, released on April 8, 2014.

3. Versions of CentOS-6.5 openssl that were affected are:
openssl-1.0.1e-15.el6, openssl-1.0.1e-16.el6_5,
openssl-1.0.1e-16.el6_5.1, openssl-1.0.1e-16.el6_5.4.

4. Only CentOS-6.5 was affected. CentOS-6 at versions 6.4 or earlier
was not affected. No versions of CentOS-5 (or any other CentOS) were
affected.

Besides doing updates, things you should do include:

1. Besides doing the updates, you should replace any certificates using
SSL or TLS that are openssl based. This includes VPN, HTTPD, etc. See
http://heartbleed.com/ for more info on impacted keys.

2. See this page for figuring out which services you should restart
after applying updates .. or just reboot the machine which will restart
all services:

https://access.redhat.com/site/solutions/781793
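That Red Hat article lists the services to restart. The C program below, added here and not part of the list post or the article, automates the check that tells you whether you missed one: when yum replaces the openssl package, any process that was already running keeps the old library file mapped, the kernel shows that mapping as "(deleted)" in /proc/PID/maps, and that process is still executing the vulnerable code until it is restarted. The sample maps lines in the block are constructed, not captured from a real system.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the Red Hat article or the list post): find
 * processes that still have the pre-update libssl/libcrypto mapped. */

/* One line of /proc/PID/maps, e.g.
 *   7f0e1c000000-7f0e1c060000 r-xp 00000000 fd:01 262711 /usr/lib64/libssl.so.1.0.1e (deleted)
 * Returns 1 if it is a deleted mapping of an OpenSSL library, else 0. */
int maps_line_is_stale_ssl(const char *line)
{
    if (strstr(line, "(deleted)") == NULL)
        return 0;
    return strstr(line, "libssl.so") != NULL || strstr(line, "libcrypto.so") != NULL;
}

/* Count stale OpenSSL mappings in the full text of one maps file. */
int count_stale_ssl(const char *maps_text)
{
    int count = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;           /* truncate absurdly long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        count += maps_line_is_stale_ssl(line);
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample of what maps shows for a process started before the
 * openssl update: three stale OpenSSL mappings, two harmless lines. */
static const char sample_maps[] =
    "7f0e1c000000-7f0e1c060000 r-xp 00000000 fd:01 262711 /usr/lib64/libssl.so.1.0.1e (deleted)\n"
    "7f0e1c060000-7f0e1c260000 ---p 00060000 fd:01 262711 /usr/lib64/libssl.so.1.0.1e (deleted)\n"
    "7f0e1c400000-7f0e1c5c0000 r-xp 00000000 fd:01 262700 /usr/lib64/libcrypto.so.1.0.1e (deleted)\n"
    "7f0e1d000000-7f0e1d1a0000 r-xp 00000000 fd:01 131090 /lib64/libc-2.12.so\n"
    "7fff3a000000-7fff3a021000 rw-p 00000000 00:00 0 [stack]\n";

int sample_stale_count(void)
{
    return count_stale_ssl(sample_maps);
}

/* Read a small /proc file whole; returns malloc'd text or NULL. */
static char *read_file(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (!fp)
        return NULL;
    size_t cap = 65536, n = 0, got;
    char *buf = malloc(cap);
    if (!buf) { fclose(fp); return NULL; }
    while ((got = fread(buf + n, 1, cap - n - 1, fp)) > 0) {
        n += got;
        if (n + 1 >= cap) {
            char *tmp = realloc(buf, cap * 2);
            if (!tmp) { free(buf); fclose(fp); return NULL; }
            buf = tmp;
            cap *= 2;
        }
    }
    buf[n] = '\0';
    fclose(fp);
    return buf;
}

/* Walk /proc and report every process that still needs a restart.  Returns
 * how many were found, or -1 if /proc is unavailable.  Run as root, otherwise
 * only your own processes are readable. */
int scan_proc(void)
{
    DIR *d = opendir("/proc");
    if (!d)
        return -1;
    int hits = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))
            continue;
        char path[64];
        snprintf(path, sizeof path, "/proc/%s/maps", de->d_name);
        char *text = read_file(path);
        if (!text)
            continue;                     /* not ours to read, or already gone */
        int stale = count_stale_ssl(text);
        free(text);
        if (stale > 0) {
            snprintf(path, sizeof path, "/proc/%s/comm", de->d_name);
            char *comm = read_file(path);
            char *nl = comm ? strchr(comm, '\n') : NULL;
            if (nl)
                *nl = '\0';
            printf("pid %s (%s): %d stale OpenSSL mapping(s), restart it\n",
                   de->d_name, comm ? comm : "?", stale);
            free(comm);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(void)
{
    printf("constructed sample: %d stale mapping(s)\n", sample_stale_count());
    int n = scan_proc();
    if (n < 0) { perror("/proc"); return 1; }
    printf("%d running process(es) still use the old OpenSSL library\n", n);
    return 0;
}
```

Run it as root right after the update; anything it lists is a daemon the update did not restart, which is the situation the Red Hat article is about. If the list includes sshd, init or anything else you would rather not juggle, the reboot the list post suggests is the simpler route.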

Linux Security Bug – Update

News Security

The security bug identified as CVE-2014-0092 now has fixes available for the following distributions, of which I am certain:

  • CentOS
  • Debian
  • Fedora
  • Red Hat

Check your own distribution to verify the availability of the fix. Note that not all releases of these distros have a fix available yet. If your release does not have a fix for this bug you should seriously consider upgrading to a release that does.

Serious security bug found in Linux

News Open Source Software Security

A very serious bug has been found in the Open Source GnuTLS package; it is the bug identified as CVE-2014-0092 in the update above. Many programs, and parts of the Linux operating system itself, use this package to deal with the encryption of data streams. The bug was discovered during a routine code audit by Red Hat, and appears to be a simple error by a programmer in the code that verifies certificates: on certain internal errors the verification routine returned a value that its callers read as "verified", so a specially crafted certificate could be accepted as valid and used to impersonate a server. This is as opposed to the flaw reportedly inserted by the NSA into a cryptographic algorithm, the Dual_EC_DRBG random number generator, to enable them to eavesdrop on encrypted communications. The NSA flaw does not affect Linux.
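For readers who want to see what "a simple error by a programmer" looks like in this case: the GnuTLS fix corrected the return codes of its certificate-verification helpers, which had been letting a negative error code escape from a function that was supposed to answer yes or no. The C below is an added, simplified model of that pattern, not GnuTLS's code; the structure, the field and function names and the error code are hypothetical.

```c
#include <stdio.h>

/* Added illustration of the return-code mix-up behind CVE-2014-0092.  A
 * simplified model, not GnuTLS's code: names and the error code are made up.
 * GnuTLS reports errors as negative integers, while its certificate-chain
 * helpers answer a yes/no question with 1 or 0.  Mixing the two in one
 * return value is what went wrong. */

#define ERR_BAD_EXTENSION (-42)   /* hypothetical error code */

struct cert {
    int is_ca;          /* BasicConstraints CA flag, as parsed */
    int bad_extension;  /* 1 if parsing one of its extensions fails */
};

/* Buggy version: an internal error jumps to cleanup with 'result' still
 * holding the negative error code, and that is what the caller receives. */
int check_if_ca_buggy(const struct cert *c)
{
    int result;
    if (c->bad_extension) {
        result = ERR_BAD_EXTENSION;
        goto cleanup;
    }
    result = c->is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Fixed version: any error is reported as "not a CA" (0). */
int check_if_ca_fixed(const struct cert *c)
{
    int result;
    if (c->bad_extension) {
        result = 0;              /* an error must never read as success */
        goto cleanup;
    }
    result = c->is_ca ? 1 : 0;
cleanup:
    return result;
}

/* The caller asks a yes/no question and, like the affected code, treats
 * anything other than 0 as "yes".  Returns 1 if the issuer is trusted. */
static int issuer_trusted(const struct cert *issuer,
                          int (*check_if_ca)(const struct cert *))
{
    if (check_if_ca(issuer) == 0)
        return 0;   /* rejected: issuer is not a CA */
    return 1;       /* accepted, and in the buggy case that includes -42 */
}

/* Convenience wrappers: does a chain whose issuer has these properties pass? */
int chain_passes_buggy(int is_ca, int bad_extension)
{
    struct cert issuer = { is_ca, bad_extension };
    return issuer_trusted(&issuer, check_if_ca_buggy);
}

int chain_passes_fixed(int is_ca, int bad_extension)
{
    struct cert issuer = { is_ca, bad_extension };
    return issuer_trusted(&issuer, check_if_ca_fixed);
}

int main(void)
{
    /* real CA, ordinary non-CA certificate, and a non-CA certificate crafted
     * to trip the error path */
    printf("real CA:      buggy=%d fixed=%d\n", chain_passes_buggy(1, 0), chain_passes_fixed(1, 0));
    printf("plain leaf:   buggy=%d fixed=%d\n", chain_passes_buggy(0, 0), chain_passes_fixed(0, 0));
    printf("crafted cert: buggy=%d fixed=%d\n", chain_passes_buggy(0, 1), chain_passes_fixed(0, 1));
    return 0;
}
```

The real CA passes and the plain leaf fails with both versions. The crafted certificate, which is not a CA but is built so that parsing one of its extensions fails, is accepted by the buggy version because -42 is "not zero"; that is the man-in-the-middle path the fix closes.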

The fix is available and I have explicitly confirmed that it has been included in an update for GnuTLS on CentOS that was made available this morning. I have installed it on my server and firewall here which all use CentOS and ensured that nothing else obvious is broken. I have no idea whether this update requires a reboot, but I will reboot all of the affected CentOS systems after the updates have been installed.

This fix is not yet available for Fedora. Check the updates for your own distribution to verify whether this fix has been included or not.

Part of the news here is that serious security bugs in Linux, and this is one, are few and far between, so each one gets heavy media coverage. The other part of the news, and the part that will get little or no coverage, is that it is only because the code is Open Source that Red Hat could perform an audit and discover the problem. The open source aspect of this code is also the reason that the fix is available so quickly after the problem is discovered, and the reason I can confirm so easily that it is included in the new version of the GnuTLS package by looking at the changelog.

The link below goes into more detail, if you are interested.

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/#p3