Heartbleed cracks vital encryptions
Experts show how easily they can extract private keys to websites
The crown jewel of secure websites is a single string of data — a very long jumble of letters and numbers and symbols that looks like gibberish.
The Heartbleed bug allows hackers to crack it.
Security professionals have demonstrated that the recently disclosed Heartbleed bug can be exploited to allow criminals and intelligence agencies to make off with one of the most sought-after prizes in hacking: the private keys that websites rely on to decrypt sensitive information, including passwords, banking details and health data.
At least six people were able to extract the private key of a website in a test of the bug’s viability organised by CloudFlare, said Nick Sullivan, a security architect with the internet security company.
The results suggested hackers had stolen encryption keys using the bug and were planning attacks, he said.
The company set up the competition after stating in an April 11 blog post (reported by the New York Times) that stealing keys appeared to be very hard or impossible using Heartbleed, one of the biggest holes in the history of the internet.
“It turns out we were wrong,” said CloudFlare.
Sullivan said the company was planning to replace the keys it manages for clients to be safe and that the contest “made us more confident that the cost was worthwhile”.
The evidence that a widely used form of encryption called OpenSSL can be undermined, giving attackers potential access to websites’ future and past communications, validated fears about Heartbleed’s danger and added urgency to efforts to fix computer systems containing it.
Since its discovery, there has been much discussion about how the flaw could have gone undetected for so long and whether criminal hackers or government intelligence units might have exploited it.
Bloomberg reported that the US’s National Security Agency knew about the bug for two years and made it part of its hacking tool kit. The agency denied that it knew of the internet hole before an April 7 report by private security researchers.
Millions of smartphones and tablets running Google’s Android software are vulnerable to the bug, as are networking products from Cisco Systems and Juniper Networks.
Dozens of entities were conducting internet-wide attack attempts seeking to exploit Heartbleed, including computers in China that had been associated with hacking, said J Alex Halderman, assistant professor of electrical engineering and computer science at the University of Michigan, who has been tracking the attacks.
Sites had no way of knowing whether their encryption codes had been stolen and criminals would soon find ways to automate techniques for taking them, said Jeremiah Grossman, a web application specialist.
Heartbleed, the result of a simple programming error, is the kind of security hole that is discovered every few years — widespread and serious enough that it sends technology companies around the world scrambling to protect their networks.
Any previous communication encrypted with the same key would be at risk.
Writing the code to exploit it takes creativity and patience. Good exploit code is something of an art form and hackers have signature techniques. Finding a bug and figuring out that it is exploitable are just the first steps.
Intelligence agencies and criminal syndicates take what they know and create hacking packages that can be used off the shelf to compromise networks. A single bug can spawn multiple types of attack bundles.
The goal is to maximise the ability to penetrate a target while minimising the likelihood of discovery.
The Heartbleed bug could have many consequences, but the ability to steal private encryption keys is the most severe.
In encryption, private keys are like house keys. Only you have them and they are closely guarded. Public keys, on the other hand, are what everyone on the internet sees when they want to communicate securely with a website. The two are paired.
Stealing the private key gives intruders unfettered access to their targets, allowing them to capture data flowing between websites’ servers and users’ computers.
So far, efforts to fix vulnerable systems appear to be working. Most of the websites that had the bug have applied a patch that protects them. About 12% have not, according to a site called istheinternetfixedyet.com, which is tracking the progress.
An urgent concern is that they all revoke the secure sockets layer, or SSL, digital certificates that handle their data encryption and contain keys that might have already been stolen by hackers.
The researchers who discovered Heartbleed said the bug could exist inside hundreds of millions of websites, based on the market share of the open-source software that uses OpenSSL. The number is closer to 500 000, because only a fraction of sites had the vulnerable functionality turned on, according to Netcraft, a cyber-security firm.
Of the vulnerable sites, just 30 000 had taken the step of revoking their encryption certificates, leaving the rest exposed, said Netcraft.
An attack would look like what Ben Murphy, 30, a software developer in London, did recently.
In a few hours, he took a publicly available program designed to exploit Heartbleed flaws, modified it and trained it on CloudFlare’s contest server using two machines from Amazon.com’s cloud-computing service. Out popped the private key.
The attack required a basic understanding of encryption, information that could probably be obtained from an introductory course on the subject, said Murphy.
CloudFlare’s test site got 44 million hacking attempts from 2 921 unique internet protocol addresses.
Attackers could go after more than just encryption keys. Yahoo! found some of its data spilt on the internet after the Heartbleed discovery.
Mark Loman, chief executive officer of software maker SurfRight in the Netherlands, said the bug was trivial to exploit and easily made Yahoo’s servers cough up confidential data.— Bloomberg