In the spring of 2014, the internet was rocked by what security researchers are calling a "catastrophically bad" bug. Known by the dramatic name Heartbleed, the bug left the widely used, open source OpenSSL cryptography library vulnerable to attacks that could put servers' private encryption keys into the hands of hackers. Major sites like Yahoo, Imgur, Flickr, LastPass, and countless others were left vulnerable, and, worst of all, the bug had been in the code for years. In the immediate aftermath, admins are scrambling to patch their sites while more details on the bug come out, and the whole affair raises questions about the fragile state of security on the web. We'll be tracking all that news and more right here.
May 29, 2014
Seven weeks after the bug put the web on high alert, Heartbleed is still causing problems. A new report from Portuguese security researcher Luis Grangeia describes how the same bug could be exploited over Wi-Fi, enabling new kinds of attacks that build on the same vulnerability.
May 8, 2014
One month after the critical Heartbleed vulnerability was first revealed, there are still more than 300,000 servers vulnerable to the bug, according to security researcher Robert David Graham. Graham arrived at the number through a global internet scan, which found 1.5 million servers that still support the OpenSSL "heartbeat" feature in which the bug lives, and exactly 318,239 systems that are still vulnerable. The number counts only confirmed cases, and there may well be other systems that escaped Graham's accounting, either because his scans were blocked or because of unorthodox OpenSSL setups.
Apr 27, 2014
OpenSSL is a key piece of security infrastructure for untold thousands of websites, making sure strangers can't see what you're doing. But as the Heartbleed bug has revealed, this essential tool is in dire need of support; the hodgepodge team in charge of upkeep for the open source library is severely understaffed and underpaid. BuzzFeed has published a wonderful feature story on the two men who have been primarily responsible for OpenSSL for more than a decade, and it provides a look into just how a simple flaw like Heartbleed could have made it into the code. Thankfully, if one good thing has come out of this massive security scare, it's that OpenSSL may get some of the attention that it needs: there are already efforts to secure more funding for the project, and BuzzFeed reports that the team plans on bringing in a second full-time developer soon.
Apr 24, 2014
The sudden chaos of the Heartbleed bug drove home just how much of the web relies on OpenSSL, and just how little was being spent to maintain it. But in the aftermath, some of the biggest players in tech are coming together to change that, and hopefully to spot the next Heartbleed before it can wreak quite as much havoc.
Apr 19, 2014
Federal officials are asking Healthcare.gov users to reset their passwords after an ongoing internal review by the Department of Homeland Security flagged the site as possibly vulnerable to a Heartbleed exploit. The password reset is being required "out of an abundance of caution," according to a notice published on the site, which serves as the portal for the health insurance exchanges set up under Obamacare. The notice adds that "there's no indication" that any information was revealed through Heartbleed.
Critics of the Affordable Care Act may seize the opportunity to attack the much-maligned Healthcare.gov website, which was plagued by bugs during its launch last year. Those site issues have since been fixed, and the Obama administration recently announced that 8 million Americans have signed up for health insurance through the exchanges. Healthcare.gov is only one of many US government sites that use OpenSSL, the encryption library that lay vulnerable to attack for the past two years via the bug known as Heartbleed. The Department of Homeland Security is still leading a review of government sites, and the Associated Press reports that others, like the White House's petition website, may see mandatory password resets as well. Untold thousands of non-government sites have been affected by the bug, and many high-profile sites have similarly asked their users to change their passwords.
Apr 16, 2014
Canadian officials say they've tracked down the man responsible for last week's Heartbleed-assisted breach at the Canada Revenue Agency, which compromised the personal data of more than 900 citizens. According to The Calgary Herald, 19-year-old Stephen Arthuro Solis-Reyes of London, Ontario has been officially charged after a five-day investigation. The charges are "unauthorized use of a computer" and "mischief in relation to data."
Apr 14, 2014
Canada's taxpayers may be the first confirmed victims of the Heartbleed bug that put the web on high alert last week. According to the Canada Revenue Agency, 900 social insurance numbers (SINs) were stolen by hackers exploiting the vulnerability. Even on this small scale, the breach is tantamount to identity theft, and it is exactly the situation the CRA had worked hard to avoid.
Apr 12, 2014
This morning, content delivery network CloudFlare gave some hope to those affected by the Heartbleed security flaw with an announcement that the bug might not be as bad as feared. In two weeks of testing, CloudFlare said, its researchers had failed to exploit the bug to steal a website's private SSL key, which secures the data sent to users. It issued a challenge to white-hat hackers to retrieve the private key from a server it set up for the purpose, and, unfortunately for the web, one of them succeeded.
The hacker, Node.js core team member Fedor Indutny, claimed on Twitter that he had recovered the server's private key.
Apr 11, 2014
At the presentation ceremony for Long Island University's prestigious George Polk Awards in journalism, reporters were recognized for some of the biggest stories of the past year: the NFL's indifference to concussions, the deliberate attempts by New Jersey governor Chris Christie's office to create traffic jams, former Virginia governor Robert McDonnell's acceptance of illegal gifts. But one of the most dramatic moments was a series of text messages signaling the arrival of two journalists who helped reveal the large and hidden web of NSA surveillance: documentarian Laura Poitras and reporter Glenn Greenwald.
The presentation of the Polk Award for national security reporting, which Poitras and Greenwald accepted alongside The Guardian’s Ewen MacAskill and The Washington Post’s Barton Gellman, marked the pair’s first visit to the United States since the initial leaks from Edward Snowden were published nearly a year ago. Immediately after the leaks, Rep. Peter King (R-NY) called for Greenwald’s arrest and prosecution, and Director of National Intelligence James Clapper obliquely referred to journalists who helped Snowden as "accomplices" during a Senate hearing in January. But the mood has calmed, and Greenwald now views the practical risk of returning as low, he told reporters in a press conference after the awards luncheon. Despite this, he says officials "deliberately created an environment where they wanted us to think there was a risk," refusing to tell Greenwald’s lawyers whether he might be indicted.
Bloomberg is reporting that the Heartbleed bug, which shocked the web security community this week, has been known to and actively exploited by the National Security Agency for at least two years. According to two anonymous sources familiar with the matter, the bug was kept secret in the interest of national security while the agency used it to obtain passwords and other data. The vulnerable code was committed at the end of 2011 and shipped in OpenSSL 1.0.1 in March 2012, so if the report is accurate, the NSA had access for nearly the entire lifespan of Heartbleed.
After this week's massive Heartbleed bug, one of the biggest concerns was that the bug might leak a website's private SSL key, the key behind the green lock that secures data sent to users. That would be especially dangerous because a stolen key remains valid even after the server is patched: until the certificate is revoked and reissued, an attacker holding the key could impersonate the site or decrypt captured traffic, allowing attacks months or even years in the future.
But today, the content delivery network CloudFlare has announced that Heartbleed may not allow access to those private keys after all. In two weeks of testing, the company has been unable to retrieve a private key with Heartbleed, suggesting the attack may not be possible at all. "If it is possible, it is at a minimum very hard," researcher Nick Sullivan writes. "And we have reason to believe... that it may in fact be impossible." If true, it would make Heartbleed much less dangerous than many had feared, offering a saving grace for affected sites. Sullivan acknowledged that, in its tests, some private key material had been revealed by the first requests to an Apache server, but he linked this to the process of restarting the server, which would severely limit the exposure to outside actors. Methods have also surfaced to help services tell whether attackers have hit their servers using the bug. "Heartbleed still is extremely dangerous," says CEO Matthew Prince, "but some of the worst fears about it having been used by organizations like the NSA to hoover up everyone's private SSL keys look pretty unlikely to us based on this testing."
Apr 10, 2014
When word of the Heartbleed bug first came out, news spread like a fire alarm, but it didn't spread evenly. The vulnerable library was running on as many as two out of every three servers, which made a standard disclosure impossible. Some companies, like Facebook, got the news early, either from Google or from OpenSSL itself, and were already patched when Monday's news broke. Others, like Amazon and Yahoo, were left scrambling to protect themselves. But why did some companies have advance warning while others were left in the cold? How did Facebook find out while Yahoo was left out of the loop?
From a certain angle, it looks like picking favorites, so much so that the FTC issued a statement this morning "making it clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information." But there's a complicated etiquette for sharing this information within the industry, generally known as "responsible disclosure." The idea is to share bugs with service providers before the exploits become public knowledge, which means separating out the good guys from the bad guys. In a perfect world, you'd let all the good guys know before a single bad guy had a chance to attack. But like any secret, every new insider increases the risk that the news will leak. The worst-case scenario was Heartbleed leaking out to a black-hat forum, where the news would spread to attackers first. At a certain point, researchers inevitably decide the risk of a leak is too great and have no choice but to publish the bug before everyone has been notified.
Apr 10, 2014
The "Heartbleed" flaw that has turned internet security upside down was added to the open-source OpenSSL protocol on New Year's Eve 2011, experts now believe. It was entered by one man — German software developer Robin Seggelmann — and a subsequent review failed to pick up on the catastrophic coding error Seggelmann had made. "In one of the new features, unfortunately, I missed validating a variable containing a length," he told the Sydney Morning Herald. By now you're likely well familiar with the damage that's resulted from what he described as a "trivial" error.Read Article >
Some have accused Seggelmann of intentionally adding the major security hole to OpenSSL, charges that he vigorously denies. After all, the reason he was working on OpenSSL that night was to contribute bug fixes and improvements to the project. "It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he said. But Seggelmann acknowledges that the mistake has led to "severe" consequences.
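What "missed validating a variable containing a length" means in practice, as an added illustration that is not OpenSSL's code and not from the article: a C model of a heartbeat handler with and without the check. The record layout follows RFC 6520 (a 1-byte type, a 2-byte payload length, the payload, at least 16 bytes of padding); the memory image, the malicious record, and the "secret" bytes sitting next to it are constructed for the demo, and the fixed handler mirrors the shape of the bounds check added in OpenSSL 1.0.1g rather than reproducing it.

```c
/*
 * Model of the Heartbleed over-read. Added illustration only: not OpenSSL's
 * code. The "memory image" below is constructed for the demo: a 5-byte
 * malicious heartbeat record followed by unrelated secret bytes, standing in
 * for whatever happened to sit next to the record on the server's heap.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16
#define HB_HEADER  3            /* type (1 byte) + payload_length (2 bytes) */

/* Constructed memory image. The record claims a 32-byte payload, but only
 * 2 bytes ("hi") actually arrived; everything after that is neighbouring data. */
static const unsigned char g_memory[] =
    "\x01"          /* type: heartbeat request */
    "\x00\x20"      /* payload_length: 32, chosen by the attacker */
    "hi"            /* the only payload bytes really sent */
    "----SECRET:password=hunter2;key=0xDEADBEEF----";   /* adjacent heap data */
static const size_t g_record_len = HB_HEADER + 2;      /* bytes actually received */

/* Constructed well-formed record: payload "hi" plus 16 bytes of padding. */
static const unsigned char g_valid_record[] = {
    0x01, 0x00, 0x02, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable handler, the shape of OpenSSL 1.0.1 through 1.0.1f: rec_len is
 * never consulted, so the attacker's payload_length decides how much memory
 * is echoed back. Returns the number of bytes written to out. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                  /* the missing check */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    if (payload_len > out_cap) return 0;            /* only keeps the model memory-safe */
    memcpy(out, rec + HB_HEADER, payload_len);      /* reads past the end of the record */
    return payload_len;
}

/* Fixed handler, the shape of the 1.0.1g check: a record is silently dropped
 * unless header + claimed payload + padding fit inside what was received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0; /* too short to be a valid record */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, payload_len);
    return payload_len;
}

static int buf_contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Bytes the vulnerable handler returned beyond the 2 real payload bytes. */
size_t vulnerable_leaked_bytes(void) {
    unsigned char out[64];
    size_t n = heartbeat_vulnerable(g_memory, g_record_len, out, sizeof out);
    return n > 2 ? n - 2 : 0;
}

/* 1 if the leaked bytes include the constructed secret, else 0. */
int vulnerable_leaks_secret(void) {
    unsigned char out[64];
    size_t n = heartbeat_vulnerable(g_memory, g_record_len, out, sizeof out);
    return buf_contains(out, n, "password=hunter2");
}

size_t fixed_reply_to_malicious(void) {
    unsigned char out[64];
    return heartbeat_fixed(g_memory, g_record_len, out, sizeof out);
}

size_t fixed_reply_to_valid(void) {
    unsigned char out[64];
    return heartbeat_fixed(g_valid_record, sizeof g_valid_record, out, sizeof out);
}

int main(void) {
    printf("vulnerable: %zu bytes leaked past the payload, secret found: %d\n",
           vulnerable_leaked_bytes(), vulnerable_leaks_secret());
    printf("fixed: malicious record -> %zu bytes, valid record -> %zu bytes\n",
           fixed_reply_to_malicious(), fixed_reply_to_valid());
    return 0;
}
```

Built with any C99 compiler, the vulnerable handler echoes 30 bytes it was never sent, including the constructed password, while the fixed handler drops the malformed record and still answers the well-formed one. The real bug differed only in scale: the 16-bit length field allowed just under 64 KB per request, and an attacker could repeat the request indefinitely.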
Apr 8, 2014
On Monday afternoon, the IT world got a very nasty wakeup call: an emergency security advisory from the OpenSSL project warning about a bug called "Heartbleed." The bug could be used to pull a chunk of working memory from any server running the affected versions of the software. There was an emergency patch, but until it was installed, tens of millions of servers were exposed. Anyone running a server was suddenly in crisis mode.