The Heartbleed Aftermath
by: Doug Zbikowski
It’s been over a month since the Heartbleed bug brought Internet security to the forefront of the news, and according to Errata Security’s Robert Graham, more than 300,000 servers across the globe are still vulnerable. This is a big drop from the 600,000 initially detected when the vulnerability first became public, but it’s still a large number.
Although it was discovered earlier this year, Heartbleed is still a serious threat because it can expose usernames, passwords, credit card information, and other personal data to attackers. The flaw is in OpenSSL, a widely used software library that encrypts and secures communication between a user’s browser and a server. It is a vulnerability rather than a breach of any one site: every server running an affected version of OpenSSL is exposed until it is patched.
Graham’s numbers are concerning, and they might just be the tip of the iceberg.
His testing was done by scanning port 443 (a port is a numbered “channel” used in Internet communication that is reserved for a specific service; port 443 is the standard port for HTTPS, that is, web traffic protected by SSL/TLS). Servers that speak SSL/TLS on other ports, such as mail servers, VPN gateways, and administrative interfaces, were not counted at all, so there may be thousands more unpatched servers, possibly far more, beyond the ones this scan can see.
What Exactly IS Heartbleed?
The easiest way to describe how Heartbleed works is to imagine a computer and a server talking to each other. They don’t want anyone else listening in, so they speak in a scrambled language only the two of them can understand (this is the encrypted connection that OpenSSL provides). Any other computer trying to listen in would hear only gibberish.
Once in a while there may be a lull in the conversation, so the computer will want to make sure the server is still listening. It sends a “heartbeat”, a nudge saying “Hey! Prove you’re still there!” To make the reply easy to check, the heartbeat carries a short message and says how long that message is; the server is supposed to send the same message back.
Your computer might say, “Prove you’re there: respond with ‘Pineapple’ (9 characters).”
The server replies, “Pineapple”.
“Prove you’re there: respond with ‘Car’ (3 characters).”
The server replies, “Car”.
Some clever person discovered that if you craft a heartbeat request that says, in effect, “Prove you’re there: respond with ‘Phone’ (1000 characters),” the server replies with “Phone” followed by the next 995 bytes of whatever happens to be in its memory. Nothing in the vulnerable code checks that the stated length matches what was actually sent. Those bytes can contain data from other people’s SSL sessions on the same server: payment information, passwords, session cookies, and in the worst case the server’s own private key, which would let an attacker impersonate the site. A single request can ask for up to about 64 KB, it can be repeated as often as the attacker likes, and it leaves nothing in the server’s ordinary logs. (This is a very simplistic explanation, but it gets the point across.)
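To make that concrete, here is an added example that is not from the original article and is not OpenSSL’s source: a small C simulation of the heartbeat handling. The message layout follows RFC 6520 (a 1-byte type, a 2-byte length, the payload, and at least 16 bytes of padding). The receive buffer, the “Phone” request with a declared length of 1000, and the credit-card string planted a little past the end of the record are all constructed for the demonstration. `hb_process_vulnerable` reproduces the logic shipped before OpenSSL 1.0.1g, which trusts the length field; `hb_process_fixed` adds the two length checks the patch introduced.

```c
/* Added example: a simulation of the heartbeat bug, not OpenSSL's code.
   The buffer contents, the request and the "secret" are all constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16                             /* RFC 6520 minimum padding */
#define HB_MAX_MSG   (1 + 2 + 65535 + HB_PADDING)   /* largest possible message */

/* One connection's receive buffer. Only the first rec_len bytes belong to the
   heartbeat record that actually arrived; the rest is whatever else is in memory. */
struct conn {
    unsigned char buf[HB_MAX_MSG];
    size_t rec_len;
};

typedef size_t (*hb_handler)(const struct conn *, unsigned char *);

/* Encode a request: type | length (big endian) | payload | padding.
   declared_len goes into the length field; payload_len is what is really sent.
   An honest client uses the same number for both; the attack does not. */
static size_t hb_encode(unsigned char *out, uint16_t declared_len,
                        const char *payload, size_t payload_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(declared_len >> 8);
    out[2] = (unsigned char)(declared_len & 0xff);
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 1 + 2 + payload_len + HB_PADDING;
}

/* Vulnerable handler (pre-1.0.1g logic): believes the length field and copies
   that many bytes out of the buffer without asking how many bytes arrived. */
static size_t hb_process_vulnerable(const struct conn *c, unsigned char *resp)
{
    const unsigned char *p = c->buf;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != HB_REQUEST) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload);        /* reads past rec_len: the leak */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Fixed handler: the two bounds checks the 1.0.1g patch added. A request whose
   declared length does not fit inside the received record is silently dropped. */
static size_t hb_process_fixed(const struct conn *c, unsigned char *resp)
{
    const unsigned char *p = c->buf;
    if (c->rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != HB_REQUEST) return 0;
    if ((size_t)1 + 2 + payload + HB_PADDING > c->rec_len) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Substring search over binary data (memmem is not portable). */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Send the article's "Phone, 1000 characters" request to a handler. A constructed
   secret sits 200 bytes past the end of the 24-byte record, standing in for
   another user's data. Returns the reply length; *leaked says if the secret came back. */
static size_t run_attack(hb_handler handler, int *leaked)
{
    static struct conn c;
    static unsigned char resp[HB_MAX_MSG];
    const char *secret = "card=4111111111111111&cvv=123";   /* constructed */
    memset(&c, 'A', sizeof c);                                /* stale memory */
    c.rec_len = hb_encode(c.buf, 1000, "Phone", 5);
    memcpy(c.buf + c.rec_len + 200, secret, strlen(secret));
    size_t n = handler(&c, resp);
    *leaked = contains(resp, n, secret);
    return n;
}

static int attack_leaks(hb_handler h)        { int l; run_attack(h, &l); return l; }
static size_t attack_reply_len(hb_handler h) { int l; return run_attack(h, &l); }

int main(void)
{
    printf("vulnerable: %zu bytes back, secret leaked: %s\n",
           attack_reply_len(hb_process_vulnerable), attack_leaks(hb_process_vulnerable) ? "yes" : "no");
    printf("fixed:      %zu bytes back, secret leaked: %s\n",
           attack_reply_len(hb_process_fixed), attack_leaks(hb_process_fixed) ? "yes" : "no");
    return 0;
}
```

The vulnerable handler answers the 24-byte request with 1019 bytes, and the planted card number is among them; the fixed handler answers with nothing at all, which is what RFC 6520 asks for when a heartbeat’s stated length does not fit the record. The over-read in the real bug walked into neighbouring heap memory rather than a padded buffer, which is why what came back was whatever the server had recently handled for other connections.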
It’s clear that a lot of servers on the Internet have not been patched to fix the Heartbleed bug, and that’s not likely to change anytime soon. Ars Technica, the technology news site, reported that a month after Heartbleed was announced the number of vulnerable servers had decreased by only 0.44 percent. That suggests server patching has essentially stalled.
If you’re wondering what you can do to protect yourself, you’re in the same boat as everyone else. Nobody knows exactly which services and servers still have the flaw. Many companies have done their best to tell their users whether or not they were affected, but there is no comprehensive list saying “We fixed the problem, so change your password.” You can bet that financial institutions, ISPs, and large companies patched their OpenSSL servers quickly, so most of the remaining servers are probably run by small businesses that either do not know they have the bug or do not have the expertise to repair it. Your best bet is to check with any service you log into with a username and password to see whether it was affected, and to change that password only after the service confirms it has patched: a new password sent to a still-vulnerable server can be stolen just like the old one.
On a positive note, Heartbleed has made security a top priority again. Many companies are reviewing their security practices, making sure they have the basics covered, like antivirus software, and that they apply software updates promptly. For anyone running an affected server, patching OpenSSL is only the first step: because the private key may have leaked, the server’s certificate should be reissued and the old one revoked, and users should be told to change their passwords once that is done. You’ll probably want to join in with them.