
    By Ahmed Banafa, Faculty 

    School of Business and Information Technology, July 2014 

    What Is the Heartbleed Bug? 

    The Heartbleed bug, described as one of the Internet's biggest security threats, had been present in OpenSSL for over two years before it was discovered in April 2014. Many companies have since released patches, but until a site is patched your information on it remains exposed. So what is the Heartbleed bug? The simple answer: Heartbleed (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library. Websites use encryption to provide communication security and privacy over the Internet for applications such as the web, email, instant messaging (IM), and some virtual private networks (VPNs); Heartbleed allows theft of the very information that encryption was supposed to protect. According to the OpenSSL website (OpenSSL, n.d.):

    "The OpenSSL project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers [emphasis added] that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation."

    The bug is in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520). When exploited, it leaks (bleeds) memory contents from the server to the client, and equally from the client to the server, since either side of a connection can send a heartbeat; hence the name Heartbleed.

    To understand the dynamics of bug let's go back to the basics; in OpenSSL software library, a "heartbeat" is "a check to see if the other party (computer) is still present or if they've dropped off," security expert Troy Hunt wrote. "In the context of SSL, the initial negotiation between the client and the server has a communication overhead that the heartbeat helps avoid repeating by establishing if the peer is still 'alive,'" he wrote. "Without the heartbeat, the only way to do this is by renegotiation, which in relative terms is costly."

    The Heartbleed flaw lets an attacker send a heartbeat request whose declared payload length is larger than the payload actually sent. The vulnerable peer trusts the declared length (a 16-bit field, so up to roughly 64 KB per request) and copies that many bytes from its own memory into the reply, returning whatever happened to lie next to the request in memory: data that should have stayed private. The request can be repeated as often as the attacker likes, and because heartbeats are handled below the application layer it leaves nothing unusual in ordinary web server logs.

    Heartbleed has caused quite a bit of trouble. It exposed large parts of the Internet that were supposed to be protected to anyone who knew where to look. OpenSSL is used by roughly two-thirds of the world's active websites (the figure commonly cited at the time), which means there are many sites you need to be careful with until they are patched, especially when entering personal data such as passwords and bank account information.

    Many popular social networking websites, search engines, banks, and online shopping sites rely on OpenSSL to keep personal and financial data safe. Heartbleed allowed anyone who knew of it to read usernames, passwords, credit card details, and other sensitive information directly from a website's server memory, in plain text, without having to break the encryption at all.

    Not only was information exposed, but a server's private encryption keys were also up for grabs. With a stolen key, criminals could decrypt data sent between a user and the server (for connections negotiated without forward secrecy, including traffic recorded before the bug was known) and could impersonate the site. This is why installing the patch alone was not enough: affected sites also had to generate new private keys, obtain new certificates, and revoke the old ones.

    This is the most severe security issue to hit the Internet in a very long while.

    The Programmer 

    According to many newspapers and news agencies, Dr. Robin Seggelmann, a German software developer, is the one who unknowingly introduced the flaw, in what has been dubbed a rookie mistake.

    An article from The Sydney Morning Herald (Grubb, 2014) notes:  

    Dr. Seggelmann, of Münster in Germany, said the bug which introduced the flaw was "unfortunately" missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

    "I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he said.

    "In one of the new features, unfortunately, I missed validating a variable containing a length."

    After he submitted the code, a reviewer "apparently also didn't notice the missing validation," Dr. Seggelmann said, "so the error made its way from the development branch into the released version." Logs show that reviewer was Dr. Stephen Henson.

    Dr. Seggelmann said the error he introduced was "quite trivial," but acknowledged that its impact was "severe."

    The article goes on to describe Dr. Seggelmann's response to those who suggest he acted deliberately:

     ". . . in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he said.

    "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

    The Blame 

    You could blame Dr. Seggelmann, but he did this work for free, for the open source community. You might blame the whole OpenSSL organization, or the whole open source community. You could blame all the tech giants that depend on OpenSSL for missing this bug for so long. But it is too late for that, and blaming anyone will not help.

    Increasing Awareness 

    If anything had been demonstrated by the discovery of the bug, Dr. Seggelmann said it was awareness that more contributors were needed to keep an eye on code in open source software (Grubb, 2014).

    "It's unfortunate that it's used by millions of people, but only very few actually contribute to it," he said. "The benefit of open source software is that anyone can review the code in the first place. The more people look at it, the better, especially with crucial software like OpenSSL" (As cited in Grubb, 2014).

    The exact line of code is:

    memcpy(bp, pl, payload);

    This line copies payload bytes from pl (the start of the received heartbeat payload) to the response buffer at bp. Simple, unless payload, which is the length the peer claimed in the request header, is larger than the number of bytes the peer actually sent. Nothing checked the claimed length against the real one, so memcpy kept reading past the end of the request into whatever followed it in memory (a buffer over-read). This, at its core, is Heartbleed.

    The fix, in the OpenSSL repository (openssl/openssl), is simple as well:

    /* Read type and payload length first, but only if the record can hold them */
    if (1 + 2 + 16 > s->s3->rrec.length) return 0;   /* silently discard */
    hbtype = *p++;
    n2s(p, payload);                                  /* claimed payload length from the wire */
    if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;  /* claim exceeds what was received: discard */
    pl = p;

    The first check confirms that the received record (s->s3->rrec.length bytes) is at least long enough to hold the 1-byte message type, the 2-byte length field and the 16 bytes of padding that RFC 6520 requires. The second check, made once the claimed length has been read into payload, rejects any request whose claimed payload would extend beyond the bytes actually received. In both cases the message is silently discarded, as the RFC specifies, so memcpy can never read past the end of the record.

    This is an input validation error: a length taken from the network was used without being checked against the data it described. It is worth noting that the widely used static analysis tools of the day did not flag it, even though the fix is two lines; the lesson is that a small piece of code can both introduce and remove a bug of this severity, and that every length that arrives from a peer must be bounds-checked before it drives a copy. Many companies have already patched it.
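    The following is an added example, not OpenSSL's code, that models the heartbeat handler in miniature so the over-read and the fix can be run side by side. It lays the request out in a single constructed arena with a made-up "secret" string placed directly after it, so the vulnerable copy stays inside memory the program owns while still showing how adjacent data ends up in the reply. The record layout (type, 2-byte length, payload, 16 bytes of padding), the constant names and the 5-byte "hello" request are assumptions chosen to mirror the OpenSSL code quoted above.

```c
/* Added example (not OpenSSL's code): a toy heartbeat handler showing the
 * Heartbleed over-read and the two-line fix. Record layout (RFC 6520):
 * type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes).
 * The arena, SECRET and the "hello" request are all constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
enum { ARENA = 128, RESP_CAP = 256 };   /* keep claimed lengths <= ARENA - 3 in this demo */

/* Constructed "secret" that happens to sit right after the request in memory. */
static const char SECRET[] = "user=alice&password=hunter2";

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

/* 16-bit big-endian read, like OpenSSL's n2s() macro. */
static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shared response builder: echo `payload` bytes starting at pl, then padding. */
static int build_response(uint16_t payload, const unsigned char *pl,
                          unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;       /* demo-only guard on the output buffer */
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                 /* the Heartbleed line */
    memset(bp + payload, 0, HB_PADDING);     /* OpenSSL fills this with random bytes */
    return (int)resp_len;
}

/* Vulnerable: trusts the length the peer claims and never compares it to rec_len. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                           /* the bug: the real record length is ignored */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(p); p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(payload, p, out, out_cap);
}

/* Fixed: the two bounds checks from the OpenSSL patch, then the same echo. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    if (1 + 2 + HB_PADDING > rec_len) return 0;                    /* silently discard */
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(p); p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* claim exceeds record */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(payload, p, out, out_cap);
}

/* Lay out [request carrying the 5-byte payload "hello" but claiming `claimed`
 * bytes][SECRET] in one arena. Returns the number of bytes actually received. */
static size_t build_arena(unsigned char *arena, uint16_t claimed)
{
    size_t n = 0;
    memset(arena, 0, ARENA);
    arena[n++] = TLS1_HB_REQUEST;
    arena[n++] = (unsigned char)(claimed >> 8);
    arena[n++] = (unsigned char)(claimed & 0xff);
    memcpy(arena + n, "hello", 5); n += 5;
    n += HB_PADDING;                                  /* zero padding */
    memcpy(arena + n, SECRET, sizeof SECRET - 1);     /* adjacent data, not part of the record */
    return n;                                         /* 1 + 2 + 5 + 16 = 24 */
}

/* Run a handler on a request claiming `claimed` payload bytes. Returns the
 * response length (0 = discarded) and sets *leaked if SECRET is in the reply. */
int run_request(hb_handler handler, uint16_t claimed, int *leaked)
{
    unsigned char arena[ARENA], resp[RESP_CAP];
    size_t rec_len = build_arena(arena, claimed);
    int n = handler(arena, rec_len, resp, sizeof resp);
    size_t slen = sizeof SECRET - 1;
    *leaked = 0;
    for (size_t i = 3; n > 0 && i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) { *leaked = 1; break; }
    return n;
}

int response_length(hb_handler h, uint16_t claimed) { int l; return run_request(h, claimed, &l); }
int secret_leaked(hb_handler h, uint16_t claimed)   { int l; run_request(h, claimed, &l); return l; }

int main(void)
{
    printf("vulnerable, claimed 48: %d-byte reply, secret leaked: %s\n",
           response_length(heartbeat_vulnerable, 48), secret_leaked(heartbeat_vulnerable, 48) ? "yes" : "no");
    printf("fixed, claimed 48:      %d-byte reply (0 = silently discarded)\n",
           response_length(heartbeat_fixed, 48));
    printf("fixed, honest 5:        %d-byte reply, secret leaked: %s\n",
           response_length(heartbeat_fixed, 5), secret_leaked(heartbeat_fixed, 5) ? "yes" : "no");
    return 0;
}
```

    With a claimed length of 48 against a record that really carries 5 payload bytes, the vulnerable handler answers with a 67-byte reply whose echoed payload runs straight through the padding into SECRET; the fixed handler discards the same request (return 0) because 1 + 2 + 48 + 16 exceeds the 24 bytes received, yet still answers an honest 5-byte request with the expected 24-byte reply.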

    How to Deal With It? 

    According to Internet security firm McAfee (part of Intel Security), you can take the following steps to protect yourself and your accounts:

    • Use a Heartbleed checker tool, such as http://tif.mcafee.com/heartbleedtest, where you can enter any website URL and check whether it is still vulnerable.
    • Once you have determined that a site is no longer vulnerable, change your password for that site. Keep in mind that changing your password before a site is patched won't protect you: the new password can be read from the server's memory just like the old one.
    • If the site is still vulnerable, monitor the activity on that account frequently and look for unauthorized activity. 

    Once a site has been patched so it's no longer vulnerable to the Heartbleed bug, you should change your password. If you run a site yourself, the corresponding steps are to upgrade to OpenSSL 1.0.1g or later (or your distribution's patched package; versions 1.0.1 through 1.0.1f are the affected ones), restart every service that links the library, generate new private keys, obtain new certificates and revoke the old ones, and invalidate existing sessions so that cookies and tokens read from memory before the patch stop working. For users, here are some tips to keep in mind:

    • Use strong passwords that combine numbers, letters, and symbols and are longer than 8 characters; a password leaked through Heartbleed is a password, however strong, so what matters most is that it is unique to that site.
    • Use two-factor authentication for increased security on accounts that offer it, such as banks, social networks, and email: you receive a one-time code every time someone tries to log in, so a stolen password alone is not enough.

    Stay safe!


    References 

    Grubb, B. (2014, April 11). Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately. The Sydney Morning Herald. Retrieved July 2014 from http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html

    OpenSSL. (n.d.). Retrieved July 2014 from https://www.openssl.org/

    Siciliano, R. (2014, April 12). Heartbleed: Free tool to check if that site is safe. Retrieved July 2014 from http://www.huffingtonpost.com/robert-siciliano/heartbleed-free-tool-to-c_b_5137993.html

    Vatu, G. (2014, April 10). Heartbleed "author" denies malicious intentions, says bug was a programming error. Retrieved July 2014 from http://news.softpedia.com/news/Heartbleed-quot-Author-quot-Denies-Malicious-Intentions-Says-Bug-Was-a-Programming-Error-436976.shtml 

    The views expressed in this article are solely those of the author(s) and do not represent the views of Kaplan University.
