By Ahmed Banafa, Faculty of Business and Information Technology, July 2014
The Heartbleed bug, known as one of the Internet's biggest security threats, has been around for over 2 years but was only recently discovered. While many companies have released patches, your information may still be vulnerable. But what is the Heartbleed bug? The simple answer: Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library. The main purpose of the encryption used by websites is to provide communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs); the Heartbleed bug allows theft of the very information that encryption is meant to protect. According to the OpenSSL website (OpenSSL, n.d.):
"The OpenSSL project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers [emphasis added] that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation."
The bug is in OpenSSL's implementation of the TLS heartbeat extension. When it is exploited it leaks (bleeds) memory contents from the server to the client and from the client to the server; hence the name Heartbleed.
To understand the dynamics of the bug, let's go back to the basics. In the OpenSSL software library, a "heartbeat" is "a check to see if the other party (computer) is still present or if they've dropped off," security expert Troy Hunt wrote. "In the context of SSL, the initial negotiation between the client and the server has a communication overhead that the heartbeat helps avoid repeating by establishing if the peer is still 'alive,'" he wrote. "Without the heartbeat, the only way to do this is by renegotiation, which in relative terms is costly."
The Heartbleed flaw lets an attacker declare a heartbeat payload larger than the data actually sent, and receive responses from the server that contain memory contents which should have been kept secure.
Heartbleed has caused quite a bit of trouble. The problem exposed large parts of the Internet that were supposed to be protected to anyone who knew where to look. OpenSSL is used by some two-thirds of the world's websites, which means that there are a lot of unsafe sites out there that you need to be careful with, especially when entering personal data such as passwords and bank account information.
Many popular social networking websites, search engines, banks, and online shopping sites use OpenSSL encryption to keep personal and financial data safe. The Heartbleed bug allowed those who knew of its existence to intercept usernames, passwords, credit card details, and various other sensitive information from a website's server in plain text.
Not only was information exposed, but a server's private encryption keys were also up for grabs. These could then be used by criminals to decrypt data sent between a user of the website and the server.
This is the most severe security issue to hit the Internet in a very long while.
According to many newspapers and news agencies, Dr. Robin Seggelmann, a German software developer, is the one who unknowingly allowed this to happen, making what's been dubbed a rookie mistake.
An article from The Sydney Morning Herald (Grubb, 2014) notes:
Dr. Seggelmann, of Münster in Germany, said the bug which introduced the flaw was "unfortunately" missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he said.
"In one of the new features, unfortunately, I missed validating a variable containing a length."
After he submitted the code, a reviewer "apparently also didn't notice the missing validation." Dr. Seggelmann said, "so the error made its way from the development branch into the released version." Logs show that reviewer was Dr. Stephen Henson.
Dr. Seggelmann said the error he introduced was "quite trivial," but acknowledged that its impact was "severe."
The article goes on to describe Dr. Seggelmann's response to those who suggest he acted deliberately:
". . . in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he said.
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."
You could blame Dr. Seggelmann, but he did this work for free, and for the open source community. You might assign blame to the whole OpenSSL organization, and the whole open source community. You can blame all the tech giants for missing this bug for so long, but it's too late and blaming anyone will not help.
If anything had been demonstrated by the discovery of the bug, Dr. Seggelmann said it was awareness that more contributors were needed to keep an eye on code in open source software (Grubb, 2014).
"It's unfortunate that it's used by millions of people, but only very few actually contribute to it," he said. "The benefit of open source software is that anyone can review the code in the first place. The more people look at it, the better, especially with crucial software like OpenSSL" (As cited in Grubb, 2014).
The exact line of code is:
memcpy(bp, pl, payload);
This line copies payload bytes from the address pl to the memory address bp. Simple, unless the data at pl is shorter than payload, in which case memcpy reads past the end of it (a buffer over-read bug). This, at its core, is Heartbleed.
The fix (from the openssl/openssl repository) is simple as well:
if (1 + 2 + 16 > s->s3->rrec.length) return 0; /* record too short for type, length and padding: discard it */
hbtype = *p++;
if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* claimed payload does not fit in the record: discard it */
pl = p;
The first check confirms that the record is long enough to hold the type byte, the two-byte length field and the 16 bytes of padding, so the length is read from real data; the second confirms that the claimed payload actually fits inside the record, so pl points at a genuine payload of that size before anything is copied.
This is a validation error. Many static analysis tools should be able to detect this missing check, which shows how simple the bug is and how a small piece of code can fix it. Many companies have already patched it.
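To make the two checks concrete, here is a small C model of a heartbeat handler written for this article as an added example; it is not OpenSSL's code. The record layout follows RFC 6520, the two sample records are constructed, and heartbleed_overread only computes how far the unchecked copy would have read past the record instead of performing it.

```c
#include <stdint.h>
#include <string.h>
/* TLS heartbeat body (RFC 6520): 1-byte type, 2-byte big-endian payload
 * length, payload, then at least 16 bytes of padding. */
#define HB_HDR 3
#define HB_PAD 16

/* Constructed sample records (not real captures): honest_rec carries the
 * 5-byte payload it declares; lying_rec declares 65535 bytes but carries none. */
static const uint8_t honest_rec[] = { 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t lying_rec[] = { 1, 0xFF, 0xFF,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Pre-fix behaviour modelled safely: how many bytes past the end of the
 * record the unchecked memcpy(bp, pl, payload) would have read. */
size_t heartbleed_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t avail = rec_len - HB_HDR;
    return payload > avail ? payload - avail : 0;
}

/* Patched behaviour: the two length checks from the fix, then the copy.
 * Returns bytes echoed into out, or -1 if the record is rejected. */
int heartbeat_reply(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (HB_HDR + HB_PAD > rec_len)            /* room for type, length, padding? */
        return -1;
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    size_t payload = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (HB_HDR + payload + HB_PAD > rec_len)  /* claimed payload inside record? */
        return -1;
    if (hbtype != 1 || payload > out_cap)     /* 1 = heartbeat_request */
        return -1;
    memcpy(out, p, payload);                  /* the page's memcpy(bp, pl, payload) */
    return (int)payload;
}

/* Convenience wrapper that echoes into a fixed buffer the reader can inspect. */
static uint8_t reply_buf[64];
int echo(const uint8_t *rec, size_t rec_len)
{
    return heartbeat_reply(rec, rec_len, reply_buf, sizeof reply_buf);
}
```

For the honest record the patched handler echoes 5 bytes; for the lying record it returns -1, where the unchecked copy would have read 65519 bytes of adjacent memory.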
According to Internet security firm McAfee (part of Intel Security), you can take the following steps to protect your site:
Once a site has been patched so it's no longer vulnerable to the Heartbleed bug, you should change your password. Here are some tips to keep in mind:
Grubb, B. (2014, April 11). Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately. The Sydney Morning Herald. Retrieved July 2014 from http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html
OpenSSL. (n.d.). Retrieved July 2014 from https://www.openssl.org/
Siciliano, R. (2014, April 12). Heartbleed: Free tool to check if that site is safe. The Huffington Post. Retrieved July 2014 from http://www.huffingtonpost.com/robert-siciliano/heartbleed-free-tool-to-c_b_5137993.html
Vatu, G. (2014, April 10). Heartbleed "author" denies malicious intentions, says bug was a programming error. Softpedia. Retrieved July 2014 from http://news.softpedia.com/news/Heartbleed-quot-Author-quot-Denies-Malicious-Intentions-Says-Bug-Was-a-Programming-Error-436976.shtml
The views expressed in this article are solely those of the author(s) and do not represent the views of Kaplan University.