Let’s understand Heartbleed: A Flaw Missed by the Masses

This week, security researchers publicized a significant security flaw, named Heartbleed, which could expose the personal information that people plug into websites, like passwords and credit card numbers.

Unlike some past Internet security problems, the solution isn’t as simple as immediately changing a password. And the cause of the security flaw remains confusing to many everyday Internet users.

In an interview, one of the experts offered some insight into Heartbleed and open-source software, and gave suggestions for what consumers should do. Below is an edited transcript of the interview.

Q. What is Heartbleed?
A. Basically when you make a transaction online today, whether it’s a bank or credit card company, part of what ensures security is a protocol called SSL. It’s just a way to encrypt the data so that nobody can read it when it’s being transmitted from you to the bank or another company.

What Heartbleed is is a way that an attacker can steal bits of information about that transaction — things you thought were being safeguarded. The attacker can start reading data about a transaction and learn things like your passwords and credit card numbers that you thought were kept confidential.

Q. How did this happen?
A. What happened was, two years ago there was a programming flaw put into this thing called OpenSSL, an open-source implementation of the SSL protocol. A lot of websites use OpenSSL to achieve security. What happened in these cases is that these programs are very complicated, and when things are very complex, some flaws can be missed. It may have been there all along, but it was just hidden in plain sight from the perspective of everybody else.

Q. What is open source?
A. It’s a movement in many ways. Let’s say someone wants to build a program to do something. They might invite other people to start contributing to that software — it’s a method where you can build software programs together with a community of people. You make the software free and easily available to other people if they want to use it.

Because so many people are working on the software, that makes it so it’s less susceptible to problems. For security it’s more important in many ways, because often security is really hard to implement correctly. By having an open source movement around cryptography and SSL, people were able to ensure a lot of basic errors wouldn’t creep into the products.

OpenSSL is an open-source project that’s been around for many years. The code has been developed by many people for many years. Any piece of software is susceptible to vulnerability. I think on the whole it’s still better to use something that’s been vetted by many people for many years. Ultimately the more people who look at it, the more people will find security problems quickly.

Q. So how could the flaw not get noticed for two years?
A. It’s amazing — when I looked at the flaw myself I said, “Obviously, this is a pretty simple error.” This comes down to the issue that there’s so much code out there right now, and there’s so much code people are writing. There was a particular protocol called Heartbeat that did not get as much scrutiny.

The Heartbeat protocol is a sub-part of SSL. Heartbeat is meant to ensure communications are kept alive. So when two people are communicating and there hasn’t been any communication for a while, it keeps the communication line alive for a bit — it keeps a session alive so it doesn’t get taken down. What would typically happen in SSL is the communication would get terminated immediately.

Heartbeat is not the main part of SSL. It’s just one additional feature within SSL. And as an additional feature, it may not get as much scrutiny as the main part itself. So it’s conceivable that nobody looked at that code as carefully because it was not part of the main line.
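The "pretty simple error" described above is a missing length check in the Heartbeat handler. As an added illustration (this is not OpenSSL's code nor part of the AP article; the function names, the arena and the "SECRET-TOKEN" bytes are constructed), the unchecked handler below trusts the length field in the message header, while the checked one discards any heartbeat whose claimed payload does not fit in the record that actually arrived, which is what the fix does.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520): type (1 byte) |
 * payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes).
 * The receiver is expected to echo the payload back to the sender. */
#define HB_HEADER_LEN  3
#define HB_PADDING_MIN 16
static uint16_t read_u16_be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Pre-patch logic: trusts the sender's payload_length and never compares it
 * with rec_len, the number of bytes that actually arrived, so memcpy reads
 * past the end of the record. 'out' must hold 65535 bytes. */
size_t heartbeat_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                        /* ignored: this is the flaw */
    uint16_t payload_len = read_u16_be(rec + 1);
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Patched logic: silently discard any heartbeat whose header, claimed payload
 * and minimum padding do not fit in the record received. Returns 0 = discarded. */
size_t heartbeat_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_MIN) return 0;
    uint16_t payload_len = read_u16_be(rec + 1);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_PADDING_MIN > rec_len) return 0;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Constructed arena: a heartbeat that really carries 4 payload bytes but claims
 * 32, followed in memory by unrelated data the peer must never see. */
static uint8_t arena[64] = {
    0x01, 0x00, 0x20,                          /* request, payload_length = 32 */
    'p', 'i', 'n', 'g',                        /* the 4 bytes actually sent */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,           /* 16 bytes of padding */
    'S','E','C','R','E','T','-','T','O','K','E','N' /* adjacent memory (constructed) */
};
#define REC_LEN (HB_HEADER_LEN + 4 + HB_PADDING_MIN)   /* 23 bytes on the wire */

/* 1 if the unchecked echo hands back the adjacent secret, else 0. */
int unchecked_leaks_secret(void) {
    uint8_t out[65535];
    size_t n = heartbeat_echo_unchecked(arena, REC_LEN, out);
    return n == 32 && memcmp(out + 4 + HB_PADDING_MIN, "SECRET-TOKEN", 12) == 0;
}
/* 1 if the checked echo discards that same malformed record, else 0. */
int checked_discards(void) {
    uint8_t out[65535];
    return heartbeat_echo_checked(arena, REC_LEN, out) == 0;
}
```

The arena keeps the over-read inside one constructed buffer so the comparison is well defined; in a real process the extra bytes come from whatever happens to sit next to the record in memory.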

Q. What are the other encryption options comparable to SSL, and why aren’t they used more widely?
A. SSL has been around for quite a while — since the mid-90s. It has evolved over time and has become a de facto standard. I think in the early days of the Internet, once something got a certain amount of adoption it took a life of its own. It would be really difficult to come up with a new standard at this point.

ve found little issues of it here and there, but there has been no major flaw in how SSL works. I think despite this flaw it is still the best implementation out there. There are going to be some issues with it, but at least the likelihood of an issue with OpenSSL as a whole might be less than another library that might not have been looked at as much.

Q. What should everyone do?
A. There are two things I recommend. There are some sites where you can check if the websites have been upgraded to patch the problem. First check your site to make sure it’s been patched. If it has been patched, then go ahead and log in and change your password. If you change your password and the site hasn’t been patched, then you’re giving a hacker a new password.

Q. What about credit card numbers and other information you might have entered online?
A. That’s a good point: Any data that you sent — whatever you’ve typed into a computer that’s gone to somewhere else — is at risk, like your Social Security, bank account and credit card numbers. The hacker could have gained access to anything.

But I’d say that the first line would be start with your password and work your way backward from there. Start monitoring credit card statements, and if you see suspicious activity, call the bank.

Source: Associated Press

This entry was posted on April 11, 2014 in Other, Security.