Monday, April 14, 2014

Change ALL the Passwords! A Brief Overview of Heartbleed

I'm going to go all technical on you for a second, but please don't skip this post.  Also, I'm not actually a programmer (I just play one on TV) so if I get something slightly wrong or don't explain something clearly enough, PLEASE CORRECT ME!  (Yes, I am actually telling you to let me know if I'm wrong about something, because I'd like this post to serve as a resource for people curious about this bug.  An accurate resource.)  Ok so here goes:

What is Heartbleed?

To answer that, I need to first answer this:

What is OpenSSL?

In the project's own words, "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation."
Secure Sockets Layer and Transport Layer Security are, simply put, the protocols that keep information secure in transit on the internet.  SSL/TLS does two things: it encrypts the connection between you and a website, so that sensitive information (usernames, passwords, and any other data you and the website exchange) can't be read by anyone in between, and it proves to your browser, using the site's certificate and the private key that goes with it, that you are really talking to that site and not an impostor.  You know that the website you're connecting to is using SSL/TLS if the URL starts with https instead of just http.  You will also see a little lock icon just to the left of the URL.  In general, if it's a website that you log into, it probably uses SSL/TLS.

If you're setting up a website, your web server needs some implementation of SSL/TLS.  There are commercial products and a few other open source libraries, but OpenSSL is by far the most widely used one, which is why a bug in it matters so much.

Is Heartbleed a virus?

No, it's not, contrary to what your friendly neighborhood morning radio program may have said, or any other media source who wants to sound smart but has no idea what they're talking about.  Nothing gets installed on your computer.  It's a bug in a piece of software that websites (and some other programs) run, and it's the website that gets attacked, not you.

What is it, then?

In March 2012, OpenSSL 1.0.1 was released.  Among its new features was support for a small TLS extension called "heartbeat" (RFC 6520): one side sends a short message containing a few bytes and a number saying how many bytes it sent, and the other side echoes those bytes back to show the connection is still alive.  The code that does the echoing trusts the number in the message instead of checking how many bytes actually arrived.  So if a sender claims "here are 64,000 bytes" but only sends a handful, the server dutifully copies 64,000 bytes starting at that message, which means whatever else happened to be sitting next to it in the server's memory gets sent back too.  That missing check is the bug, officially CVE-2014-0160 and nicknamed Heartbleed.  It's present in OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g, released April 7, 2014.

Why is this so scary?

It is estimated that around two-thirds of the world's web servers use OpenSSL.  That doesn't mean every one of them was vulnerable: only servers running OpenSSL 1.0.1 through 1.0.1f with the heartbeat extension enabled were affected, and sites still on the older 0.9.8 or 1.0.0 branches were not.  But that still covers an enormous slice of the sites you use every day.  Exploiting the Heartbleed vulnerability could reveal everything that happens to be in the server's memory: usernames, passwords, session cookies, bank account details, contents of emails, even the site's private crypto key (the one that proves the site is who it says it is).  And it's a very, very easy attack: one malformed message, no login required, repeated as often as the attacker likes.  And, here's the kicker, exploiting it leaves no trace in a normal server's logs.  So if an attacker used it, the website would have no idea.  If your bank account suddenly had no money, you'd know something had happened, but you wouldn't know how they did it, and the website being attacked wouldn't know it was being attacked.

So how does the attack work?

(image: the xkcd comic "Heartbleed Explanation")
This comic explains it beautifully.  Basically, an attacker can't ask for specific information; what comes back is just whatever happens to be in the server's memory next to the heartbeat message at the time.  But the vulnerability lets an attacker pull up to 64 KB of that memory per request (the length field in the message is 16 bits, so 65,535 bytes is the most one request can claim), and there's nothing stopping them from sending thousands of requests and sifting through the results.  Memory that has just been used for handling other people's logins is exactly the kind of thing that turns up.  The same bug works in the other direction, too: a vulnerable client program that connects to a malicious server can be made to leak its own memory.
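To make the "trusts the claimed length" idea concrete, here is a small C simulation of the heartbeat handler.  It is written for this post and is not code from OpenSSL: the constants and the 1 + 2 + payload + 16 arithmetic mirror what OpenSSL's t1_lib.c does and what the 1.0.1g fix added, but the "arena" standing in for server memory, the secret string in it, and the helper names (handle_heartbeat, build_arena, response_leaks_secret, legit_response_len) are made up for the demo, and the padding is zeroed instead of random.  The same function is run once as the vulnerable build and once with the bounds checks switched on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values from RFC 6520 / OpenSSL's t1_lib.c. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520 requires at least 16 bytes of padding */

/* Read a 16-bit big-endian length, like OpenSSL's n2s() macro. */
static unsigned int n2s(const unsigned char *p) {
    return ((unsigned int)p[0] << 8) | p[1];
}

/*
 * Simulated heartbeat handler (demo code, not OpenSSL's).
 * rec/rec_len: the heartbeat record and the number of bytes the TLS record
 * layer actually received.  check_bounds == 0 behaves like OpenSSL 1.0.1
 * through 1.0.1f (trusts the length inside the message); check_bounds == 1
 * applies the two checks added in 1.0.1g.
 * On success *out receives a malloc'd response and its length is returned;
 * -1 means the record was silently discarded.
 */
int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                     int check_bounds, unsigned char **out)
{
    const unsigned char *p = rec;
    unsigned int payload;
    unsigned char hbtype;

    /* Fix, part 1: the record must at least hold type + length + padding. */
    if (check_bounds && 1 + 2 + HB_PADDING > rec_len)
        return -1;

    hbtype = *p++;           /* message type                       */
    payload = n2s(p);        /* attacker-controlled payload length */
    p += 2;

    /* Fix, part 2: the claimed payload must fit inside what was received. */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    if (hbtype != TLS1_HB_REQUEST)
        return -1;

    unsigned char *buffer = malloc(1 + 2 + payload + HB_PADDING);
    if (!buffer) return -1;
    unsigned char *bp = buffer;

    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);

    /* THE BUG: without the checks above, this copies `payload` bytes from
       the record onward, whatever else happens to follow it in memory. */
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);   /* OpenSSL used random padding; zeros suffice */

    *out = buffer;
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Constructed stand-in for server memory: a 6-byte heartbeat record that
   claims 100 bytes of payload, with "other people's data" sitting after it. */
#define ARENA_SIZE 512
static const char LEAKED_SECRET[] = "session=abc123;password=hunter2";

size_t build_arena(unsigned char *arena) {
    memset(arena, 'X', ARENA_SIZE);          /* filler bytes */
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x64;        /* claims 100 bytes ... */
    memcpy(arena + 3, "hi!", 3);             /* ... but only 3 were sent */
    memcpy(arena + 40, LEAKED_SECRET, sizeof LEAKED_SECRET - 1);
    return 6;                                /* bytes actually received */
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the response to the malformed request contains the secret. */
int response_leaks_secret(int check_bounds) {
    unsigned char arena[ARENA_SIZE];
    size_t rec_len = build_arena(arena);
    unsigned char *resp = NULL;
    int n = handle_heartbeat(arena, rec_len, check_bounds, &resp);
    int leaked = n > 0 && contains(resp, (size_t)n, LEAKED_SECRET);
    free(resp);
    return leaked;
}

/* A well-formed 3-byte heartbeat is still answered by the patched code. */
int legit_response_len(void) {
    unsigned char rec[1 + 2 + 3 + HB_PADDING] = { TLS1_HB_REQUEST, 0x00, 0x03, 'h', 'i', '!' };
    unsigned char *resp = NULL;
    int n = handle_heartbeat(rec, sizeof rec, 1, &resp);
    if (n > 0 && memcmp(resp + 3, "hi!", 3) != 0) n = -2;   /* echo must match */
    free(resp);
    return n;
}

int main(void) {
    printf("vulnerable build leaks secret: %s\n", response_leaks_secret(0) ? "yes" : "no");
    printf("patched build leaks secret:    %s\n", response_leaks_secret(1) ? "yes" : "no");
    printf("patched build answers a valid heartbeat with %d bytes\n", legit_response_len());
    return 0;
}
```

The point to notice is that nothing about the vulnerable path is exotic: it is one memcpy whose length comes from the network.  The fix is two comparisons, and the second one is the important one, because it compares the attacker's number against the number of bytes that were actually received.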

So should I change all of my passwords?

If the website in question has not yet patched itself, then changing your password basically does nothing, because an attacker could, potentially, grab your new password the same way.  There's a second step that's easy to miss, too: if the site's private key was among the things that leaked, someone holding that key can impersonate the site or read your traffic even after the bug is patched, so a properly fixed site also needs a brand-new key and certificate.  Wait until the site says it has patched and reissued its certificate, then change your password.  If you want to check for yourself, click the lock icon in your browser and look at the certificate's issue date; a certificate issued after April 7, 2014 is a good sign that the site replaced it.

Which passwords should I change?

Mashable has an incredible list.  Ask them.

And that's about it.  Obviously I didn't go in depth here, because my intention was just to correct some things you may have read and put the accurate things in plain ol' English.

Sources for this post:
The OpenSSL Project
SSL.com
Ars Technica
xkcd
Mashable

Much love,
The Geeks
