Heartbleed & NSA Exploits Secure Sockets Layer (SSL), Encryption Protocol

Heartbleed is one of the biggest bugs to ever affect an encryption protocol used by some two thirds of all sites in the world.

Heartbleed; NSA’s widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort. Even Snowden touted encryption as a saving grace in the face of the spy agency’s snooping. “Encryption works,” the whistleblower said last June. “Properly implemented strong crypto systems are one of the few things that you can rely on.”

But Snowden also warned that crypto systems aren’t always properly implemented. “Unfortunately,” he said, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery.

Researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to ten, cryptographer Bruce Schneier ranks the flaw an eleven.

Yahoo, Google, Facebook are just some of the sites that have been affected by the bug at least to some extent. They’re some of the most visited sites in the world, which means that their reach is extraordinary and billions of people have been exposed to the dangers of this bug.

Of course, you’ll say that there are millions of websites out there that don’t even use encryption and that’s perfectly true. But they also don’t require the use of your personal information, your banking account or other type of data that should be protected in every moment.

In fact, it’s not even advisable to share such data when you see no HTTPS at the start of an URL, especially if you want to protect your bank account, for instance.

Another big issue with this bug is that anyone taking advantage of it would not leave a trace behind. That means that it’s impossible to know whether hackers knew of it or not, if data has been stolen or not.

Chances that the bug hasn’t been discovered in the past two years are, in fact, quite slim, which means that enormous amounts of data have been intercepted and collected.

What are the chances that the NSA has been oblivious of this entire bug? None. The agency’s programs that have been exposed thus far indicate that this is exactly what the NSA is supposed to do – find flaws in encryption standards, exploit them and never tell a soul.

While a normal human being, such as those who discovered the bug and made things public, would immediately inform the rest of the world of the dangers they are in, the NSA would shut up and collect as much information as possible for as long as possible.

Basically, Heartbleed is a dream bug for the NSA since none of the agency’s actions would leave a trace, as a lot of sites were affected and no one knew about it. It means that the NSA barely had to lift a finger to spy on millions of people after they discovered Heartbleed. The only problem they had was to discover what other sites were affected so that they could exploit those as well.

It would be nice if some type of documents regarding this would be uncovered from the Snowden stash, although it may not actually be necessary. At this point, everyone thinks the worst of the NSA and rightfully does so considering all that’s been uncovered.

The good news is that the big sites have remedied the problem, but there are plenty more out there that are still susceptible to attacks, so be careful which ones you visit. It’s also advisable that you change your passwords to make sure that, in case yours has already been collected, you restore some of your privacy

Though security vulnerabilities come and go, this one is deemed catastrophic because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data. “It really is the worst and most widespread vulnerability in SSL that has come out,” says Matt Blaze, cryptographer and computer security professor at the University of Pennsylvania. But the bug is also unusually worrisome because it could possibly be used by hackers to steal your usernames and passwords — for sensitive services like banking, ecommerce, and web-based email — and by spy agencies to steal the private keys that vulnerable web sites use to encrypt your traffic to them.

A Google employee was among those who discovered the hole, and the company said it had already patched any of its vulnerable systems prior to the announcement. But other services may still be vulnerable, and since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery to conduct spying on a mass scale.

“It would not at all surprise me if the NSA had discovered this long before the rest of us had,” Blaze says. “It’s certainly something that the NSA would find extremely useful in their arsenal.”

NSA Sets Its Sights on SSL

Although the NSA could use the Heartbleed vulnerability to obtain usernames and passwords (as well as so-called session cookies to access your online accounts), this would only allow them to hijack specific accounts whose data they obtained. For the NSA and other spies, the real value in the vulnerability lies in the private keys used for SSL that it may allow attackers to obtain.

Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data.

According to documents the paper obtained from Snowden, GCHQ had specifically been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt traffic in near-real time, and there were suggestions that they might have succeeded. “Vast amounts of encrypted internet data which have up till now been discarded are now exploitable,” GCHQ reported in one top-secret 2010 document. Although this was dated two years before the Heartbleed vulnerability existed, it highlights the agency’s efforts to get at encrypted traffic.

The Snowden documents cite a number of methods the spy agencies have used under a program codenamed “Project Bullrun” to undermine encryption or do end-runs around it — including efforts to compromise encryption standards and work with companies to install backdoors in their products. But at least one part of the program focused on undermining SSL. Under Bullrun, the Guardian noted, the NSA “has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.”

Security experts have speculated about whether the NSA cracked SSL communications and if so how the agency might have accomplished the feat. Now, Heartbleed raises the possibility that in some cases the NSA might not have needed to crack SSL. Instead, it’s possible the agency used the vulnerability to obtain the private keys of companies to decrypt their traffic.

The Good News

So far, though, there’s no evidence to suggest this is the case. And there are reasons why this method wouldn’t be very efficient for the NSA.

First, the vulnerability didn’t exist on every site. And even on sites that were vulnerable, using the Heartbleed bug to find and grab the private keys stored on a server’s memory isn’t without problems. Heartbleed allows an attacker to siphon up to 64kb of data from a system’s memory by sending a query. But the data that’s returned is random — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data. Though there’s no limit to the number of queries an attacker can make, no one has yet produced a proof-of-concept exploit for reliably and consistently extracting a server’s persistent key from memory using Heartbleed.

“It is very likely that it is possible in at least some cases, but it hasn’t been demonstrated to work all the time. So even if a site is vulnerable, there’s no guarantee you’re going to be able to use [Heartbleed] to actually get keys,” Blaze says. “Then you’ve got the problem that it’s an active attack rather than a passive attack, which means they need to be able to do multiple round trips with the server. This is potentially detectable if they get too greedy doing it.”

The vulnerability didn’t exist on every site. And even on sites that were vulnerable, using the Heartbleed bug to find and grab the private keys stored on a server’s memory isn’t without problems.

The security firm CloudFlare, which has spent the last three days testing various configurations to determine if, and under what conditions, it’s possible to extract private keys using the Heartbleed vulnerability, says it hasn’t been able to do so successfully yet, though its tests have been limited to configurations that include the Linux operating system on Nginx web servers.

Nick Sullivan, a Cloudflare systems engineer, says he has “high confidence” that a private key can’t be extracted in most ordinary scenarios. Though it may be possible to obtain the key under certain conditions, he doubts it has occurred.

“I think it is extremely unlikely that a malicious attacker has obtained a private key from an Nginx server of a busy website,” he says.

So far, they believe private keys can’t be extracted from Apache servers either, though they don’t have the same level of confidence in that yet. “If it is possible with Apache, it’s going to be difficult,” he says.

A few other researchers have claimed on Twitter and on online forums that they have retrieved private keys under various circumstances, though there doesn’t appear to be a uniform method that works across the board.

Either way, there are now signatures available to detect exploits against Heartbleed, as Dutch security firm Fox-IT points out on its website, and depending on how much logging companies do with their intrusion-detection systems, it may be possible to review activity retroactively to uncover any attacks going back over the last two years.

“I suspect there are many people doing exactly that right now,” Blaze says.

So what might the world’s spy agencies say about all this? The GCHQ has a standard response for anyone who might wonder if the spooks used this or any other vulnerability to undermine SSL for their BULLRUN program. In a PowerPoint presentation the British spy agency prepared about BULLRUN for fellow spies, they warned: “Do not ask about or speculate on source or methods underpinning BULLRUN successes.” In other words, they’ll never say.

A serious vulnerability in the OpenSSL cryptography library can be exploited to intercept communications. Version 1.0.1g of the software has been released to address the issue.

The vulnerability, CVE-2014-0160, can be leveraged to steal information protected by SSL/TLS encryption because it enables an attacker to read the memory of the vulnerable systems. The security hole exposes all data transmissions, including encryption keys, usernames, passwords and the content of the communication.

The issue has been dubbed the “Heartbleed bug” because it affects the DLS/DRLS implementation of the RFC6520 heartbeat extension, and it leads to the leakage of memory contents.

The security hole is problematic because it has been around for two years, leaving a large number of private keys and other sensitive data exposed.

The flaw was uncovered by a team of engineers from Codenomicon and Neel Mehta of Google Security. Open SSL 1.0.1 through 1.0.1f are vulnerable. The branches of versions 1.0.0 and 0.9.8 are not affected.

Several operating system distributions, including Debian Wheezy, Ubuntu, CentOS, FreeBSD, OpenBSD and OpenSUSE are shipped with vulnerable versions. Researchers believe that most users are likely to be impacted, either directly or indirectly.

It’s worth noting that this isn’t an SSL/TLS design flaw. Instead, it’s an implementation problem in the OpenSSL library.

Researchers also highlight the fact that this bug is not like the recent Apple “got fail” bug, which required a man-in-the-middle (MITM) attack. Instead, the attacker can directly contact the vulnerable service, and even directly attack users connected to a malicious service.

It’s uncertain if the Heartbleed bug is being abused in the wild, but experts say that its exploitation leaves no traces. Intrusion detection and prevention systems can be programmed to detect attacks exploiting this issue, but the attacks can’t be blocked unless the security systems are programmed to block heartbeat requests completely.

Over the upcoming period, appliance, software and operating system vendors have to implement the fix. Some of them are already said to have started the process. One of them is CloudFlare, which fixed the vulnerability last week.

“This bug fix is a successful example of what is called responsible disclosure. Instead of disclosing the vulnerability to the public right away, the people notified of the problem tracked down the appropriate stakeholders and gave them a chance to fix the vulnerability before it went public. This model helps keep the Internet safe,” CloudFlare’s Nick Sullivan noted.

You can download OpenSSL 1.0.1g here

The heart of having secure transactions on the internet relies on a pair of technologies called Secure Sockets Layer (SSL), and its slightly younger brother Transport Layer Security (TLS). For most intents and purposes, they’re the same thing. You can thank TLS/SSL for the little padlock that shows up next to the address of a secure website, and the https:// those addresses start with. Meanwhile, behind the scenes, TLS/SSL is what brokers the exchange of cryptographic keys that lets a browser and a server know they are who they say they are. It’s the guardian of the secret digital handshake that keeps your private information between just you and BigSite.com.

TLS/SSL is a huge part of the internet as we know it today, and fortunately it still works just fine. What’s causing the dangerous breach is a software library called OpenSSL. It’s basically a open source package that people can use to get the protection of TLS/SSL encryption quick and easy. The only problem? It’s had a hole in it for years. A hole called “Heartbleed.”

A look inside

OpenSSL works just fine in theory, but thanks to a minor coding error and the exploits result from it, malicious folks can abuse certain (and popular!) versions of OpenSSL to grab slices of private data that should be secured by the TLS/SSL code that keeps you safe. Attackers can look inside the secret handshake and see how it’s done.

This is problematic for a couple of reasons. First, if attackers take a peek at a secret handshake you are performing when you login to your email account at Yahoo.com, they can see your information. Your username, your password, maybe even your credit card number depending on what you’re doing. There’s all kinds of juicy stuff in there.

But that’s small time spoils compared to the real danger. Attackers will also get a look at how the site that’s taking your data identifies itself. And once that half of the handshake is out in the wild, all bets are off. Not only could ne’er-do-wells use their new-found key to fool people into thinking they are a fine upstanding place of business with a good ol’ man-in-the-middle attack, they can also look back into transactions that already happened. And since they’re getting in with the master key instead of breaking through a window, these sort of attacks leave no trace.

So how does this affect me?

Fortunately not all versions of OpenSSL are vulnerable to this kind of exploit, and there’s already a fixed version of it out there. But considering how long it was broken for, that’s a cold comfort.

There’s a long list of sites that used the offending package, but because the attacks leave no trace, there’s no way of telling how many were actually attacked; you just have to assume they all were. And if you’re a user of one of them, assume your credentials are now out in the wild.

• yahoo.com
• imgur.com
• flickr.com
• redtube.com
• kickass.to
• okcupid.com
• steamcommunity.com
• hidemyass.com
• wettransfer.com
• usmagazine.com
• 500px.com

And even once those sites have patched up the actual OpenSSL hole, the problem is far from solved. Sites also have to perform the internet equivalent of changing their cryptographic locks. Even then, any data that attackers may have managed to stash before then is still vulnerable, and it always will be.

Sources: http://news.softpedia.com/news/OpenSSL-1-0-1g-Released-to-Prevent-Hackers-from-Eavesdropping-on-Communications-436397.shtml , http://news.softpedia.com/news/Heartbleed-NSA-s-Dream-Security-Flaw-436872.shtml , http://www.wired.com/2014/04/nsa-heartbleed/ , http://gizmodo.com/heartbleed-why-the-internets-gaping-security-hole-is-1560812671 ,