What you need to know (and do) about the Heartbleed bug


If, like us, part of your business consists of solutions hosted in the cloud, you have important personal assets online, or you recently bought something online, your heart probably stopped for a second when you first heard about the Heartbleed bug. “Massive security bug”, “Devastating worldwide security flaw”… we all saw something similar making the headlines. Should I remove my documents stored online? Should I quickly look in my bank account and check if anything is missing?
Yes, when such news reaches the headlines of non-IT magazines, and when all the network security people around the world are in panic mode, it’s probably time to have a serious look at what is actually going on.
Among the “big bugs” that have hurt big names of the web such as Facebook, Amazon and Dropbox, only a few reach the level of damage that Heartbleed can cause. But is everyone actually affected? Fortunately not, starting with most financial institutions and other sites (including Nikec’s) that don’t use the OpenSSL technology. Relief!

Let’s take a moment to clarify the topic and understand what we are talking about. Here is what you need to know about Heartbleed.

What is Heartbleed?
Heartbleed has a logo and a reference number: CVE-2014-0160
In short, Heartbleed is a programming flaw whose exploitation compromises the secret keys used to encrypt data transfer between your terminal and the service you are using. Usernames and passwords, financial information and other encrypted data can be captured via eavesdropping or stolen directly from the service, without anyone noticing. The services in question can be shopping, file transfer, e-mail… and they rely on servers and various technologies which define, among other things, how your exchanges are secured.

The Heartbleed bug allows anyone on the Internet (with some hacking skills) to read parts of the memory of the systems running the services you are accessing.

Services on the Internet are protected by the SSL/TLS (Secure Sockets Layer / Transport Layer Security) encryption protocols. As with everything in IT, there are different versions of these protocols, and different ways to implement them.
Heartbleed affects only systems that are protected by the OpenSSL technology. OpenSSL is the most popular open source cryptographic library and TLS implementation. About 66% of web servers rely on it to encrypt data and keep things secure. Facebook, Gmail, Dropbox and Amazon all use OpenSSL.

How does Heartbleed work?
In the OpenSSL library there is an extension called Heartbeat (hence the bug’s name) which allows the secured session to be kept up and running even though no data is going through. Without the heartbeat, the secured session would drop and would need to be re-established, manually or by the server, either way requiring some effort. That’s where the bug lies.

In a service transaction between one computer and another, Heartbeat sends requests (small packets of data) from one to the other. The computer that receives the request is required to echo it back to the sender.
The packet sent by Heartbeat contains several values, in particular the payload (the actual useful data, without all the transport and descriptive information) and a field stating the size of this payload. The packet returned by the other computer contains the same payload plus some padding. The flaw lies in how the consistency of what is sent and returned is checked. To put it simply, OpenSSL trusted the payload size stated in the request and copied that many bytes into the response, without checking that the request actually contained that much data.

How Heartbleed works


The hacking consists in sending a request that declares a standard payload size (around 64 bytes) but actually carries an empty or 1-byte payload. The receiver stores this tiny payload in memory and then, trusting the declared size, copies that many bytes from OpenSSL’s memory into the reply it returns to the attacker. That memory is filled with transaction information, including, for example, the encryption key or your password. As the actual size is never checked, the fact that the returned packet is 64 bytes and no longer 1 byte goes unnoticed.
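To make the missing check concrete, here is an added illustration in C (not code from this article or from OpenSSL): a toy heartbeat handler with the unpatched “trust the declared length” behaviour beside the patched one, run over a constructed record that declares a 64-byte payload while carrying a single real byte. The memory layout and the “SESSION-KEY-FRAGMENT” bytes are constructed for the demonstration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16 /* a TLS heartbeat record ends with at least 16 bytes of padding */

/* Constructed stand-in for the receiver's memory (illustration only, not OpenSSL's layout):
 * a heartbeat request carrying ONE real payload byte but declaring a payload length of 64,
 * followed by data that was never meant to leave the process. */
static uint8_t process_memory[96] =
    "\x01\x00\x40" "A"                 /* type=1 (request), length=0x0040 (64), payload "A" */
    "\x00\x00\x00\x00\x00\x00\x00\x00" /* 16 bytes of padding ...                           */
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "SESSION-KEY-FRAGMENT";            /* adjacent memory, e.g. key material or a password   */
static const size_t record_len = 1 + 2 + 1 + HB_PADDING; /* bytes actually received: 20 */

/* Unpatched behaviour: trust the declared length and copy that many bytes from the start of
 * the payload into the reply. Returns the number of bytes echoed. */
static size_t heartbeat_echo_vulnerable(const uint8_t *rec, uint8_t *out)
{
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + 3, declared);    /* reads 63 bytes past the single real payload byte */
    return declared;
}

/* Patched behaviour (OpenSSL 1.0.1g): compare the declared length with what was actually
 * received and silently discard the record if it does not fit. Returns 0 when rejected. */
static size_t heartbeat_echo_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;            /* too short for header + padding */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + declared + HB_PADDING > rec_len) return 0; /* the missing bounds check */
    memcpy(out, rec + 3, declared);
    return declared;
}

/* Did the echoed payload include bytes lying beyond the real payload and its padding? */
static int response_leaks_secret(const uint8_t *out, size_t n)
{
    return n >= 1 + HB_PADDING + 11 && memcmp(out + 1 + HB_PADDING, "SESSION-KEY", 11) == 0;
}

int main(void)
{
    uint8_t reply[256];
    size_t n = heartbeat_echo_vulnerable(process_memory, reply);
    printf("unpatched: echoed %zu bytes, secret leaked: %s\n", n, response_leaks_secret(reply, n) ? "yes" : "no");
    n = heartbeat_echo_fixed(process_memory, record_len, reply);
    printf("patched:   echoed %zu bytes (0 = record rejected)\n", n);
    return 0;
}
```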

Now what can you do? 
First you need to check whether the services you are using are vulnerable to the Heartbleed bug. Several websites allow visitors to enter a domain name and see whether that website is still affected.

Most of the affected sites, such as Gmail, YouTube, Facebook, Tumblr and Yahoo, have been patched. But millions of other sites are still affected. If you feel you are not sufficiently informed by your service provider, do not hesitate to ask for clarification directly.

Clearly, as a user, there is not much you can do aside from exercising particular caution on the web and avoiding those services that you find are not fixed.
Still, you are advised to change your passwords, even if the sites themselves aren’t issuing that advice directly (as is the case with Google), if only as a precautionary measure. The bug has been around for 3 years already and there is no guarantee that your information wasn’t already compromised.
Also note that some antivirus solutions now include a scanner that notifies you if you are browsing a potentially affected website.

As an IT manager or service developer, if you are in any doubt about your servers’ security, test them for the bug and update them as soon as possible with the appropriate patch. The good news is that OpenSSL fixed the flaw with the release of OpenSSL 1.0.1g and that operating system vendors are now delivering the OpenSSL patches to their clients.

A quick word on our solutions
As a cloud solution provider we must clarify the situation with our products. And it is very simple: Nikec Docstore, our cloud solution for file transfer and online collaboration, does not use OpenSSL and is therefore NOT affected. We develop in a Microsoft Windows environment that provides its own implementation of the SSL/TLS protocols.





Gilles Hameury
Nikec Solutions [ www.nikecsolutions.com ]



Nikec Docstore is a mobile application designed for professionals which allows storing any type of file, accessing them remotely from a computer or an iPad, and sharing them with authorised colleagues or clients. By combining ease of use with the level of security required in the exchange of working and sensitive documents, Nikec Docstore is ideal for mobile professionals and collaborative work. Plus, the application is available on premise or in the cloud (SaaS), so you always keep full control of your documents.