Jump to content
Science Forums

Recommended Posts

Posted

This is the most succinct explanation I can find on how the Heartbleed bug works that I've stumbled upon so far, created by the inestimable XKCD (click the image to embiggen):

 

Source: "Heartbleed Explanation" xkcd.com 

 

 

 

Simple explanation is there's a function called "Heartbeat" that is part of the SSL (actually TLS, but to use the colloquial term here) specification that allows a client to ask a web server if it's still there by sending a small message and then getting it back to verify that the server hasn't gone down and let it know you're still connected. The bug is specific to OpenSSL, an open source library that implements SSL/TLS, that oodles of different software vendors have baked into their web servers, firewalls and other network software because its free and they don't want to build one of their own. 

 

The "Heartbleed bug" (ironic twist in the name) basically lets anyone ask any web server that has an OpenSSL implementation to hand over a random chunk of memory up to 64K big. This is of course really really bad if there just happens to be some passwords or other information you'd like to have be secure in there.

 

Now while the fact that those kinds of things are a little bit more likely to be in the memory space used by a web server than just any chunk of memory (and we're talking RAM here, not disk or information in databases), it is still an entirely random block of memory, and might just be filled with your previous requests to steal memory. Even once you have it, you still have to figure out what's there and if any of it is useful.

 

This all makes it really difficult to do a systematic attack that would say read the *entire* memory of the computer because there's no way to ask for a *specific* "up to 64K" chunk, you just get what happens to be after where your request got plopped by the server on the memory stack.

 

It definitely is easy to do, and it's untraceable (because your request gets thrown away without being logged), but the work involved in getting and analyzing a (possibly highly redundant) set of stolen data means it's not very profitable unless the web site is a very high value target (e.g. DoD, Banks, etc.).

 

So the bottom line is that it looks like there has not been a huge amount of data that's been stolen using this bug, in fact we may find out that NO ONE has ever exploited it successfully to steal your money (although plenty of white hats have tested it and probably a bunch of black hats are trying now (and the NSA has gone after "bad guys" with it, see below)). If you want to be paranoid, don't log in anywhere on the internet for a few days until your favorite web site has announced it's fixed, and then change your passwords.

 

I'll cynically note that this is Open Source software and affected all the open source stacks like Apache and Android, but it looks like since Microsoft writes all their own stuff, that IIS (Microsoft's web server software)-based systems (although some of Microsoft's servers are running Apache (!) and they're still checking those) were not subject to this bug at all (thus the early reports that "two thirds of the Internet is affected"). The majority of the biggest banks are running IIS, so your money in a lot of cases is probably safe

 

 

Even the most dangerous look less threatening when they are dead, :phones:

Buffy

Posted

...and yes, the NSA knew about it, exploited it and didn't tell anyone cuz' it was SOOOOOOO useful....

 

We have to have our priorities straight, people! It's so obvious that it's more important to help the FBI entrap mentally ill "terrorists" than to let it continue to be incredibly easy for hackers steal your money! 

 

 

War is much too serious a matter to be entrusted to the military, :phones:

Buffy

Posted

It doesn't affect our servers at work as they aren't open-source.  I was a little worried about the bank we use, until I found out we were okay.  The fact that they've known about this for so long and did nothing about it is disturbing.

Posted

One of the open issues in assessing the risks from the Heartbleed bug has been whether it was possible to get at a web server's secret SSL certificate using the bug. It's now been shown that it can be done.

 

If a hacker can steal a web site's secret SSL certificate, he can set up another server somewhere that looks to your average user like it actually is his bank that he's connecting to, and the hacker could in theory be able to redirect traffic and set up a site where people would happily enter their passwords.

 

There are issues with this scenario that make it less of a threat than might be imagined:

  • It turns out that for the reasons I outlined above about having access to only a random 64k chunk of the computer's memory, that in most cases the certificate is going to be a long way away from the area in memory that the hackers have access to, and thus most of the time basically impossible to get to. In the test in the linked article, the server was rebooted in the middle of the test and that was what probably put the certificate close to the windows of data the test hackers could get access to.
  • The scenario for impersonating the victim website is no small task. Most banks have started adding "site keys" that do a challenge/response just on your username where they show you a picture or quote that you can verify you've given them before submitting your password. But short of that, host sites have pretty elaborate content that also makes it easy for regular users to notice quickly that "something is wrong" if they do manage to click a link that sends them to an impersonated site.
  • Finally there's the issue of getting people to click a link to get them to the impersonated site: there are many ways to do this, but again, it's an issue of getting the link in a place where people feel comfortable clicking, and that's getting harder and harder.

So again, the work required to actually exploit this bug is pretty high, and while it'd be worth it if it was a very high value site, it could be done but it would still require both an incredible amount of time and effort and a lot of luck thrown in for good measure.

 

Anyone who takes a close look at their Spam folder knows that 99.9% of the spam that gets sent is from clowns who have no idea what they're doing, and while the big crime syndicates are getting better at this, there are much easier ways to go after little fish than this. You still have a much greater chance of falling for a Nigerian Scam than losing money due to Heartbleed....

 

 

Anything not worth doing is worth not doing well, :phones:

Buffy

  • 2 weeks later...
Posted

This was a really fascinating virus. It hit so many services. Luckily the solution was a quick and easy patch! Bring on the next one! ummm.... wait, no :D

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...