
Internet sites scramble to patch 'Heartbleed' bug, reassure users

April 09, 2014 | By Chris O'Brien

The "Heartbleed" bug was discovered in the OpenSSL encryption software. (OpenSSL)

As word spread this week about the dreaded "Heartbleed" bug, consumers and websites struggled to understand the implications and sort through some of the more apocalyptic pronouncements being made about the problem.

Consumers started to receive a trickle of notices from services they use online alerting them to potential issues and recommended steps, such as changing passwords. But given the scope of the issue, security experts projected that it could take years to sew up all the holes created by the Heartbleed bug.

"This is one of the worst security issues we've seen in the last decade and will remain within the top 5 for many years to come," said Adam Ely, founder and chief operating officer of Bluebox Security.

Added Jeff Forristal, Bluebox chief technical officer: "OpenSSL is extremely pervasive on all manners of devices, systems and servers. It is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years."


OpenSSL is a technology used to provide encryption for an estimated 66% of all servers on the public Internet. It is open-source code that is developed and maintained by a community of developers, rather than by a single company.

The "Heartbleed" bug was discovered separately last week by Neel Mehta, a security researcher at Google, and a team of security engineers at Codenomicon, a security website that has since created a website with information about Heartbleed.

It appears the bug was introduced into OpenSSL by a simple programming mistake that then got pushed out as websites around the world updated the version of OpenSSL they were running.

An updated version of OpenSSL has been issued, and sites can use that to fix the bug. In addition to updating OpenSSL, sites will need to update many pieces of their security protocols known as keys and certificates that help them confirm the identity of users.

On Wednesday, Firebase, a mobile app development service, sent an email to users alerting them that the company had made the necessary changes to patch the bug and update its security protocols. 

"We do not have any evidence that passwords or any other private information has been compromised," the company said. "However, given that this exploit existed in the wild for such a long time, it is possible that an attacker could have stolen passwords without our knowledge. As a result, we recommend that all Firebase users change the passwords on their accounts."

SoundCloud also alerted users that it had made the necessary changes and that they had all been logged out. 

"When you sign back in, the fixes we’ve already put in place will take effect," the company said on its blog. "You should also change your password. We are not aware of any exploitation of this vulnerability on SoundCloud."

Security experts suggest users find out whether a service has updated its OpenSSL version and made the necessary security changes before changing their password. Otherwise, it's possible that a hacker may just grab the new password. 

"To be sure that attackers won't be able to use compromised data, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library," said Jaime Blasco, labs director for AlienVault.

The revelation of the bug has alarms ringing across the Web because OpenSSL had become so widely adopted. 

"No doubt, the bug is a serious concern," said Andrew Storms, director of DevOps at CloudPassage. "OpenSSL is the de facto standard for implementing encryption in just about every open-source application and even many commercial software products. Every time security-related problems are discovered in OpenSSL, huge swaths of Internet services require an update and a reboot. The fact that the bug has been in the OpenSSL code train since December of 2011 just increases the likelihood that the list of affected systems is staggering."

What's making the security community so nervous is just how little is known about how widely the vulnerability has been exploited to get personal and commercial information. 

"This is an excellent example of vulnerabilities that exist within encryption products just waiting to be discovered," said Lucas Zaichkowsky, enterprise defense architect for AccessData. "This particular programming error was introduced in December 2011 with OpenSSL version 1.0.1. Criminals could have been using it. Intelligence agencies like the NSA could have been exploiting it. It’s hard to say what those organizations have in their arsenal, being used quietly."

The bug is also raising questions about the wisdom of relying on such a single standard.
