Friday, April 11, 2014

The Heartbleed bug and why a secure password matters even more now

In early April 2014, a huge vulnerability was uncovered in a cryptographic software library used by an estimated two-thirds of web servers currently in use around the world. This vulnerability allows an attacker to request data from the memory of any server that uses OpenSSL and potentially read unencrypted passwords, confidential or sensitive information, e-mails, or anything else the server happens to return.

According to Ars Technica:
The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website's entire cryptographic certificate.
Just how bad is this bug? Mark Loman, a malware and security researcher at SurfRight, tested a few public servers after hearing early reports of this bug and noticed that plain text usernames and passwords were being returned to him by Yahoo Mail, one of the world's most widely-used webmail services. Further investigation showed that Flickr, Tumblr, and a number of other Yahoo properties were vulnerable, potentially exposing millions of users to account compromises.

Mark posted a pair of screenshots to Twitter that show account credentials in plain text (see below). Mark courteously obscured the usernames and passwords affected, but it's not hard to imagine other people being somewhat less polite.

Tell me the truth, doctor, how bad is it?

On a scale of 1 to 10, the general consensus is 11. Remember, the servers involved have potentially been leaking their private security keys which means anyone can 'fake' being them, and you'd have no way of knowing for sure.

What does this mean for me?

If you're a systems administrator who controls a number of servers, it means lots of work to get everything patched and authenticating properly again.

One option is to start using a password manager. So many web servers use OpenSSL that it's likely some service you've encountered at some point will be compromised. Limit the attack vectors to your accounts by using unique passwords, and even if someone gains access to that forgotten account you set up once, they won't get access to that important account that you use every day.

Also use two-factor authentication wherever you can. Two-factor authentication protects you even in the event that someone does manage to get your password by requiring a second, randomly-generated "token" that expires every 45 seconds or so to allow you to access your account.

Thankfully, if you use Google Apps or Microsoft Office 365 you're safe. Microsoft doesn't use OpenSSL and instead relies on its own encryption mechanism and Google Apps/Gmail has been using forward secrecy since November 2011. Google is patching other services affected by the Heartbleed bug, but it never hurts to change your password regularly.