‘Heartbleed’ puts Internet security at risk

SAN FRANCISCO — The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability.

Consumers started to receive a trickle of notices from services they use online alerting them to potential issues and recommended steps, such as changing passwords. But given the scope of the issue, security experts projected that it could take years to sew up all the holes created by the Heartbleed bug.

“This is one of the worst security issues we’ve seen in the last decade and will remain within the top 5 for many years to come,” said Adam Ely, founder and chief operating officer of Bluebox Security.

Added Jeff Forristal, Bluebox chief technical officer: “OpenSSL is extremely pervasive on all manners of devices, systems and servers. It is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years.”

Heartbleed is a vulnerability in OpenSSL, a technology used to provide encryption of an estimated 66 percent of all servers on the public Internet. OpenSSL is an open-source code developed and maintained by a community of developers, rather than by a single company.

Although such jargon is unfamiliar to average users, most people online probably have seen the green padlock icon in the address bar of their browser, followed by “https” that indicates that the OpenSSL added security has been enabled.

The vulnerability was found separately last week by Neel Mehta, a security researcher at Google Inc., and a team of engineers at Codenomicon, a security website that has since created a site with information about Heartbleed.

On Tuesday, Tumblr, owned by Yahoo Inc., disclosed that it had been hit by Heartbleed and urged users to change not just the password for its site but for all others as well.

Signaling just how much uncertainty and confusion surrounds the glitch, security experts warned that such a gesture might actually be useless because if a site has not fixed the problem hackers could just as easily steal the new password.

“The scope of this is immense,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, a Salt Lake City cybersecurity company. “And the consequences are still scary. I’ve talked about this like a ‘Mad Max’ moment. It’s a bit of anarchy right now. Because we don’t know right now who has the keys and certificates on the Internet right now.”

It appears the bug was introduced into OpenSSL by a programming mistake that got pushed out as websites around the world updated their version of OpenSSL.

After the discovery last week, news spread quickly around the Web as the implications became clearer. As Tumblr made its announcement, security experts found numerous “exploits” or simple pieces of software widely available online that hackers could use to attack sites left vulnerable by Heartbleed.

By running such exploits, a hacker could in just a few seconds download countless emails, passwords, user IDs and much other personal information.

“Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it,” said Jonathan Sander, vice president of research and technology for Stealthbits Technologies, a cybersecurity firm in Hawthorne, N.J.

An updated version of OpenSSL has been issued, and sites can use that to fix the bug. In addition to updating OpenSSL, sites will need to update many pieces of their security protocols.

But Internet users now face a dilemma: How do they know they can trust a site?

A website created by Filippo Valsorda, an Italian cyber security expert, promises to vet websites for safety. The tool tests websites by trying to exploit them using the Heartbleed bug, Valsorda said.

Valsorda said that he built the tool in a few hours but that he has kept working on it to improve how it works. He said the website, at http://filippo.io/Heartbleed, was being used about 7,000 times per minute Wednesday.

A check of the website Wednesday listed many popular sites as secure, including Facebook, Twitter, Gmail, Amazon and Yahoo.

Besides checking to make sure websites are secure, Valsorda recommends that users also keep an eye out for statements from their most frequented websites in case they were hacked through the Heartbleed bug.

Experts worry that hackers can use security information gathered via Heartbleed to create fake copies of real sites that will induce users to disclose more information.

“Avoid things like online banking and avoid sensitive sites if you’re not sure,” said Andrew Storms, director of DevOps at CloudPassage. “Some people will see it as overkill. But I think that’s the simplest guidance.”

What’s making the security community so nervous is just how little is known about how widely the vulnerability has been exploited to get personal and commercial information.

“This is an excellent example of vulnerabilities that exist within encryption products just waiting to be discovered,” said Lucas Zaichkowsky, enterprise defense architect for AccessData. “This particular programming error was introduced in December 2011 with OpenSSL version 1.0.1. Criminals could have been using it. Intelligence agencies like the NSA could have been exploiting it. It’s hard to say what those organizations have in their arsenal, being used quietly.”

The bug is also raising questions about the wisdom of relying on such a single standard.

“Having common technology is typically viewed as a good thing. But it can also lead to assumptions,” Sander of Stealthbits said. “People assume the parts they use are safe if everyone uses them. If deep testing isn’t being done by the good guys to make sure those parts stay safe over time, then you can be sure the bad guys will find the faults first.”

Added Mark Bower, vice president of product management and solution architecture for Voltage Security:

“Security vulnerabilities will always exist, and provide the ideal beachhead for attackers to establish the data-stealing malware infantry front line. In this case, Heartbleed’s significant data theft risk also emphasizes the need to take a different approach to data protection above and beyond SSL.”

It’s also led to a debate about the reliability of open-sourced security tools.

“This is really serious and a big blow to the credibility of open source,” said Phil Lieberman, president of Lieberman Software in Los Angeles. “This is very bad, and the consequences are very scary now that it has been disclosed. The fact that this code is on home- and commercial Internet-connected devices on a global scale means that the Internet is a different place today.”

More in Herald Business Journal

Stan Jones (left) father of Vice Chairwoman Teri Gobin, gets a handshake from Jared Parks while Herman Williams Sr. hugs Bonnie Juneau (right) after the Tulalip Tribes and Quil Ceda Creek Casino held a groundbreaking ceremony for the new Quil Ceda Creek Casino Hotel on Tuesday at the Tulalip Reservation. The casino hotel will be built on 16 acres of ancestral tribal land and will feature a main casino that will showcase as many as 1,500 slot machines. (Andy Bronson / The Herald)
Tulalips break ground on new Quil Ceda Creek Casino Hotel

A 150-room hotel was added to what is now a $140 million project in Tulalip.

Teddy, an English bulldog, models Zentek Clothing’s heat regulating dog jacket. (Ian Terry / The Herald)
Everett clothing company keeps your dog cool and stylish

Zentek uses space-age fabrics to moderate the temperature of pets and now humans.

Trudeau snubs Boeing, unveils plan to buy used Aussie jets

Trudeau will be assessing the impact fighter jet contracts have on his country’s economy.

Boeing raises dividend 20%, continues stock buyback program

The manufacturer said it has repurchased $9.2 billion worth of its shares this year.

Everett engineers learn lessons from Mexico City catastrophe

Structural scientists went to help after the September earthquake there and studied the damage.

Providence Hospital in Everett at sunset Monday night. Officials Providence St. Joseph Health Ascension Health reportedly are discussing a merger that would create a chain of hospitals, including Providence Regional Medical Center Everett, plus clinics and medical care centers in 26 states spanning both coasts. (Kevin Clark / The Daily Herald)
Merger would make Providence part of health care behemoth

Providence St. Joseph Health and Ascension Health are said to be talking. Swedish would also be affected.

Hospital companies merge as insurers encroach on their turf

An anticipated deal between Providence St. Joseph Health and Ascension is only the latest.

DaVita to sell off medical groups including The Everett Clinic

Another round of health care consolidation means The Everett Clinic could soon get new ownership.

Engine trouble hits Air New Zealand’s 787 Dreamliners

A Rolls-Royce engine was shut down and was afterward found to be seriously damaged.

Most Read