The Heartbleed bug hit some two thirds of this nation's internet servers. Usernames, passwords and anything else sitting in those servers' memory are at risk. There's a patch, but it's too little and too late.
The bad news is that about 600,000 servers are still vulnerable to attacks exploiting the bug. The worse news is that malicious “bot” software may have been probing servers for the vulnerability for some time: in at least one case, traces of such probes have been found in audit logs dating back to last November. Attacks based on the bug could date back even further.
Security expert Bruce Schneier calls Heartbleed a catastrophic vulnerability. "On the scale of 1 to 10, this is an 11," he said in a blog post today.
You've probably heard that those clever lads and lasses at the NSA found this security hole months ago and have been using it to break into systems. That revelation came from a Bloomberg story, which the Obama administration officially contradicts. The denial comes from Caitlin Hayden, spokesperson for the White House National Security Council.
"If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," Hayden added.
Hayden said that when US agencies discover a new vulnerability in commercial and open-source software, "it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose".
I don't know how seriously anyone is going to take this government's ringing declaration of its own virtuousness. I feel certain that the original Bloomberg story got it right.
The big question: If No Such Agency did exploit the bug, were they acting opportunistically, or did they plan this whole Heartbleed thing all along?
A German developer named Robin Seggelmann wrote the heartbeat extension code that contained the flaw. He insists that he is not a spook (for any service) and has never worked for spooks.
After he submitted the code, a reviewer "apparently also didn’t notice the missing validation", Dr Seggelmann said, "so the error made its way from the development branch into the released version." The commit logs show that the reviewer was Dr Stephen Henson.
Dr Seggelmann said the error he introduced was "quite trivial", but acknowledged that its impact was "severe".
Well...okay. But I'd like to hear more about this Henson fellow. (He is also mentioned here.)
So when and how did the NSA discover the vulnerability? The Electronic Frontier Foundation traces it back to November of 2013...
It would be very bad news if these stories were true, since they would indicate that blackhats and/or intelligence agencies may have had a long period in which they knew about the vulnerability and could use it at their leisure.
A lot of the narratives around Heartbleed have viewed this bug through a worst-case lens, supposing that it might have been used for some time, and that there might be tricks to obtain private keys somewhat reliably with it. At least the first half of that scenario is starting to look likely.
Even worse, we now have an indication that the "fix" doesn't fix enough.
The results are a strong indication that merely updating servers to a version of OpenSSL that's not vulnerable to Heartbleed isn't enough. Because Heartbleed exploits don't by default show up in server logs, there's no way for sites that were vulnerable to rule out the possibility the private certificate key was plucked out of memory by hackers. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect. Anyone visiting the bogus site would see the same https prefix and padlock icon accompanying the site's authentic server.
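Seggelmann's "missing validation" is easy to see in code, and the very same length check is what a network sensor has to apply, because, as the passage above notes, the server itself logs nothing. What follows is an added example written for this page, not OpenSSL's source: a simplified model of the RFC 6520 heartbeat handler with the pre-fix copy beside the post-fix check, plus a network-side function that reports how far past the delivered record a request asks the server to read. The function names (heartbeat_vulnerable, heartbeat_fixed, heartbeat_over_read, stage_attack, build_request), the fake_memory buffer standing in for the process heap, and the embedded session secret are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the TLS heartbeat handler (RFC 6520). Added example,
 * not OpenSSL code: the server trusts the 16-bit payload length in the
 * request instead of checking it against the record length the transport
 * actually delivered. All names below are ours. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16                 /* RFC 6520 minimum padding */
#define HB_HEADER    3                  /* 1 type byte + 2 length bytes */
#define MAX_RESPONSE (HB_HEADER + 0xFFFF + HB_PADDING)

/* Constructed "process heap": the record lives here, and so does whatever
 * happened to be allocated right after it (a fake session secret). */
static unsigned char fake_memory[1 << 17];
static unsigned char response[MAX_RESPONSE];
static const char secret[] = "SESSION_KEY=deadbeef";

/* Write a heartbeat request at dst. declared_len is what the sender claims,
 * payload_len is what is really sent. Returns the delivered record length. */
size_t build_request(unsigned char *dst, unsigned int declared_len,
                     const unsigned char *payload, size_t payload_len)
{
    dst[0] = HB_REQUEST;
    dst[1] = (unsigned char)(declared_len >> 8);
    dst[2] = (unsigned char)(declared_len & 0xFF);
    memcpy(dst + HB_HEADER, payload, payload_len);
    memset(dst + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Pre-fix behaviour: echoes `payload` bytes regardless of record_len.
 * Returns the response length, or -1 if the message is not a request. */
int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                         unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned int payload;
    (void)record_len;                       /* never consulted: the bug */
    if (*p++ != HB_REQUEST) return -1;
    payload = (unsigned int)(p[0] << 8) | p[1];
    p += 2;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xFF);
    memcpy(out + HB_HEADER, p, payload);    /* reads past the record */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return (int)(HB_HEADER + payload + HB_PADDING);
}

/* Post-fix behaviour: the same handler with the length checks the patch
 * added. Malformed requests are silently discarded (-1). */
int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                    unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned int payload;
    if (record_len < HB_HEADER + HB_PADDING) return -1;   /* too short */
    if (*p++ != HB_REQUEST) return -1;
    payload = (unsigned int)(p[0] << 8) | p[1];
    p += 2;
    /* The missing validation: the claimed length must fit in the record. */
    if (HB_HEADER + payload + HB_PADDING > record_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xFF);
    memcpy(out + HB_HEADER, p, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return (int)(HB_HEADER + payload + HB_PADDING);
}

/* Network-side check for a sensor: how many bytes beyond the delivered
 * record a request asks the peer to echo (0 for a well-formed request). */
size_t heartbeat_over_read(const unsigned char *rec, size_t record_len)
{
    unsigned int payload;
    if (record_len < HB_HEADER || rec[0] != HB_REQUEST) return 0;
    payload = (unsigned int)(rec[1] << 8) | rec[2];
    if (HB_HEADER + payload + HB_PADDING <= record_len) return 0;
    return HB_HEADER + payload + HB_PADDING - record_len;
}

/* Stage a request claiming declared_len bytes but carrying "ping", with the
 * secret placed immediately after it as an adjacent heap object would be. */
unsigned char *stage_attack(unsigned int declared_len, size_t *record_len)
{
    unsigned char *rec = fake_memory + 100;
    memset(fake_memory, 0, sizeof fake_memory);
    *record_len = build_request(rec, declared_len,
                                (const unsigned char *)"ping", 4);
    memcpy(rec + *record_len, secret, sizeof secret);
    return rec;
}

int main(void)
{
    size_t rlen;
    unsigned char *rec = stage_attack(64, &rlen);   /* claims 64, sends 4 */
    int n = heartbeat_vulnerable(rec, rlen, response);
    printf("vulnerable: %zu-byte record, echoed %d bytes, leaked: %s\n",
           rlen, n, (const char *)(response + HB_HEADER + 4 + HB_PADDING));
    printf("fixed: %d (dropped)\n", heartbeat_fixed(rec, rlen, response));
    printf("over-read requested: %zu bytes\n", heartbeat_over_read(rec, rlen));
    return 0;
}
```

With a claimed length of 64 and a 23-byte record, the old handler echoes 83 bytes and the fake session secret comes back inside them; the fixed handler returns -1 and sends nothing. A real attacker sets the claimed length to 0xFFFF and repeats the request to sweep up to 64 KB of heap per round trip, and nothing in the server's own logs records any of it, which is why the passage above says a site that ran a vulnerable build cannot rule out that its private key was taken. The over-read check is the condition a network sensor can alert on, since it needs only the record length and the two-byte claim.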
So what does this mean?
When you visit your web-based email site, are you really there, or are you somewhere else?
I've read some comments indicating that OpenVPN is vulnerable. I don't know if any other VPNs have been compromised.
The recommended course of action: Change all of your passwords. Personally, I wouldn't do that until we hear that the Heartbleed problem has been solved once and for all.