Sunday, April 20, 2014

Getting over the Heartbleed

Not the love life, the life Online

The simple explanation:
Heartbleed allows a hacker/attacker to have access to a random chunk of memory on the server that contains ur encryption keys or un-encrypted passwords, site data etc while the hacker remains anonymous. You would not know if it hit you.



What can the end user do???
Check if your provider/website of which you are a member of has patched the heartbleed bug. 
Here's the list of websites which have been affected by the heartbleed bug.
 Just change the Password.



 Android users update ur phones.

In detail:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which are designed to provide communication security over the Internet. 
One library that implements TLS is OpenSSL.

66% of the websites use OpenSSL, so knowingly or unknowingly u have been bugged.

A few versions earlier to the current OpenSSL, the negotiation between the client and server before sending expensive data was expensive. Most of the time the packets used to get lost or corrupt due to too many requests and need to drop its end of the TLS connection.
So the guys at the OpenSSL formulated a solution. i.e A way of telling that the server is available or its currently overwhelmed by different requests.  This way of telling if the server was available was done with the help of "KEEP ALIVE" messages known as "HEARTBEATS".


How does the HEARTBEAT work?
ex: suppose you send an request as a payload "you there man" the size is 13 so the webserver to whom you requested stores the payload as well as the size 13 into its memory. So when you send the "keep-alive" request the message is sent back to the client this is done by reading the message out from the memory of the server where it was stored following 13 places(size of ur payload).So, ur connection is kept alive.


The FLAW: Heartbleed
OpenSSL library never checked that the Heartbeat payload size corresponds with the actual length of the payload being sent.  A user is allowed to input any number up to 65535 (64 kilobytes) regardless of the true size of the payload. 
So now the attacker will send an heartbeat request for 64kb even though his payload size is 13 bytes. The server will start responding to the heartbeat request by sending the first 13 bytes and  continuing upto 64kb from the server memory to the client. The data received by the client will contain encryption keys, usernames, unencrypted passwords, user information, site information etc etc . In short whatever is put onto the server memory which is relatively everything.
All this can be performed anonymously and in a repeated manner so accessing different parts of the server memory. 


The CURE:
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
--Official Statement
Check if your site is affected by using this tool by LastPASS

You need to revoke your current secret TLS keys and regenerate new ones. Coz there is no telling if you have been hit and run coz all these attacks are anonymous. 

Android users of V.4.1.1 Jellybean, need to update their phones. (Better to update all android devices irrespective of the version) Download Lookout’s Heartbleed Detector or Bluebox’s Heartbleed Scanner apps, both of which will tell you if your Android device is affected by the bug.

Change ur passwords of websites that are affected(atleast by a letter) 

Even VPN's are suffering from Heartbleed. You will have to regenerate the client certificates. http://www.pcworld.com/article/2144962/vpn-provider-proves-openvpn-private-keys-at-risk-from-heartbleed-bug.html

Don't stop there, coz even if you have patched it from the patch received from the vendor there still might be a lot of ways to steal the information. Everyone's checking and trying to find out more vulnerabilities (so should you) and a few have found too like the Reverse HeartBleed


Reverse Heartbleed
The Heartbleed bug (CVE-2014-0160)can be used to attack clients as well as servers. Many organizations have hosts which initiate outbound SSL connections (pulling updates, fetching images, or pinging webhook URLs). These hosts are often on a separate infrastructure (with different SSL dependencies) within the organization firewall. These hosts may be vulnerable to the reverse Heartbleed attack. 
This is the tool to check for it. https://reverseheartbleed.com/

Reverse Heartbleed is more tricky for the attacker however once you have patched the heartbleed the reverse heartbleed becomes more trickier.


This bug has been around for 2 years
There are claims that no hackers knew about this and it was the researchers who found about it probably the NSA and Google(since a month) knew it. 
The race is on to find the next bug. It's got a reward too. http://www.theregister.co.uk/2014/04/16/open_ssl_crowdfunding/

Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, along with most Microsoft Services, are not impacted by the OpenSSL “Heartbleed” vulnerability. Windows’ implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections. 


 References:
https://xkcd.com/
http://security.stackexchange.com




No comments: