The Heartbleed Impact So Far
October 8, 2014
• 0 Comments
On April 7, 2014, a widespread encryption software bug dubbed Heartbleed, which allowed attackers to access random sections of a server's recently used code, was revealed. Because of the potential to steal keys and passwords, computer forensics experts expected the Heartbleed impact to be among the worst in the history of Internet bugs.
Heartbleed affects certain versions of the open-source encryption software OpenSSL, specifically the optional Heartbeat feature, which allows servers to maintain an open connection when information is not being transmitted. A maliciously malformed Heartbeat could elicit a longer response than intended: up to 64 KB of random data. For a fantastic illustration of the bug, check out the Web comic xkcd.
The Potential Impact of Heartbleed
The bug was named and revealed by security firm Codenomicon, which described its tests of the bug in clear, dire terms: "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business-critical documents and communication."
The potential for widespread damage was enormous, especially considering the ubiquity of OpenSSL, which is incorporated into the widely-used Apache and nginx servers. Together, these servers were used for over 66 percent of sites on the Internet. Not all of these sites used OpenSSL, however, and not all of those had Heartbeat enabled. Taking these factors into account, the total number of vulnerable websites was a mere 600,000 websites, or 20 percent of the secure sites on the Web, according to a recent report from McAfee.
The announcement of the bug created a dangerous situation: a race between hackers and patchers. This problem was presumably the lesser of two evils; if hackers were already executing Heartbleed attacks — initially thought to be undetectable — then any delay in announcing the vulnerability would give them more time to attack before sites were patched.
The Actual Heartbleed Impact
So how bad was Heartbleed? There were reports that logs had recorded activity that resembled Heartbleed attacks as far back as November 2013, five months before the bug was announced, according to the Electronic Frontier Foundation. On April 11, four days after Codenomicon revealed the bug, a hacker stole 900 Social Insurance Numbers from the Canadian Revenue Agency, according to the BBC. Four days later, IBM observed 300,000 attacks on their security services clients in 24 hours. In one interesting reversal, reported by the BBC, a French computer security researcher used Heartbleed to hack into secure online forums used by criminal hackers.
In the months since April, however, no major breaches were announced until August, when TIME reported that Chinese hackers had used Heartbleed to attack Community Health Systems, a large U.S hospital chain. The attackers gained access to security keys, which they used to steal data that included the Social Security numbers, dates of birth and addresses of 4.5 million patients. The initial attack occurred in April.
Despite the lack of widespread, publicly-known, successful Heartbleed attacks, many others likely occurred. Hackers who obtained security keys in the window between learning of Heartbleed and a server implementing a patch could continue to use those keys long after the patch until the server changed the keys.
Additionally, not all servers have implemented a patch; according to the McAfee report mentioned above, more than 300,000 of the estimated 600,000 initially vulnerable websites remained unpatched as of August.
While Heartbleed has yet to prove as damaging as predicted, it is still too early to know its ultimate impact.
Photo credit: Wikimedia Commons