The crown jewel of secure websites is a single string of data - a very long jumble of letters and numbers and symbols that looks like gibberish. The Heartbleed bug allows hackers to crack it.
Security professionals demonstrated last weekend that the recently disclosed Heartbleed bug can be exploited to allow criminals and intelligence agencies to make off with one of the most sought-after prizes in hacking: the private keys that websites rely on to decrypt sensitive information, including passwords, banking details and health data.
At least six people were able to extract the private key of a website in a test of the bug’s viability organized by CloudFlare Inc., said Nick Sullivan, a security architect with the Internet security company. The results suggest hackers have stolen encryption keys using the bug and are planning attacks, he said.
The company set up the competition after stating in an April 11 blog post (which was reported by the New York Times) that stealing keys appeared to be very hard or impossible using Heartbleed, one of the biggest holes in the history of the Internet. “It turns out we were wrong,” CloudFlare now says. Sullivan said in an e-mail Sunday that the company was planning to replace the keys it manages for clients anyway to be safe and that the contest “made us more confident that the cost was worthwhile.”
The evidence that a widely used form of encryption called OpenSSL can be undermined, giving attackers potential access to websites’ future and past communications, validated fears about Heartbleed’s danger and added urgency to efforts now entering their second week to fix computer systems containing it.
Since its discovery, there has been much discussion about how the flaw could have gone undetected for so long and whether criminal hackers or government intelligence units might have exploited it.
Bloomberg News reported April 11 that the National Security Agency knew about the bug for two years and made it part of its hacking toolkit. The NSA has since denied that it knew of the Internet hole before an April 7 report by private security researchers.
Millions of smartphones and tablets running Google Inc.’s Android software are vulnerable to the bug, as are networking products from Cisco Systems Inc. and Juniper Networks Inc. Dozens of entities are conducting Internet-wide attack attempts seeking to exploit Heartbleed, including computers in China that have been associated with hacking, said J. Alex Halderman, an assistant professor of electrical engineering and computer science at the University of Michigan tracking the attacks.
Sites have no way of knowing if their encryption codes have been stolen, and criminals will soon find ways to automate techniques for taking them, said Jeremiah Grossman, a Web application specialist and founder of WhiteHat Security Inc.
“Exploitability matters a great deal!” Grossman wrote in an e-mail. “After that proof is done, then the black hat tool to make it scale will come next. And just because the issue is patched, doesn’t mean the risk is over - far from it.”
Serious Internet Hole
Heartbleed, the result of a simple programming error, is the kind of security hole that is discovered every few years, widespread and serious enough that it sends technology companies around the world scrambling to protect their networks.
Writing the code to exploit it takes creativity and patience. Good exploit code is something of an art form, and skilled hackers have signature techniques. Finding a bug and figuring out that it is exploitable are just the first steps.
Intelligence agencies and criminal syndicates take what they know and create hacking packages that can be used off-the-shelf to compromise networks. Thus, a single bug can spawn multiple types of attack bundles. The goal is to maximize the ability to penetrate a target, while minimizing the chance of discovery.
The Heartbleed bug could therefore have many consequences, but the ability to steal private encryption keys is the most severe.
In encryption, private keys are like the keys to a house. Only you have them, and they are closely guarded. Public keys, on the other hand, are what everyone on the Internet sees when they want to communicate securely with a website. The two are paired.
Stealing the private key gives an intruder unfettered access to their targets, allowing them to capture data flowing between websites’ servers and users’ computers.
So far, efforts to fix vulnerable systems appear to be working. The majority of websites that had the bug have applied a software patch that protects them. About 12 percent have not, according to a site called istheinternetfixedyet.com tracking the progress.
An urgent concern now is that they all revoke the Secure Sockets Layer, or SSL, digital certificates that handle their data encryption and contain keys that might have already been stolen by hackers.
The researchers who discovered Heartbleed said the bug could exist inside hundreds of millions of websites, based on the market share of the open-source software that uses OpenSSL. The number is actually closer to 500,000, because only a fraction of sites had the vulnerable functionality turned on, according to Netcraft Ltd., a cyber-security firm based in Bath, U.K., whose data the researchers used for their original estimate.
Of the vulnerable sites, just 30,000 have taken the step of revoking their encryption certificates, leaving the rest exposed to potential attack, Netcraft said.
An attack would look like what Ben Murphy, a 30-year-old software developer in London, did on Saturday after his morning run.
In a matter of a few hours, Murphy took a publicly available program designed to exploit Heartbleed flaws, modified it and trained it on CloudFlare’s contest server using two machines from Amazon.com Inc.’s cloud-computing service. Out popped the private key before lunch.
The attack required a basic understanding of encryption, information that could probably be obtained from an introductory course on the subject, Murphy said.
“I don’t think dumping the private key was that difficult,” he wrote in an e-mail.
CloudFlare’s test site got 44 million hacking attempts from 2,921 unique Internet Protocol addresses, the company said. The number of contestants was smaller because some people used multiple computers.
The contest was designed as a realistic simulation for an attack, and the contest server used the same software as one-seventh of all websites, Sullivan said.
Ilkka Mattila, an information-security specialist with the National Cyber Security Centre in Finland, said he was preparing food and watching television while his program stole the key with relative ease.
“The implications were mind-boggling,” Mattila wrote in an e-mail. “Not only would anyone with a stolen key be able to impersonate any vulnerable service, but also any previous communication encrypted with the same key would be at risk. I immediately recalled the stories about large intelligence organizations storing huge amounts of encrypted traffic ‘in case they might be decrypted in the future.’ This might be that day.”
Fedor Indutny, a security researcher in Moscow, said he didn’t think his straightforward approach would lead to such sensitive information.
“I had no expectation of obtaining the key, because it doesn’t seem feasible at that time,” Indutny wrote in an e-mail. “Successfully extracting it was a big surprise for me!”
Attackers could go after more than just encryption keys.
Yahoo! Inc. found some of its data spilled onto the Internet after the Heartbleed discovery.
Mark Loman, chief executive officer of software maker SurfRight BV in the Netherlands, said the bug was trivial to exploit and easily made Yahoo’s servers cough up user names, passwords and other sensitive information. Loman posted some of it online in redacted form and alerted the company.
Yahoo said within 48 hours that it had fixed the problems on its main properties. “As soon as we became aware of the issue, we began working to fix it,” the Sunnyvale, California-based company said in an e-mailed statement April 9.
Yahoo said in an e-mailed statement yesterday that it has fixed the Heartbleed bug across all of its properties and declined to address specific questions about the gap between when the bug was disclosed and when the site was fixed.
There was a silver lining: security professionals contacted Loman for advice on how to exploit the bug on websites used by criminals.
“They were anxious to scrape accounts from web servers belonging to the cybercrime underground forums, to infiltrate the operations of cybercriminals,” Loman wrote in an e-mail. “Like Yahoo, the crooks hadn’t patched their Web servers.”
To contact the reporter on this story: Jordan Robertson in San Francisco at firstname.lastname@example.org