Two-factor protects users from Mammoth bug’s sting
A programming gaffe in OpenSSL may well be the worst security malfunction in Internet history.
A quiet misstep in the coding of the OpenSSL heartbeat extension made encrypted data open to exploitation by hackers. Anyone can contribute to the open-source OpenSSL project, and a German computer programmer voluntarily working on the code says he accidentally added the vulnerability.
Security engineers at Codenomicon and a researcher at Google Security stumbled upon the Heartbleed bug, sending hundreds of thousands of websites scrambling to plug the privacy leak.
Heartbleed was a bug – that has since been fixed – in the OpenSSL software used on web servers worldwide. OpenSSL encrypts data sent from the server to web visitors. It includes a feature called a heartbeat, which sends some data back to the visitor’s browser to let it know the site is ready and waiting for requests.
In normal operation, the heartbeat sends the same amount of data that the browser received, like an echo. But the Heartbleed bug added a vulnerability that enabled a hacker to request more data to be returned in the heartbeat – up to 65,536 bytes from the server’s memory block.
What was included in the returned heartbeat data varied from server to server and session to session, but since it is simply grabbed from the server’s memory, it may have included elements a hacker could use such as usernames and passwords from recent visitors.
The flaw was born in December of 2011. The impacted version of OpenSSL was released a few months later, but it wasn’t until April of 2014 that the world found out about it.
While the private version of SSL is sold to companies, the open-source version is free and used by the majority of web services to encrypt traffic. “It showed that the underlying security of roughly half the sites on the Internet was broken,” says Joe Siegrist, CEO of the identity access management provider LastPass. “Not only was the security of the transport broken but data was potentially leaking from those affected sites.”
Heartbleed impacts a fundamental security layer of the Internet that creates a safe path between a user and a web service.
Thanks to Heartbleed, many sites presumed to have a secure connection because they display “https” in their URL haven’t been safe for the past two years. Passwords and other data could have been openly accessed and the thieves likely would have gone undetected.
Codenomicon quickly launched heartbleed.com to answer the public’s questions and supply updates about the bug, which Siegrist calls “mammoth.” He says it was scary enough that a lot of companies reacted leisurely to Heartbleed, but it should really wake up consumers who use the same password for multiple sites.
“It’s like reusing the same key for every lock and then taking a picture of that key and posting it on the Internet so that anybody can make a copy of it,” Siegrist says. “I’m hoping the lesson learned out of this is that you need to be using a password manager.”
The widespread scope of the bug may lead to greater use of multi-factor authentication, although Siegrist doubts it’ll be built into an abundance of sites going forward. “I think multi factor is critical for your password manager and potentially your email as well.”
But Siegrist says multi-factor authenication is tough on both the providers and the users.
“I see a lot more value in federating identity with somebody that is doing multi factor for the end user,” Siegrist says. “So you have a high degree of confidence that they are who they say they are without subjecting them to your own multi-factor.”
Why did it take two years?
“The Heartbleed breach has demonstrated that everything we thought was secret on the Internet is, in fact, not secret,” says Andre Boysen, executive vice president of marketing at identity provider SecureKey. “Heartbleed has lifted the veil on the security model of the Internet, and there’s been a collective gasp of disbelief.”
It became clear that bugs aren’t more likely to be exposed just because open source software falls under public scrutiny. Boysen thinks the problem wasn’t discovered right away because it can be difficult to see the consequences of how software interacts. Plus, other elements may have been compensating to help keep information private.
“The entire Internet is anchored in secret user ID’s and passwords,” Boysen adds. “What we’re seeing is that’s an utterly inadequate way to secure all of the private information that needs to travel over the Internet.”
Boysen explains that the bug shows how easy it is to copy passwords and leave no trace of the breach. There is no way to know how many thieves found the vulnerability and took advantage of it.
“All of us have seen how the sausage factory that is the Internet of security works, and it’s actually scary,” Boysen says. “We’ve got to move beyond secrets on the Internet.”
He thinks Heartbleed is going to galvanize the industry to make user access easier and stronger. That includes a renewed push toward multi-factor on the Internet and on devices that users commonly carry.
“So many users actually copy IDs and passwords across sites because that’s the only way they can manage,” says Boysen, who admits to having 300 user IDs and passwords. “But I am not going to configure 300 sites to use multi-factor authentication. That is a pain I would much rather not endure.”
For the ten services he frequents most, Boysen says he’d be willing to use multi-factor but the rest need to find a way to participate in a shared multi-factor scheme.
He says if multi-factor had been in place for more web services, the impact of Heartbleed would have been significantly curtailed. Private information would still have leaked out, but access to many accounts would have been harder to compromise.
Before any big change can happen, multi-factor has to overcome two problems. “One is that it’s a burden to the users,” Boysen explains. “The second is that the problem for me, the user, is that I don’t know who I’m giving this one-time password code to. So if there’s a man in the middle, an attack can be mounted.”
Boysen believes all web services should deploy multi-factor, either directly or with a partner, and they can do it in a way that avoids hassles for the users.
SecureKey envisions a future where Internet security operates the way credit cards do.
“I can take a single payment card, like a Visa card, and I can go to any merchant on the planet without any prior relationship and I can buy goods at that web service. By contrast, everywhere I go on the Internet, they say ‘here’s your user ID and password,’” Boysen says. “I am not going to download 300 multi-factor apps on my phone. So we think web service is going to be more like payments, where I’m going to choose my trusted provider.”
The provider would help users reach all of their online destinations.
“Like with my real wallet, if I want three credit cards, I can have three different providers to segregate my life if I want to do that. If you want to have eight, you can have eight,” Boysen adds. “We think that’s the way this model is going to merge to make multi-factor access easier for users and more trustworthy for web services without having to put multi-factor on every service on the Internet.”
A repaired version of OpenSSL has been released in the time since Heartbleed. Developers can also recompile the flawed version and remove the heartbeat extension.