Why Heartbleed Causes Heartburn

Heartbleed and code

Why Heartbleed Causes Heartburn
| Published April 15, 2014 |

By R. Alan Clanton
Thursday Review editor

It was only a matter of time—very little time, in fact. Hackers worldwide have been using the recently exposed Heartbleed as a pathway for the theft of data from tens of thousands of locations.

Heartbleed is the catchy but sorrowful name for a computer vulnerability that was discovered earlier in April, and news of its existence hit the world’s mainstream media within hours. The bug, which affects primarily any website or server which uses the popular OpenSSL encryption tool, exploits a small breach which has gone (largely) undiscovered for the past two years. Heartbleed, if used methodically, will allow hackers to steal data in relatively small packets, and the kind of information which can be extracted may include usernames, account numbers, passwords and security Q&As.

Within hours of the announcement of the potential threat Heartbleed posed, many companies went to work retooling security and downloading fixes. But most computer experts warned of two problems: repairs and upgrades could take days, even weeks, while major companies like Cisco Systems and Google worked out the complexities of a fix; and because the vulnerability has gone undetected for so long, savvy hackers may have already stolen important information.

Now the fear is that smart hackers have, over the last week, engaged in a mass exploitation of websites and services that have not adequately closed the breach. This could include thousands, even tens of thousands, of online services and retailers worldwide.

Indeed, Chinese hackers apparently wasted no time looking for opportunities in the hours after Heartbleed was revealed. According to Bloomberg, a “honeypot” computer and server at the University of Michigan was attacked on April 8 by a computer in China known by authorities to have been used previously in major hacking incidents. A honeypot is a computer workstation or file server designed to engage in a sting operation—luring potential criminals by leaving certain elements of security or firewalls open, and making sure that it maintains the illusion that it contains mountains of potentially important data. Security experts and programmers can then study the way the hackers enter, and use that data to develop stronger codes.

The computer at the University of Michigan was already poised for just such an attack, and the fact that it only took hours for the Chinese hacker to exploit the breach—using the Heartbleed vulnerability—indicates how swiftly some hackers went into action worldwide.

Around the globe, computer security analysts and tech experts have watched as hackers from China, Russia, Belarus, Nigeria and other locations moved quickly to exploit the opening. Major companies like AOL, Amazon, Yahoo, Travelocity and Google began making repairs immediately, but the concern among some of the computer experts we spoke to was for the thousands of less tech savvy companies who may not act quickly. This could include banks, credit unions, retailers, vendors of cash register systems, small or medium-sized internet or email providers, and online retailers.

Worse, Heartbleed can also be used to steal encryption keys from secure websites. An encryption key is typically a very long sequence of numbers, letters and symbols. A hacker who succeeds in grabbing that sequence intact—from say an internet provider, a bank, a newspaper’s website, or a major web retailer—would have almost unlimited access to not only company data, but also the information about all of its users or customers. This could include addresses, social security numbers, passwords, cell phone numbers, even health information and account balances.

Heartbleed also leaves no trace. “It’s like a crime scene without any evidence of a crime,” one computer expert (who asked not to be identified for the purposes of this article) said to us in an email, “there’s no broken glass, no fingerprints, no cookie crumbs, no DNA…nothing.” Information could have been stolen weeks or months ago by smart hackers already aware of the scope of the bug.

The vulnerabilities created by Heartbleed extend beyond traditional computer users and laptop users, and reach as well into the realm of tablets, smartphones, virtual privacy networks (VPNs) and a variety apps operating on mobile and handheld devices. This has caused consternation among security experts at Cisco Systems, Juniper Networks, Google, Microsoft, Yahoo and Verizon. The breach can be exploited in a variety of ways, and hackers are almost certainly working around the clock to develop codes to make the opening even more useful—on an even larger scale. Yahoo, which was a few hours too late to close the breach last week, admits that the data of some Yahoo users may have flowed in large quantities from its servers between Tuesday and Wednesday.

Still, some companies are optimistic that their own fixes and repairs will close the gap before any additional data can be stolen. Other major internet players are more circumspect, suggesting that there are no easy fixes, and that the ripple effects from this particular bug could last for months, possibly years.

A major Heartbleed-tracking website has been developed called “Is The Internet Fixed Yet?” Its main page, answering its own semi-rhetorical question, says simply NO in a large font superimposed on the special logo created for Heartbleed.


Related Thursday Review articles:

Heartbleed: Good News, Bad News; R. Alan Clanton; Thursday Review; April 11, 2014.

How Bloody Will Heartbleed Be?; Thursday Review; April 9, 2014.