Heartbleed Bug: OpenSSL nightmare becomes reality, everyone might be eavesdropping over the Internet
A serious security flaw affecting much of the Internet has been detected, and security experts warn administrators, website owners and users that private data may already have been compromised, or may be compromised in the future, if it is left unattended.
The bug has been dubbed the Heartbleed Bug and lies in the popular OpenSSL cryptographic software library. That library provides privacy and security for millions of companies, including Google, Facebook and Twitter, across applications such as instant messaging, email, the web and virtual private networks. Because of the bug, anyone on the Internet can read the memory of systems running vulnerable versions of the OpenSSL software.
"This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users," the Codenomicon Defensics team, a research and security firm, said in a blog post.
Google's security team discovered and reported the bug to the OpenSSL team, which in turn immediately issued a security advisory on April 7.
"Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix," the advisory said.
Codenomicon's security engineers discovered it independently while improving the SafeGuard feature in the company's security testing tools. The company then reported the bug to NCSC-FI for vulnerability coordination and reporting, as well as to the OpenSSL team.
To test the extent and danger of the bug, Codenomicon attacked some of its own services and examined the result from an attacker's perspective.
"Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication," the security company said.
Codenomicon found that exploiting the bug left no trace of anything abnormal, which should be cause for great worry. It advised affected service providers to treat this as an opportunity to strengthen the secret keys they use. It also pointed out that cyber criminals' infrastructure and secrets have been exposed as well.
Codenomicon said the flaw was introduced into OpenSSL in December 2011 and has been in the wild since the release of OpenSSL 1.0.1 on March 14, 2012. It was publicly disclosed only on Monday, April 7, 2014, when OpenSSL 1.0.1g was released with the fix.
This leaves everyone wondering whether, and since when, attackers have already been exploiting the flaw in the period since 2011.
Ty Miller of Threat Intelligence, an Australian security firm, said there is no guarantee the vulnerability has not already been exploited, so he has decided to purchase a new encryption certificate for his firm's website. He added that it could already have been exploited by organizations such as the U.S. National Security Agency (NSA).
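The practical first step for an administrator reading the above is to find which hosts run an affected OpenSSL build. The following is an added example, not code from the article, Codenomicon or the OpenSSL project: it parses the version banner that `openssl version` prints and flags the range the article names, OpenSSL 1.0.1 up to but not including the fixed 1.0.1g. It also flags the 1.0.2-beta1 pre-release, which carried the same code (a fact from the OpenSSL advisory, not stated on this page). The host inventory is constructed sample data, and the function and host names are the example's own.

```python
import re

# The fix shipped in 1.0.1g, so every 1.0.1 letter release before "g" is affected
# (1.0.1 itself has an empty letter and sorts before "g").
FIX_LETTER = "g"

# Matches banners such as "OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1e-fips 11 Feb 2013"
# and "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-([a-z0-9]+))?(?:\s.*)?$"
)


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, suffix) from an 'openssl version' banner."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letter, suffix = m.groups()
    return int(major), int(minor), int(fix), letter, (suffix or "")


def is_heartbleed_affected(banner):
    """True when the banner describes a build in the affected range."""
    major, minor, fix, letter, suffix = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 through 1.0.1f are affected; 1.0.1g and later carry the fix.
        return letter < FIX_LETTER
    if (major, minor, fix) == (1, 0, 2) and suffix == "beta1":
        # Fact beyond the article: 1.0.2-beta1 had the same defect; beta2 fixed it.
        return True
    # The 0.9.8 and 1.0.0 branches predate the affected code and are not in range.
    return False


def affected_hosts(inventory):
    """Given {host: banner}, return the sorted list of hosts that need patching."""
    return sorted(host for host, banner in inventory.items() if is_heartbleed_affected(banner))


# Constructed sample inventory, as an agent or SSH sweep might collect it.
SAMPLE_INVENTORY = {
    "web-01.example.test": "OpenSSL 1.0.1f 6 Jan 2014",
    "web-02.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.test": "OpenSSL 1.0.0k 5 Feb 2013",
    "fips.example.test": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "staging.example.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to 1.0.1g or later and reissue keys")
```

A version check only tells you which hosts to patch; because the article notes that exploitation leaves no trace in logs, every host this flags should also have its private keys and certificates replaced after the upgrade, and users' passwords reset, rather than assuming the keys were never read.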
"If the NSA had their hands on this, they have had two years to basically pull data out of every SSL-protected website or service, which gives them a pretty good chance of gaining access to a whole bunch of encrypted keys, usernames and passwords," he said.
Nik Cubrilovic, an independent Australian security consultant, also revealed that Amazon Web Services runs a vulnerable version of OpenSSL, which in turn exposes any company built on it, including Adobe, LinkedIn, Netflix, Fairfax Media, News Corporation and Suncorp.
At least 117,000 web servers, excluding mail servers, have been running vulnerable versions of OpenSSL, according to data from the hacker search engine Shodan.