The world woke up on the 7th of April 2014 to a major security threat to the Internet as we know it, one already being touted as one of the biggest the Internet has ever seen. At first many thought it was the advent of a new soap opera, owing to its catchy name and very likeable logo; it took a few hours for most people to realise the harm done by this bug, which was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security. The bug that almost won the hearts of many actually made them bleed.
Officially referenced as CVE-2014-0160, the bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). Heartbleed is a tiny but serious flaw in the open-source OpenSSL library, which is used by many websites to encrypt communications between your computer and themselves. A heartbeat message carries a length field saying how long its payload is; the vulnerable code trusted that field without checking it against the amount of data actually received, so a server answering a malformed heartbeat replies with a longer string of data than it ought to. An attacker can pull up to about 64 KB of the server's working memory per request, and can repeat the request as often as they like, over a connection that is supposed to be secure. That memory can contain session cookies, passwords, email addresses or, worst of all, the private key that secures the entire connection. The flaw works in both directions: a malicious server can just as easily read memory from a vulnerable client.
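To make the flaw concrete, here is an added C model, written for this article and not taken from OpenSSL's source, of the heartbeat handling before and after the fix. The record layout follows RFC 6520; the handler names, the `build_fixture` helper and the pretend secret are constructed for the demonstration, and the two length checks in the fixed handler mirror the ones added in OpenSSL 1.0.1g. The malicious request claims a 64-byte payload but carries only 4 bytes, which is the same trick the free online checkers use.

```c
#include <string.h>

/* Illustrative model of OpenSSL's TLS heartbeat handling (RFC 6520), written for
 * this article, not OpenSSL source. Wire layout: type(1) | length(2, big-endian) | payload | padding(>=16) */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Pre-1.0.1g behaviour: the 16-bit length field in the attacker-controlled message
 * decides how many bytes are copied back; the bytes actually received (rec_len) are never consulted. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* ignored: that is the bug */
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];      /* n2s(p, payload) */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;               /* stands in for OPENSSL_malloc */
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8); *bp++ = (unsigned char)payload;
    memcpy(bp, p, payload);        /* over-read: copies whatever memory follows the real payload */
    memset(bp + payload, 0, HB_PADDING);            /* OpenSSL fills this with random bytes */
    return resp_len;
}

/* 1.0.1g behaviour: check the claimed length against the record actually
 * received and silently discard anything inconsistent. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > rec_len) return 0;     /* too short to be a heartbeat */
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* the missing check */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8); *bp++ = (unsigned char)payload;
    memcpy(bp, p, payload);                         /* now bounded by rec_len */
    memset(bp + payload, 0, HB_PADDING);
    return resp_len;
}

/* Constructed fixture: a request with 4 real payload bytes ("ping") plus 16 bytes of
 * padding (23 bytes on the wire), followed in the same array by a pretend secret. On a
 * real server the bytes after the record are whatever the heap holds: cookies, passwords, keys. */
#define SECRET   "SECRET_KEY_MATERIAL"
#define REAL_LEN (1 + 2 + 4 + HB_PADDING)

static size_t build_fixture(unsigned char *region, size_t cap, unsigned int claimed)
{
    memset(region, 0, cap);
    region[0] = TLS1_HB_REQUEST;
    region[1] = (unsigned char)(claimed >> 8);
    region[2] = (unsigned char)(claimed & 0xff);
    memcpy(region + 3, "ping", 4);
    memcpy(region + REAL_LEN, SECRET, sizeof SECRET - 1);
    return REAL_LEN;                                /* bytes that actually arrived */
}

static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

typedef size_t hb_handler(const unsigned char *, size_t, unsigned char *, size_t);

/* Runs one handler on the fixture with the given claimed length; returns the
 * response length and sets *leaked to 1 if the response contains the secret. */
size_t probe(hb_handler *h, unsigned int claimed, int *leaked)
{
    unsigned char region[128], out[256];
    size_t rec_len = build_fixture(region, sizeof region, claimed);
    size_t n = h(region, rec_len, out, sizeof out);
    *leaked = contains(out, n, SECRET);
    return n;
}

/* The three cases discussed in the text: lying request vs. old code, vs. fixed code, and an honest request. */
int vulnerable_leaks_secret(void) { int l; probe(heartbeat_vulnerable, 64, &l); return l; }
size_t fixed_response_len(void)   { int l; return probe(heartbeat_fixed, 64, &l); }
size_t honest_response_len(void)  { int l; return probe(heartbeat_fixed, 4, &l); }
```

`vulnerable_leaks_secret()` returns 1 because the 83-byte reply carries the bytes that sat behind the 4 real payload bytes; `fixed_response_len()` returns 0 because the patched handler drops the request; `honest_response_len()` returns 23, showing the fix does not break legitimate heartbeats. Note that the fixed code discards silently rather than sending an alert, as the real patch does, so an exploitation attempt leaves nothing in the TLS layer for the server to log; that is why you cannot tell after the fact whether a server was attacked.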
OpenSSL is the most popular open-source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. With that background, everyone is likely to have been affected either directly or indirectly: your favourite social site, your company's site, commerce sites, hobby sites, the sites you install software from and even sites run by your government might have been running vulnerable OpenSSL. The bug affected many popular websites and services, Gmail, Facebook, even the US Government, and many other social networks and email servers across the world, and could have quietly exposed sensitive account information (such as passwords and credit card numbers) over the roughly two years the vulnerable code had been in released versions of OpenSSL.
Heartbleed has sparked off many concerns and threats because of its unique nature. Bugs in a single piece of software or library come and go and are fixed by new versions. This bug, however, has left a large number of private keys and other secrets exposed to the Internet, and patching alone does not recover secrets that may already have leaked. Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace in server logs, this exposure should be taken seriously.
Here in Ghana
Here in Ghana it has sparked off the question of whether it is time for us to consider having an agency keep watch over our internet gateways. It was surprising that, since the discovery of the bug, no government agency (NITA, NCA etc.) came out to announce the threat, or even to advise or assure Ghanaians whether or not we have been hit by the bug and in what ways. It is unacceptable how lightly we take matters of data security in our part of the world, while Government, through various agencies (NHIS, Passport registry etc.), keeps collecting sensitive biometric and demographic data from the masses for databases that cannot guarantee a high level of security. We may not have been hit heavily as a country by the bug (though we may have been and are simply unaware for lack of a probing team), but moving ahead, Government needs to invest more expertise in research and in internet gateway keepers if we are truly serious about the internet.
In Canada the bug seriously hit the Canada Revenue Agency (CRA): 900 Canadians had their Social Insurance Numbers stolen from the CRA website as a result of Heartbleed. The Agency said it became aware of the breach while updating its systems to patch the vulnerability. The theft reportedly happened over a six-hour period after the flaw was publicly disclosed and before the Agency blocked public access to its online services on Wednesday 9 April to fix the bug.
So should you reset all your passwords? Many websites are suggesting people take time out to do just that. But there is little point in doing so unless you know for sure that your web service provider has patched the broken OpenSSL version and replaced its certificates: since the bug was announced, attackers have been testing just how good a data source the exploit is for stealing usernames, passwords and crypto keys, and a new password sent to an unpatched server is just as vulnerable as the old one. You can test whether a website's server is still vulnerable with one of the many free tools that have been created; one easy-to-use checker can be found at filippo.io/Heartbleed/. These tools work by sending the server a heartbeat request that lies about its payload length and seeing whether the reply comes back longer than it should. Bear in mind that a server's OpenSSL version string alone proves nothing either way, because several Linux distributions backported the fix into their existing package versions.
Above all, it is important that, as a web user, you:
- Change all your social media and cloud service passwords. The ones you need to change now are for: Facebook, Tumblr, Google (including Gmail), Yahoo (including Yahoo Mail), Amazon Web Services, Dropbox, SoundCloud etc.
- Change all your email passwords, especially for accounts that hold credit card or banking details.
- If you feel your credit card may have been exposed, contact your bank immediately.
- Wait for an official announcement regarding a security update from any secure website or service you normally use.
- After you have confirmed that the site or service has installed the security update (and, ideally, replaced its certificate), change your passwords.
- For at least the next week, keep an eye on your sensitive online accounts (banking, webmail) for suspicious activity.
NB: You will probably have to change your password twice: once immediately, and again when your service provider confirms that its OpenSSL upgrade has been completed.
If you are a system administrator running online servers
- Upgrade OpenSSL to 1.0.1g or later (or to your distribution's patched package) and restart every service that had the old library loaded; a patched library on disk does nothing for a process still running the old code.
- Regenerate all SSL/TLS private keys; any key that was in the memory of a vulnerable server must be assumed compromised.
- Get new certificates from your SSL vendor for the new keys and deploy them.
- Only then revoke ALL the old certificates, so your site is never left serving a revoked certificate.
- Invalidate existing sessions and cookies and ask your users to change their passwords once the new keys are in place.