Apr 9, 2014

Heartbleed reveals a big hole in Australia’s cybersecurity strategy

Now this is a fair dinkum threat to internet security: the Heartbleed bug threatens to impact thousands of websites and the everyday security of internet users. Smaller web users are most vulnerable.

Stilgherrian — Technology writer and broadcaster


Technology writer and broadcaster

Heartbleed, a newly discovered security flaw in the most widely used software for encrypting web traffic, is indeed a "big deal", as Fairfax and, well, everyone is reporting. It's a real problem that could affect every Australian's everyday security online in ways we're only beginning to understand. Yet our cybersecurity policies focus on esoteric threats like terrorist attacks. Wrong. More formally known as CVE-2014-0160, its catalogue number in the database of software security vulnerabilities now sponsored by the United States Department of Homeland Security, Heartbleed is a flaw in software called OpenSSL, which is used to encrypt internet traffic -- including, typically, the data flows between your computer and a secure website, or between the apps running on your smartphone and the remote computers that provide the services in question. Without going into the technical details, this flaw could allow an attacker to essentially insert a probe into a server that's running a vulnerable version of OpenSSL and suck out data that's meant to be secure -- including the private encryption keys and the digital certificates that are used to secure the data connections, usernames and passwords, the secure "cookies" used by internet banking servers or, indeed, anything else of interest -- all without being detected. "Make no mistake about it. The OpenSSL Heartbleed security hole is as serious for internet security as a stage four cancer diagnosis would be for you," wrote technology reporter Steven J Vaughan-Nichols. OpenSSL is used by default by the Apache and NGINX web servers, which between them run up to two-thirds of all "secure" websites on the internet. The results of a scan of the world's 10,000 most popular websites published at 3am AEST today revealed 1312 sites still vulnerable, including those of AirBnB, NASCAR, Gamespot, the Victorian state government and, ironically, that for OpenSSL itself. Here in Australia, security consultancy Hacklabs reported that as of 9pm AEST yesterday, around 10% of ASX 200 companies' websites were vulnerable. Hacklabs director Chris Gatford wrote:
"Some sites that were tested and found vulnerable earlier in the day appear to have been patched, which is great work by some busy sysadmins today."
Using tools that hackers have put online, it's easy to find plenty of vulnerable sites -- including the website of CERT Australia, the very organisation that's meant to co-ordinate information about threats to our digital infrastructure. Crikey understands that things are rather busy there today. But it's worse than that. While Heartbleed was only publicly revealed this week -- once the OpenSSL team had been given a chance to fix the problem and issue a new version of its software to major internet service providers -- the flaw has existed since 2012. If anyone else had independently discovered the problem during that time -- the US National Security Agency, say, or any number of intelligence agencies, or even criminal gangs -- they could have sucked out those encryption keys and passwords and been happily decoding any of the now not-so-secure data. And we'd never know. The researchers who discovered Heartbleed wrote:
"Bugs in single software or library come and go and are fixed by new versions. However, this bug has left large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously."
Which brings me to what I think is the real problem. Big internet service providers have the technical clue and resources to respond to problems like Heartbleed and advise their customers of the potential risks. But mid-rank and small to medium-sized players online will have little idea what Heartbleed even means, let alone how to deal with it. Heartbleed is the internet equivalent to discovering that the front door locks on two-thirds of Australian businesses could have been opened with a pocket laser, without being detected, at any time in the past two years, because they all used the same internal mechanism. If that happened, we'd be seeing a recall program, advertising in mainstream media, perhaps a government-funded public awareness campaign, certainly front-page headlines and calls for assistance and for heads on spikes. Imagine the kerfuffle if two-thirds of all cars could be stolen at some time in the future unless their owners took specific action this week. If those sorts of things happened, the Attorney-General or maybe even the Prime Minister would be out there keeping us informed. After all, they're always on about the threat of terrorism, even though, as I wrote after Deputy Opposition Leader Tanya Plibersek's recent comments, terrorism is extremely rare. Heartbleed is a real security threat. So where are they today?

Free Trial

You've hit members-only content.

Sign up for a FREE 21-day trial to keep reading and get the best of Crikey straight to your inbox

By starting a free trial, you agree to accept Crikey’s terms and conditions


Leave a comment

10 thoughts on “Heartbleed reveals a big hole in Australia’s cybersecurity strategy

  1. paddy

    It’s one scary situation.
    I noticed that The Mail Online (along with some much more reliable sources) had noted that the Commonwealth Bank of Australia was one of the vulnerable sites.
    I rang them this morning and attempted to find out if they’d patched their servers.
    Got no sense out of the frontline staff and asked to speak to the IT dept.
    No joy there either. (I guess they were *extremely* busy!)

    At this stage, I’m wondering if it’s worth changing my password? I’d certainly like to know that the bank’s patched it’s systems before I bother.
    (My acct has not been tampered with….yet.)

  2. gdt

    Heartbleed is the internet equivalent to discovering that the front door locks on two-thirds of Australian businesses could have been opened

    It took Lockwood a long time to add key bumping counter-measures to their 001 deadlatch, so don’t press that analogy too hard or you might just find that the government has no real care for the security of the populace, online or otherwise.

    As for the bug, being able to pull out 64KB of memory adjacent to the certificate is a shocker, especially given the usual “start SSL, then ask for password” flow of execution of many websites.

    Where the government would be useful is in bringing pressure to bear on embedded systems manufacturers. Have you seen even one update for a DSL router yet? Maybe the ACCC can apply pressure via the “merchantable quality” requirements or maybe the government needs to legislate. But if you asked which platforms would still be vulnerable to the bug in a year’s time then most of them will be embedded systems.

    I am not sure what I think about small business and computer security. There’s certainly a major issue there. But it’s not just bugs appearing out of the blue which defeats them. No business should be running Windows Xp today, but as I look around…

    It’s also interesting to explore the use of the bug to create a business opportunity, complete with nice promotional website.

  3. Chris Hartwell

    Far worse @gdt – no government, nor arm of it, should still be running WinXP. Alas…

  4. paddy

    Interesting podcast from Leo Laport & Steve Gibson on Heartbleed here.

  5. ggm

    Not wanting to minimize the risk, as I understand it, the hole has been shown to reveal some data. But only potentially to reveal the big risk data. So, an awful lot of COULD and MAY and POTENTIALLY has to be put back into some of the sentences.

    yes, it shares plaintext memory state across the network link. But, I haven’t yet seen a write up confirming this actually did share the plaintext/binary of the private SSL key of a server.

    the yahoo password/username leak is of course bad. But the ‘reissue your server cert’ thing is mostly (as I have read it) about POTENTIAL risk of keyloss. not actual, confirmed keyloss. I haven’t seen the private key of a server published online anywhere yet. I have seen claims and counterclaims about this. Some say they got their own X509 data. Google says they saw stale buffers only. Perhaps because Google runs popular sites the buffer leak is overwritten rapidly, on a quiet server, more data is preserved

  6. Simon Mansfield

    Just to give some perspective – it took me less than 30 second to fix each at risk server this morning.

    login as root
    at prompt type: yum update openssl
    then enter: “y” to accept update
    then enter: service httpd restart

    Compared to last months root compromise and last years php/mysql hijack and X-rated Trojan download – which both required a full OS reload and a whole host of follow on problems to fix – this was the easiest server security issue to deal with in a long time. As best of all – it did not cause any downtime or cost any money to fix.

    But yes, the 3 dollar starter kit for the Anon script kiddies that BK all to often lauds as tomorrow’s heroes – is going to be a hot seller in the coming days.

  7. Jimmy Harris

    @Paddy – I checked CBA this morning and they had been patched (at least the online URL I get sent to) according to http://filippo.io/Heartbleed/#www1.my.commbank.com.au.

  8. @chrispydog

    Where are they indeed?

    Risk perception is played like a Strad by our political overlords, who are themselves played for mugs by the spook class.

    We end up paying our taxes into this bottomless pit as it methodically hoovers up our privacy.

    At least the bad hackers don’t pretend to be ‘keep you safe’!

  9. @chrispydog


  10. Richard Frost

    In regards to ComBank they have said they have patched the bug and no customers were at risk – but by admitting to have patched the bug means they were exposed – so that would mean all customers now need to change their passwords. I would like to see ComBank take this abit more seriously and be more frank to the public about how exposed they were if they had to patch it – did they have an old OpenSSL version that was safe or a newer one that was broken? Their customers need to know.. Have a look at the comments in their response to their security alert here – its just a constant copy/paste of a PR mantra with no response to the questions being asked: https://www.commbank.com.au/blog/what-you-need-to-know-about-heartbleed.html

Share this article with a friend

Just fill out the fields below and we'll send your friend a link to this article along with a message from you.

Your details

Your friend's details