Heartbleed, a newly discovered security flaw in the most widely used software for encrypting web traffic, is indeed a “big deal”, as Fairfax and, well, everyone is reporting. It’s a real problem that could affect every Australian’s everyday security online in ways we’re only beginning to understand. Yet our cybersecurity policies focus on esoteric threats like terrorist attacks. Wrong.
More formally known as CVE-2014-0160, its catalogue number in the database of software security vulnerabilities now sponsored by the United States Department of Homeland Security, Heartbleed is a flaw in software called OpenSSL, which is used to encrypt internet traffic — including, typically, the data flows between your computer and a secure website, or between the apps running on your smartphone and the remote computers that provide the services in question.
Without going into the technical details, this flaw could allow an attacker to essentially insert a probe into a server that’s running a vulnerable version of OpenSSL and suck out data that’s meant to be secure — including the private encryption keys and the digital certificates that are used to secure the data connections, usernames and passwords, the secure “cookies” used by internet banking servers or, indeed, anything else of interest — all without being detected.
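The "probe" described above, reduced to a constructed model added here (this is not OpenSSL's code and not from the article): a heartbeat record declares how many payload bytes to echo back, the pre-patch handler trusts that number, and the patched handler checks it against the record actually received. The memory layout, the `SESSION_COOKIE` string and the function names are all assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not OpenSSL source): a 64-byte slice of server memory.
 * A TLS heartbeat record occupies bytes 0..23 and a secret the client must
 * never see sits right after it. Record layout:
 * type(1) | payload_len(2, big-endian) | payload | 16 bytes padding. */
enum { HEAP_SIZE = 64, RECORD_LEN = 24, PAYLOAD_OFF = 3, PADDING = 16 };
static unsigned char heap[HEAP_SIZE];
static const char secret[] = "SESSION_COOKIE=4c2e";   /* constructed value */

/* Lay out a heartbeat request whose declared length may lie about the
 * 5-byte payload that is actually present. */
void build_heap(uint16_t claimed_len) {
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                                  /* heartbeat_request */
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + PAYLOAD_OFF, "hello", 5);
    memcpy(heap + RECORD_LEN, secret, sizeof secret);
}

/* Pre-patch behaviour: trust the length field and echo that many bytes.
 * rec must point at heap[0] in this model. Returns bytes copied into out. */
size_t vulnerable_heartbeat(const unsigned char *rec, unsigned char *out, size_t out_cap) {
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* Model-only guards so the demo stays inside its own arrays; the real
     * code had no equivalent and read straight past the record. */
    if (payload > out_cap) payload = out_cap;
    if (payload > HEAP_SIZE - PAYLOAD_OFF) payload = HEAP_SIZE - PAYLOAD_OFF;
    memcpy(out, rec + PAYLOAD_OFF, payload);
    return payload;
}

/* Patched behaviour: header + declared payload + padding must fit inside the
 * record actually received, otherwise the request is silently dropped.
 * Returns bytes copied, or 0 when the record is rejected. */
size_t patched_heartbeat(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    if (rec_len < PAYLOAD_OFF) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (PAYLOAD_OFF + payload + PADDING > rec_len) return 0;   /* the fix */
    if (payload > out_cap) return 0;
    memcpy(out, rec + PAYLOAD_OFF, payload);
    return payload;
}

/* Defender-side check: did a response carry the secret out of the process? */
int leaks_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}
```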
“Make no mistake about it. The OpenSSL Heartbleed security hole is as serious for internet security as a stage four cancer diagnosis would be for you,” wrote technology reporter Steven J Vaughan-Nichols. OpenSSL is used by default by the Apache and NGINX web servers, which between them run up to two-thirds of all “secure” websites on the internet.
The results of a scan of the world’s 10,000 most popular websites published at 3am AEST today revealed 1312 sites still vulnerable, including those of AirBnB, NASCAR, Gamespot, the Victorian state government and, ironically, that for OpenSSL itself.
Here in Australia, security consultancy Hacklabs reported that as of 9pm AEST yesterday, around 10% of ASX 200 companies’ websites were vulnerable. Hacklabs director Chris Gatford wrote:
“Some sites that were tested and found vulnerable earlier in the day appear to have been patched, which is great work by some busy sysadmins today.”
Using tools that hackers have put online, it’s easy to find plenty of vulnerable sites — including the website of CERT Australia, the very organisation that’s meant to co-ordinate information about threats to our digital infrastructure. Crikey understands that things are rather busy there today.
But it’s worse than that.
While Heartbleed was only publicly revealed this week — once the OpenSSL team had been given a chance to fix the problem and issue a new version of its software to major internet service providers — the flaw has existed since 2012. If anyone else had independently discovered the problem during that time — the US National Security Agency, say, or any number of intelligence agencies, or even criminal gangs — they could have sucked out those encryption keys and passwords and been happily decoding any of the now not-so-secure data. And we’d never know.
The researchers who discovered Heartbleed wrote:
“Bugs in a single software library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously.”
Which brings me to what I think is the real problem. Big internet service providers have the technical clue and resources to respond to problems like Heartbleed and advise their customers of the potential risks. But mid-rank and small to medium-sized players online will have little idea what Heartbleed even means, let alone how to deal with it.
Heartbleed is the internet equivalent to discovering that the front door locks on two-thirds of Australian businesses could have been opened with a pocket laser, without being detected, at any time in the past two years, because they all used the same internal mechanism. If that happened, we’d be seeing a recall program, advertising in mainstream media, perhaps a government-funded public awareness campaign, certainly front-page headlines and calls for assistance and for heads on spikes.
Imagine the kerfuffle if two-thirds of all cars could be stolen at some time in the future unless their owners took specific action this week.
If those sorts of things happened, the Attorney-General or maybe even the Prime Minister would be out there keeping us informed. After all, they’re always on about the threat of terrorism, even though, as I wrote after Deputy Opposition Leader Tanya Plibersek’s recent comments, terrorism is extremely rare. Heartbleed is a real security threat. So where are they today?