Saturday, 19 April 2014

Heartbleed Attack History...


Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. The vulnerability results from a missing bounds check in the handling of the TLS heartbeat extension, from which it takes its name.

A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug "catastrophic". Forbes cybersecurity columnist Joseph Steinberg wrote, "Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."

A United Kingdom Cabinet spokesman recommended that "People should take advice on changing passwords from the websites they use... Most websites have corrected the bug and are best placed to advise what action, if any, people need to take." On the day of disclosure, the Tor Project advised anyone seeking "strong anonymity or privacy on the Internet" to "stay away from the Internet entirely for the next few days while things settle."

Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug.


History.

The Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols is a proposed standard specified by RFC 6520, published in February 2012. It provides a way to test and keep alive secure communication links without the need to renegotiate the connection each time.

In 2011, Robin Seggelmann, then a Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL, his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson apparently failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into OpenSSL's source code repository on December 31, 2011. The vulnerable code was adopted into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable by default.

According to Mark J. Cox of OpenSSL, Neel Mehta of Google's security team reported Heartbleed on April 1, 2014. The bug entailed a severe memory handling error in the implementation of the Transport Layer Security Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat.
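The memory handling error described above, shown as an added example that is not code from the page or from OpenSSL itself: a simplified heartbeat handler in the pre-fix form, which trusts the peer-supplied payload length, beside one with the bounds check the fix introduced. It works entirely on a local buffer that stands in for process memory (`mem`, `SECRET`, `heartbeat_vulnerable`, `heartbeat_fixed` and `reply_leaks_secret` are this example's own names; no network is involved).

```c
#include <stdint.h>
#include <string.h>
/* Simplified RFC 6520 heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(16). */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16, MEM_SIZE = 4096 };

/* Constructed stand-in for process memory: the received record sits at the start of `mem`,
   and an unrelated secret happens to follow it, as neighbouring heap data would. */
static uint8_t mem[MEM_SIZE];
static uint8_t out[HB_HDR + 65535 + HB_PADDING];
static const char SECRET[] = "session=abc123;constructed";
typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *reply);

/* Vulnerable handler, modelled on the pre-fix logic: the peer-supplied length is read and
   that many bytes are copied into the reply without ever comparing it to the record length. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *reply) {
    (void)rec_len;                                      /* never consulted: the bug */
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    reply[0] = HB_RESPONSE; reply[1] = rec[1]; reply[2] = rec[2];
    memcpy(reply + HB_HDR, rec + HB_HDR, payload);      /* reads past the record */
    memset(reply + HB_HDR + payload, 0, HB_PADDING);    /* OpenSSL pads with random bytes */
    return HB_HDR + payload + HB_PADDING;
}

/* Fixed handler, modelled on the April 7, 2014 fix: a record too short to hold the claimed
   payload plus header and minimum padding is silently discarded (returns 0). */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *reply) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    if (HB_HDR + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the missing check */
    reply[0] = HB_RESPONSE; reply[1] = rec[1]; reply[2] = rec[2];
    memcpy(reply + HB_HDR, rec + HB_HDR, payload);
    memset(reply + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Builds a request whose header claims `claimed` payload bytes while only `real` are present
   (claimed <= MEM_SIZE - HB_HDR keeps the simulation itself in bounds), runs `handler`, and
   returns -1 if the record was discarded, 1 if the reply contains SECRET, 0 otherwise. */
int reply_leaks_secret(hb_handler handler, unsigned claimed, unsigned real) {
    memset(mem, 'A', MEM_SIZE); memset(out, 0, sizeof out);
    mem[0] = HB_REQUEST; mem[1] = claimed >> 8; mem[2] = claimed & 0xff;
    memset(mem + HB_HDR, 'P', real);
    memset(mem + HB_HDR + real, 'Q', HB_PADDING);
    size_t rec_len = HB_HDR + real + HB_PADDING;
    memcpy(mem + rec_len, SECRET, sizeof SECRET);       /* adjacent heap data */
    size_t n = handler(mem, rec_len, out);
    if (n == 0) return -1;
    return strstr((const char *)out + HB_HDR, SECRET) != NULL;
}
```

With a header claiming 1024 bytes on a 4-byte payload, the vulnerable handler's reply carries the neighbouring secret while the fixed handler discards the record; a well-formed 4-byte request is answered by both without leaking anything.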

The bug was named by an engineer at the firm Codenomicon, a Finnish cybersecurity company, which also created the bleeding heart logo, and launched the domain Heartbleed.com to explain the bug to the public. According to Codenomicon, Neel Mehta first reported the bug to OpenSSL, but both Google and Codenomicon discovered it independently. Codenomicon reports April 3 as their date of discovery of the bug and as their date of notification of NCSC-FI (formerly known as CERT-FI) for vulnerability coordination. Mehta also congratulated Codenomicon, without going into detail.

The Sydney Morning Herald published a timeline of the discovery on April 15, which shows that some of the organizations were able to patch against the bug before its public disclosure. In some cases, it is not clear how they found out.

On March 21, 2014 Bodo Moeller and Adam Langley of Google wrote a patch that fixed the bug. The date of the patch is known from Red Hat's issue tracker. The next chronological date available from the public evidence is the claim by performance and security company CloudFlare that they fixed the flaw on their systems on March 31, 2014.

On April 10, "Cisco Systems and Juniper Networks, two of the biggest creators of Internet equipment, announced on Thursday that their products had been affected by the Heartbleed bug. Routers, firewalls and switches ... have all likely been affected by the bug, leaving your personal information at risk of being stolen by hackers."

The Canada Revenue Agency reported the theft of Social Insurance Numbers belonging to 900 taxpayers, and stated that they were accessed through an exploit of the bug during a six-hour period on April 8. When the attack was discovered, the agency shut down its web site and extended the taxpayer filing deadline from April 30 to May 5. The agency said it would provide anyone affected with credit protection services at no cost. On April 16, the RCMP announced they had charged an engineering student in relation to the theft with "unauthorized use of a computer" and "mischief in relation to data".

In another incident, the UK parenting site Mumsnet had several user accounts hijacked, and its CEO was impersonated. The site published an explanation of the incident.

On April 12, at least two independent researchers were able to steal private keys using this attack from an experimental server intentionally set up for that purpose by CloudFlare.

A professor at the University of Michigan reported that attackers from China attempted to exploit Heartbleed on April 16, 2014 against honeypot systems set up for research purposes.


Claims of possible knowledge and exploitation prior to disclosure.

Many major web sites patched or disabled the bug within days of its announcement, but it is unclear whether potential attackers were aware of it earlier and to what extent it was exploited. Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement. Errata Security has partially rejected this hypothesis.

According to Bloomberg News, two unnamed insider sources informed it that the United States National Security Agency had been aware of the flaw since shortly after its introduction, but chose to keep it secret, instead of reporting it, in order to exploit it for its own purposes. The NSA has denied this claim, as has Richard A. Clarke. Clarke, who was part of an advisory panel that reviewed the United States' electronic surveillance policy, told Reuters on 11 April 2014 that the NSA had not known of Heartbleed.

Source: http://en.wikipedia.org
