How much damage did Heartbleed do?

  • Posted on: May 7, 2014
  • Posted in: Current News, Cybercrime, Data Privacy, Encryption, Industry News, Internet Protection, Internet Safety, Mobility, Privacy, Privacy & Policy, Vulnerabilities & Exploits, Web Threats
  • Posted by: Trend Micro

The Heartbleed vulnerability in the OpenSSL cryptographic library has dominated cybersecurity news in recent weeks, eclipsing even the much hyped retirement of Microsoft Windows XP. OpenSSL, an open source project staffed by only 10 individuals and run on a limited budget, is used to secure millions of servers, ensuring the integrity of email, e-commerce, online banking and other properties, in many cases for multi-billion dollar companies. Heartbleed obviously has wide-reaching implications, not only for the integrity of the Web, but also for mobile apps – but how much damage did it actually do prior to its discovery and patching?

Heartbleed: A brief refresher
Heartbleed takes advantage of an extension that was added to OpenSSL in December 2011. Called Heartbeat, this feature is meant to extend the life of TLS sessions through a series of verification mechanisms, or heartbeat messages. Properly implemented, Heartbeat should conserve network resources by reducing the need for session renegotiation.

However, Heartbleed enables leaks from servers using Heartbeat. An attacker can read 64KB of server memory at a time, without the action being logged by the server, and ultimately obtain information that was supposed to have been safe from prying eyes.
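The leak described above comes down to a responder trusting the length field inside the heartbeat message instead of the number of bytes actually received. The following is an added, simplified C example (not OpenSSL's code) of a heartbeat responder that applies the missing bounds check, run against a constructed honest request and a constructed request whose length field claims far more payload than is on the wire:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520), as carried inside a TLS record:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Simplified example for illustration; not OpenSSL's implementation. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Validate a heartbeat request and build the response into out.
 * Returns the number of response bytes written, or -1 if the request is rejected.
 * The essential check: the peer-supplied payload_length must fit inside the bytes
 * actually received (rec_len). Copying payload_length bytes without this check is
 * the Heartbleed defect, which returned up to 64KB of adjacent process memory. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    /* A well-formed message has at least type + length fields + minimum padding. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The fix: header + claimed payload + padding must lie within the record. */
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* echo only bytes that exist */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING); /* fresh padding, never old memory */
    return (int)resp_len;
}

/* Constructed sample records. Both carry a 4-byte payload "ping" plus 16 bytes of padding. */
/* Honest request: length field 0x0004 matches the 4 payload bytes present. */
static const uint8_t honest_req[1 + 2 + 4 + 16]    = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
/* Malformed request: identical bytes on the wire, but the length field claims 0xFFFF (65535). */
static const uint8_t malformed_req[1 + 2 + 4 + 16] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

int demo_honest(void)    { uint8_t out[64]; return heartbeat_respond(honest_req, sizeof honest_req, out, sizeof out); }
int demo_malformed(void) { uint8_t out[64]; return heartbeat_respond(malformed_req, sizeof malformed_req, out, sizeof out); }
```

The honest request yields a 23-byte response echoing "ping"; the malformed one is silently discarded, which is also the condition (claimed length exceeding record length) that network detection rules for Heartbleed keyed on.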

"This small chunk of memory could contain user-critical personal information – private keys, usernames, passwords (in cleartext in a lot of cases), credit card information and confidential documents for example," explained Pawan Kinger, Trend Micro director of Deep Security Labs. "The attacker could request this chunk again and again in order to get as much information as they want – and this bug could be exploited by anyone on the Internet, anywhere."

The scope and severity of Heartbleed were debated in the days following its discovery in early April. In an April 11 blog post, CloudFlare's Nick Sullivan stated that, while not impossible, it would be extremely difficult for anyone to make off with a server's private keys by way of Heartbleed. CloudFlare soon issued a challenge to the cybersecurity community, asking them to sniff out the keys from a demo server. A contributor to the Node.js framework successfully pulled it off, while a Cambridge University Ph.D. candidate similarly proved that he could recover RSA private keys.

For end users, the tangible impact of Heartbleed's discovery has been the call to reset all Internet passwords, so as to be safe in the event that someone fished out a working one via a server leak. Private key theft, though, is the worst-case scenario: in the absence of perfect forward secrecy, the attacker could decrypt all previously captured traffic and conduct ongoing man-in-the-middle attacks against all future sessions.

How damaging was Heartbleed?
Heartbleed affects only a few versions of OpenSSL, yet it has spurred widespread action from Web companies reliant on at-risk servers. A Trend Micro scan of selected top-level domains around the world found that 5 percent of them were vulnerable to Heartbleed, consisting mostly of .kr and .jp domains.

Assessments from other security firms have returned similar results, with a small number of prominent Web properties still in danger. Most have patched their vulnerabilities, however. Targets such as Google, Facebook and Tumblr have done so, while still advising users to change their passwords.

The issue also extends to mobile devices. Android apps, for instance, may connect to servers that could be affected by Heartbleed. While they are not dedicated browsing tools such as Google Chrome or Apple Safari, some of these apps have their own internal browsers, blurring the line between mobile software and the Web. That risk is worth noting, not just for the OpenSSL exploit but for future considerations about overall Internet security.

In early April, Trend Micro looked at almost 400,000 apps in Google Play, finding that 1,300 of them connected to at-risk servers. Examples spanned categories such as banking, shopping and payments. The bundled OpenSSL library in Android 4.1.1 was also initially found to be susceptible to Heartbleed, opening up the possibility of an attack on client devices from the server side.

Looking ahead: Heartbleed, the Internet of Everything and the inevitability of software bugs
These weaknesses are all addressable, and the speed with which companies and security experts have acted has been encouraging. Still, the community will have to stay on its toes to protect the emerging Internet of Everything from this OpenSSL bug and future ones.

Underscoring the risk, Berkeley computer scientist Nicholas Weaver recently stated that Western Digital's My Cloud appliance is just one example of the wide variety of endpoints vulnerable to the OpenSSL flaw. Others include printers, video conferencing systems, routers and storage servers. The scale of the threat is daunting, but keeping firmware and software up to date can mitigate much of the risk.

"If they don't auto-update, things will be bad bad bad," Weaver told Wired. "If they do auto-update, things will resolve themselves."

At the end of the day, bugs such as Heartbleed are unfortunately inevitable, even with many trained eyes looking at the code in question. Writing for Slate, software engineer David Auerbach explained that the flaw in OpenSSL was due to an all-too-common issue in the C programming language, with the faulty code contributed by someone who was not part of the project's official staff. He wished that the library could be rewritten in a more secure language, while noting that such a move is unrealistic at this time.

"[U]nknown bugs are a reality, not a hypothetical, and a large part of the work of any security engineer is in minimizing the possibility of them happening," argued Auerbach. "Heartbleed was unusually widespread and unusually severe, but it is hardly one of a kind."

Moreover, Heartbleed is an opportunity to recalibrate the security community's approach and devote more attention to policing widely used open source libraries. After all, Heartbleed follows close on the heels of the GnuTLS exploit. Educating users on password security best practices and the urgency of applying updates automatically (or as soon as possible) will be instrumental in minimizing the impact of Heartbleed and its successors.
