Heartbleed bug: scale and danger still unknown

Mumsnet is among the first websites to come forward and say user information has been hacked as a result of the Heartbleed bug, while the Canada Revenue Agency has revealed the social insurance numbers of around 900 taxpayers were removed from the system because of the vulnerability.

Heartbleed.com (CC0 1.0)

Potentially two thirds of websites have been affected by the Heartbleed bug, which leaves users of these sites vulnerable to having sensitive information stolen, such as private keys, usernames and passwords, or the contents of encrypted traffic.

The Heartbleed bug affects systems that use OpenSSL versions 1.0.1 through 1.0.1f. It was discovered by security engineers at Codenomicon and Google Security in April and had gone undetected for two years.
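As an added example that is not part of the article, the following Python check classifies `openssl version` style strings against the 1.0.1 to 1.0.1f range stated above and lists which hosts in an inventory need a closer look; the hostnames and version strings are constructed. Several Linux distributions backported the fix without changing the version string, so a match here means "investigate", not "confirmed vulnerable".

```python
import re

# Affected range as stated in the article: OpenSSL 1.0.1 up to and including 1.0.1f.
VULNERABLE_BRANCH = (1, 0, 1)
LAST_VULNERABLE_LETTER = "f"

# Matches "1.0.1e", "1.0.1" or "0.9.8y" inside output such as
# "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) parsed from an 'openssl version'
    style string; letter is '' when the release has no suffix."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % (text,))
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_range(text):
    """True when the version lies in 1.0.1 .. 1.0.1f inclusive.
    Only the 1.0.1 branch is in scope; 1.0.0 and 0.9.8 are outside it."""
    major, minor, fix, letter = parse_openssl_version(text)
    if (major, minor, fix) != VULNERABLE_BRANCH:
        return False
    # '' (plain 1.0.1) sorts before 'a', and 'f' is the last affected letter.
    return letter <= LAST_VULNERABLE_LETTER


def triage(inventory):
    """Given {host: version string}, return the sorted list of hosts whose
    version string falls in the affected range and so need a closer look."""
    return sorted(h for h, v in inventory.items() if is_heartbleed_range(v))


# Constructed sample inventory (hostnames and strings are made up for this example).
SAMPLE_INVENTORY = {
    "web-01.example": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01.example": "OpenSSL 1.0.1 14 Mar 2012",
    "mail-01.example": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy.example": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("check %s: %s" % (host, SAMPLE_INVENTORY[host]))
```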

Popular websites such as Facebook and Yahoo have been impacted. Both have since announced patches to fix the problem. Millions of smartphones running Google’s Android 4.1.1 could also be affected by the bug. Google has been issuing patching information to its partners.

The issue has affected websites globally. In the U.S., the Federal Financial Institutions Examination Council (FFIEC) issued a notice saying it was addressing the vulnerability.

Jason Steer, director of Technology Strategy at FireEye, says: “The impact of this may take weeks or even months to really play out fully, and many organisations will be doing OpenSSL checks for months and years to come. It just goes to show that, despite all the testing, documentation and code checks, things get missed. What other surprises are there in software and hardware?

“OpenSSL is so ubiquitous today that it is hard to think of where it is not used for secure transmission of information and software updates. OpenSSL is found in so many things: virtual private networks, email encryption, instant messaging, Voice over Internet Protocol (VoIP) and many others.”

Not everyone, however, thinks hacking has been widespread. David Rawle, chief technology officer at Bytes Security Partnerships, says: “If there had been mass targeting of usernames and passwords because of this vulnerability, it would have been spotted a lot sooner.”

Steven Murdoch, researcher in the Security Group at the University of Cambridge, says: “The attacker does not get to choose what it gets, and it is a bit unpredictable what it is going to get. But it is going to be in memory which was previously used by the same program that was using OpenSSL.”

The advice security companies have been giving to those impacted by the bug is to change your password only once you receive confirmation from the affected company that its system has been fixed. Rawle says: “If you change your password for something that has not yet been fixed, tomorrow someone could take your password and use that. Particularly now this vulnerability is known, the number of people who will be trying to utilise it to get data will be going through the roof.

“I would advise people to go to the site directly and be happy that they have changed their system before you change your password.

“If any of the companies you are using give you the choice of doing two factors of identification, take this as an opportunity to turn it on.”

The OpenSSL Project is managed by a worldwide community of volunteers, and the Heartbleed bug raises the question of whether enough money is being invested in a project that underpins such a vast number of websites.

Daniel Page, lecturer at the University of Bristol, says: “These sorts of things are occurring with a greater frequency. With OpenSSL itself, you could argue there should be more investment in that project in particular, because it is so important. There should be more investment in expertise on a national level to cope with these things.”

A 19-year-old Canadian has since been arrested in connection with the theft of social insurance numbers from the Canada Revenue Agency.