Heartbleed Will Likely Not Go Away Soon
April 14, 2014

Heartbleed Issue Likely To Linger For Quite Some Time

Peter Suciu for redOrbit.com - Your Universe Online

Sixteen years ago it was almost impossible to escape Celine Dion's catchy – but to many annoying – song “My Heart Will Go On” – and today it is the Heartbleed that will likely go on. It has the potential to be not only annoying, but extremely dangerous.

Reports late last week and over the weekend also suggest that the National Security Agency not only knew about Heartbleed, a serious vulnerability in the popular OpenSSL cryptographic software library, but likely exploited it as well.

The Wall Street Journal reported on Monday morning that the NSA had compiled a list of software bugs and holes known as “zero days,” which the spy agency reportedly used to exploit and even gain access to secure networks before these were patched.

The paper added that in December a presidential advisory committee had recommended that the administration review its process in how to deal with such vulnerabilities. The report further urged the government – and agencies such as the NSA – not to subvert or undermine encryption standards or commercial software. However, the WSJ also noted that people familiar with the matter said the push to disclose and address such vulnerabilities was a major point of contention in the intelligence community. Yet the NSA said on Friday this was not the case.

“When Federal agencies discover a new vulnerability in commercial and open source software — a so-called ‘zero day’ vulnerability because the developers of the vulnerable software have had zero days to fix it — it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose,” National Security Council spokeswoman Caitlin Hayden said as reported by the WSJ. “Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”

As for Heartbleed it will likely go on, and James Lyne writing for Forbes on Monday explained some of the complexity with this particular vulnerability.

“This is a software defect (not a virus) and unfortunately there is, and likely never will be a state of 100% security. Humans make mistakes and technology is far from infallible,” Lyne wrote. “There are lots of tools and processes that would have turned up such a fault very quickly, yet it went unnoticed for an extended period of time and was adopted in to a staggeringly large number of places. Indeed, given the nature of the OpenSSL software (providing crypto services) and the very widespread use I would genuinely argue that this software should be on the ‘critical national infrastructure’ list for most nations around the world.”

ReadWriteWeb also offered a recap of the “myths” surrounding Heartbleed. Among the seven myths debunked is that the OpenSSL bug is not a virus, but rather “It’s a flaw, a simple coding error in the open-source encryption protocol used by many websites and other servers.”

Other myths of note include that it won’t only affect websites and that it could provide a security vulnerability to phones, laptops, and other devices that “jump online or connect to other networks,” and that these are at risk as well.

“Typically on the client, the memory is allocated just to that process that’s running. So you don’t necessarily get access to all the processes,” David Chartier, CEO of Codenomicon — the Finnish security firm that co-discovered Heartbleed — told ReadWrite. “[But] you can still leak contents of emails, documents and logins.”

However, the posting added that hackers probably can’t use it to remotely control a user’s phone, and that “Windows XP users are screwed because Microsoft abandoned them,” because the company does not use OpenSSL.

ReadWriteWeb added that no major banks are susceptible to Heartbleed but American Banker reported that the Federal Financial Institutions Examination Council did suggest financial institutions should incorporate patches on systems and services.

Just as the Dion song stuck around long past its welcome, so too could Heartbleed. On Monday CNET reported that Akamai, the network provider that handles nearly one-third of the Internet's traffic, had released a patch on Friday that should have protected from this web threat but it now appears the patch had a bug.

“Over the weekend, an independent security researcher contacted Akamai about some defects in the software we use for memory allocation around SSL keys,” Andy Ellis, chief security officer at Akamai posted late Sunday. “We discussed Friday how we believed this had provided our SSL keys with protection against Heartbleed and had contributed the code back to the community. The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for improving the openssl codebase."

“In short: we had a bug,” Ellis added.” An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others. In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p. These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement. As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability. Given any CRT value, it is possible to calculate all 6 critical values.”