April 18, 2014
Experts Say Patch Is Coming For Heartbleed: Attacks Continue
Peter Suciu for redOrbit.com - Your Universe Online
Since first being discovered last week the Heartbleed bug is being patched, but sites affected by the security flaw are reportedly finding that it is taking longer than anticipated. At the same time reports of attacks blamed on the bug have been increasing.
On Monday Reuters reported that Canada’s tax-collection agency had been a victim of a cyber attack that exploited the bug, and that private information of about 900 people had been compromised. The agency appeared to be the first to report that it was a victim of an attack that exploited a flaw in software known as OpenSSL, which is used on about two-thirds of websites to secure data as it travels throughout the Internet.
Time magazine reported on Friday that authorities in Canada also made what appeared to be the first arrest related to the Heartbleed encryption bug. A 19-year old alleged Heartbleed hacker named Stephen Arthuro Solis-Reyes was arrested by Canadian Mounties at his London, Ontario home this week.
Solis-Reyes may have been the first hacker to exploit the newly discovered bug, but he is far from the only one. The BBC also reported this week that Mumset, a leading UK site for parents with about 1.5 million registered members, was also apparently the victim of the security flaw. The BBC reported that cyber thieves may have obtained passwords and personal messages before it patched the site.
As the “clean up” begins some users may find the Internet to be sluggish at times. The severity of the bug’s damage has continued to mount, and now hundreds of thousands of websites may need to repair their encryption at the same time.
“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council, told the Washington Post this week. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”
While Google, Facebook, DropBox and other high profile sites have been patched, the BBC reported that there could be as many as 500,000 websites that could still be vulnerable. This could include a large number of systems associated with the Tor anonymizing network, which remain un-patched and thus highly vulnerable to an attack. This remains true 10 days after Tor noted that a problem was discovered via a blog post on April 7.
It could also get worse before it gets better.
“At this point experts are looking for ways to patch Heartbleed as soon as possible, before malicious actors heavily exploit it. Some advisories are telling organizations to ‘assume the worst has already happened,’ preparing teams to move to detection and post-breach response plans,” said cyber security specialist Mark Gazit, CEO of ThetaRay, via an email to redOrbit. “The immediate thought on everyone’s mind is that when there is a bug, there is a patch, and the first thing to do is apply it to stop the bleeding. Although this may appear to be a solution and a way of allaying the panic, applying patches to the many vulnerable platforms can take at least six to twelve months. Months will pass before vulnerable vendors, and all levels of end users, return to safe OpenSSL-dependent activity.
“Unfortunately, in the case at hand, while patching will offer some repair, the gloomy forecast is that Heartbleed will live on, well after patches are issued and applied,” Gazit added. “The bug is so far-reaching into internal networks, server communications, and products that were already shipped out to end users that it will take a very long time until it is completely fixed. While this process takes its course, the even more troubling thought on everybody’s mind is how malicious actors are planning to exploit this flaw and cause maximum damage while they still have the opportunity.”