Cyberwars: The Heartbleed Bug and Web Security

A little over two years ago, a tiny piece of code was introduced to the internet that contained a bug. This bug was known as Heartbleed, and in the two years it has taken for the world to recognize its existence, it has caused quite a few headaches. In addition to allowing cybercriminals to steal passwords and usernames from Yahoo, it has also allowed people to steal from online bank accounts, infiltrate government institutions (such as Revenue Canada), and generally undermine confidence in the internet.

What’s more, in an age of cyberwarfare and domestic surveillance, its appearance would give conspiracy theorists a field day. And since it was first disclosed a month to the day ago, some rather interesting theories as to how the NSA and China have been exploiting this to spy on people have surfaced. But more on that later. First off, some explanation as to what Heartbleed is, where it came from, and how people can protect themselves from it, seems in order.

First off, Heartbleed is not a virus or a type of malware in the traditional sense, though it can be exploited by malware and cybercriminals to achieve similar results. Basically, it is a security bug or programming error in popular versions of OpenSSL, a software library that encrypts and protects the privacy of your password, banking information and any other sensitive data you provide in the course of checking your email or doing a little online banking.

Though it was only made public a month ago, the origins of the bug go back just over two years – to New Year’s Eve 2011, to be exact. It was at this time that Stephen Henson, one of the collaborators on the OpenSSL Project, received the code from Robin Seggelmann – a respected academic who’s an expert in internet protocols. Henson reviewed the code – an update for the OpenSSL internet security protocol — and by the time he and his colleagues were ringing in the New Year, he had added it to a software repository used by sites across the web.

What’s interesting about the bug, which is named for the “heartbeat” part of the code that it affects, is that it is not a virus or piece of malware in the traditional sense. What it does is allow people to read the memory of systems running the bug-affected code, which accounts for two-thirds of the internet. That way, cybercriminals can get the keys they need to decode and read the encrypted data they want.
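To make the “read the memory” part concrete, here is an added example that is not OpenSSL’s code and not from the original post: a deliberately simplified model of a heartbeat handler. A heartbeat request carries a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding; the flawed handler trusts the length field and copies that many bytes back, so a request that claims more payload than it sent causes bytes from adjacent memory to be echoed. The hardened version applies the same check as the published fix: the advertised length plus header and padding must fit inside the record actually received. All function names, constants and the “secret” bytes are assumptions constructed for the demonstration, and the memory image is a single flat array so the over-read stays inside one allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout from RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_HDR_LEN   3
#define HB_PAD_LEN   16
#define HB_REQUEST   1

#define RECORD_LEN   24   /* constructed record: 3 header + 5 payload + 16 padding */
#define SECRET_LEN   32   /* constructed stand-in for keys/passwords lying next to it */

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Model of the defect: the length field in the request is trusted and that many
 * bytes are copied into the response, regardless of how many bytes actually
 * arrived. Returns the number of payload bytes echoed. */
int heartbeat_echo_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                              /* never consulted: this is the bug */
    uint16_t claimed = read_be16(rec + 1);
    if (claimed > out_cap) return -1;           /* only protects the caller's buffer */
    memcpy(out, rec + HB_HDR_LEN, claimed);     /* over-reads past the real record */
    return claimed;
}

/* Hardened handler: the advertised payload plus header and minimum padding must
 * fit inside the bytes actually received, otherwise the request is discarded. */
int heartbeat_echo_hardened(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN + HB_PAD_LEN) return -1;   /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t claimed = read_be16(rec + 1);
    if ((size_t)HB_HDR_LEN + claimed + HB_PAD_LEN > rec_len) return -1;  /* the missing check */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, claimed);
    return claimed;
}

/* Constructed memory image: a record whose header advertises claimed_len bytes
 * but which really carries the 5-byte payload "hello", immediately followed by
 * SECRET_LEN bytes that must never reach a peer. */
static void build_memory(uint8_t *mem, uint16_t claimed_len) {
    memset(mem, 0, RECORD_LEN + SECRET_LEN);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + HB_HDR_LEN, "hello", 5);
    /* mem[8..23] stays zero: the 16 bytes of padding */
    for (int i = 0; i < SECRET_LEN; i++) mem[RECORD_LEN + i] = (uint8_t)(0xA0 + i);
}

/* Number of bytes of the adjacent secret that the flawed handler echoes when the
 * request claims 40 payload bytes but only 5 were sent. */
int leaked_secret_bytes_vulnerable(void) {
    uint8_t mem[RECORD_LEN + SECRET_LEN];
    uint8_t out[64];
    build_memory(mem, 40);
    int n = heartbeat_echo_vulnerable(mem, RECORD_LEN, out, sizeof out);
    if (n < 0) return 0;
    int from_record = RECORD_LEN - HB_HDR_LEN;   /* 21 bytes legitimately come from the record */
    int from_secret = n - from_record;
    if (from_secret <= 0) return 0;
    return memcmp(out + from_record, mem + RECORD_LEN, (size_t)from_secret) == 0 ? from_secret : -1;
}

/* The same lying request against the hardened handler: expected to be rejected. */
int hardened_result_for_lying_request(void) {
    uint8_t mem[RECORD_LEN + SECRET_LEN];
    uint8_t out[64];
    build_memory(mem, 40);
    return heartbeat_echo_hardened(mem, RECORD_LEN, out, sizeof out);
}

/* An honest request (5 claimed, 5 sent) must still be answered by the hardened handler. */
int hardened_result_for_honest_request(void) {
    uint8_t mem[RECORD_LEN + SECRET_LEN];
    uint8_t out[64];
    build_memory(mem, 5);
    return heartbeat_echo_hardened(mem, RECORD_LEN, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaked %d secret bytes\n", leaked_secret_bytes_vulnerable());
    printf("hardened handler, lying request: %d\n", hardened_result_for_lying_request());
    printf("hardened handler, honest request: %d\n", hardened_result_for_honest_request());
    return 0;
}
```

The point of the comparison is that the fix is a single length comparison: nothing about the cryptography changes, which is why the bug sat unnoticed inside a library everyone trusted. Note also that the flawed handler’s check against `out_cap` is not a substitute; it protects the responder’s own buffer while still disclosing whatever sits beyond the record.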

The bug was independently discovered recently by Codenomicon – a Finnish web security firm – and Google Security researcher Neel Mehta. The official name for the vulnerability is CVE-2014-0160. Since information about its discovery was disclosed on April 7th, 2014, it is estimated that some 17 percent (around half a million) of the Internet’s secure web servers that were certified by trusted authorities have been made vulnerable.

Several institutions have also come forward in that time to declare that they were subject to attack. For instance, the Canada Revenue Agency reported that its systems were accessed through an exploit of the bug during a 6-hour period on April 8th, and that Social Insurance Numbers belonging to 900 taxpayers were stolen. When the attack was discovered, the agency shut down its web site and extended the taxpayer filing deadline from April 30 to May 5.

The agency also said it would provide anyone affected with credit protection services at no cost, and it appears that the guilty parties were apprehended. This was announced on April 16, when the RCMP claimed that they had charged an engineering student in relation to the theft with “unauthorized use of a computer” and “mischief in relation to data”. In another incident, the UK parenting site Mumsnet had several user accounts hijacked, and its CEO was impersonated.

Another consequence of the bug is the impetus it has given to conspiracy theorists who believe it may be part of a government-sanctioned ploy. Given recent revelations about the NSA’s extensive efforts to eavesdrop on internet activity and engage in cyberwarfare, this is hardly a surprise. Nor would it be the first time, as anyone who recalls the case made against the NIST SP800-90 Dual_EC_DRBG – a pseudorandom number generator used extensively in cryptography – acting as a “backdoor” for the NSA to exploit will remember.

In that case, as in this latest bout of speculation, it is believed that the vulnerability in the encryption itself may have been intentionally created to allow spy agencies to steal the private keys that vulnerable web sites use to encrypt your traffic to them. And cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data.

According to documents the paper obtained from Snowden, GCHQ had specifically been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt traffic in near-real time; and in 2010, there was documentation that suggested that they might have succeeded. Although this was two years before the Heartbleed vulnerability existed, it does serve to highlight the agency’s efforts to get at encrypted traffic.

For some time now, security experts have speculated about whether the NSA cracked SSL communications; and if so, how the agency might have accomplished the feat. But now, the existence of Heartbleed raises the possibility that in some cases, the NSA might not have needed to crack SSL at all. Instead, it’s possible the agency simply used the vulnerability to obtain the private keys of web-based companies to decrypt their traffic.

Though security vulnerabilities come and go, this one is deemed catastrophic because it’s at the core of SSL, the encryption protocol trusted by so many to protect their data. And beyond abuse by government sources, the bug is also worrisome because it could possibly be used by hackers to steal usernames and passwords for sensitive services like banking, ecommerce, and email. In short, it empowers individual troublemakers everywhere by ensuring that the locks on our information can be exploited by anyone who knows how to do it.

Matt Blaze, a cryptographer and computer security professor at the University of Pennsylvania, claims that “It really is the worst and most widespread vulnerability in SSL that has come out.” The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug “catastrophic”, and Forbes cybersecurity columnist Joseph Steinberg even went as far as to say that:

Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.

Regardless, Heartbleed does point to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all. In short, Heartbleed has shown that more oversight is needed to protect the internet’s underlying infrastructure. And the sad truth is that open source software — which underpins vast swathes of the net — has a serious sustainability problem.

Another problem is money, in that important projects just aren’t getting enough of it. Whereas well-known projects such as Linux, Mozilla, and the Apache web server enjoy hundreds of millions of dollars in annual funding, projects like the OpenSSL Software Foundation – which are forced to raise money for the project’s software development – have never raised more than $1 million in a year. To top it all off, there are issues when it comes to the open source ecosystem itself.

Typically, projects start when developers need to fix a particular problem; and when they open source their solution, it’s instantly available to everyone. If the problem they address is common, the software can become wildly popular overnight. As a result, some projects never get the full attention from developers they deserve. Steve Marquess, one of the OpenSSL foundation’s partners, believes that part of the problem is that whereas people can see and touch their web browsers and Linux, they are out of touch with the cryptographic library.

In the end, the only real solution is informing the public. Since internet security affects us all, and the processes by which we secure our information are entrusted to too few hands, the immediate solution is to widen the scope of inquiry and involvement. It also wouldn’t hurt to commit additional resources to the process of monitoring and securing the web, thereby ensuring that spy agencies and private individuals are not exercising too much control over it, or able to do clandestine things with it.

In the meantime, the researchers from Codenomicon have set up a website (heartbleed.com) with more detailed information on what you can do to protect yourself.

Sources: cbc.ca, wired.com, (2), heartbleed.com

Should We Be Afraid? A List for 2013

In a recent study, the John J. Reilly Center at the University of Notre Dame published a list of possible threats that could be seen in the new year. The study, which was called “Emerging Ethical Dilemmas and Policy Issues in Science and Technology”, sought to address all the likely threats people might face as a result of the developments and changes made of late, particularly in the fields of medical research, autonomous machines, 3D printing, climate change and human enhancement.

The list contained eleven articles, presented in random order so people can assess what they think is the most important and vote accordingly. And of course, each one was detailed and sourced so as to ensure people understood the nature of the issue and where the information was obtained. They included:

1. Personalized Medicine:
Within the last ten years, the creation of fast, low-cost genetic sequencing has given the public direct access to genome sequencing and analysis, with little or no guidance from physicians or genetic counselors on how to process the information. Genetic testing may result in prevention and early detection of diseases and conditions, but may also create a new set of moral, legal, ethical, and policy issues surrounding the use of these tests. These include equal access, privacy, terms of use, accuracy, and the possibility of an age of eugenics.

2. Hacking medical devices:
Though no reported incidents have taken place (yet), there is concern that wireless medical devices could prove vulnerable to hacking. The US Government Accountability Office recently released a report warning of this, while Barnaby Jack – a hacker and director of embedded device security at IOActive Inc. – demonstrated the vulnerability of a pacemaker by breaching the security of the wireless device from his laptop and reprogramming it to deliver an 830-volt shock. Because many devices are programmed to allow doctors easy access in case reprogramming is necessary in an emergency, the design of many of these devices is not geared toward security.

3. Driverless zipcars:
In three states – Nevada, Florida, and California – it is now legal for Google to operate its driverless cars. A human in the vehicle is still required, but not at the controls. Google also plans to marry this idea to the zipcar, fleets of automobiles shared by a group of users on an as-needed basis and sharing in costs. These fully automated zipcars will change the way people travel but also the entire urban/suburban landscape. And once it gets going, ethical questions surrounding access, oversight, legality and safety are naturally likely to emerge.

4. 3-D Printing:
3D printing has astounded many scientists and researchers thanks to the sheer number of possibilities it has created for manufacturing. At the same time, there is concern that some usages might be unethical, illegal, and just plain dangerous. Take for example the recent efforts by groups such as Distributed Defense, a group intent on using 3D printers to create “Wiki-weapons”, or the possibility that DNA assembling and bioprinting could yield infectious or dangerous agents.

5. Adaptation to Climate Change:
The effects of climate change are likely to be felt differently by different peoples around the world. Geography plays a role in susceptibility, but a nation’s respective level of development is also intrinsic to how its citizens are likely to adapt. What’s more, we need to address how we intend to manage and manipulate wild species and nature in order to preserve biodiversity. This warrants an ethical discussion, not to mention suggestions of how we will address it when it comes.

6. Counterfeit Pharmaceuticals:
In developing nations, where life-saving drugs are most needed, low-quality and counterfeit pharmaceuticals are extremely common. Detecting such drugs requires the use of expensive equipment which is often unavailable, and expanding trade in pharmaceuticals is giving rise to the need to establish legal measures to combat foreign markets being flooded with cheap or ineffective knock-offs.

7. Autonomous Systems:
War machines and other robotic systems are evolving to the point that they can do away with human controllers or oversight. In the coming decades, machines that can perform surgery, carry out airstrikes, defuse bombs and even conduct research and development are likely to be created, giving rise to a myriad of ethical, safety and existential issues. Debate needs to be fostered on how this will affect us and what steps should be taken to ensure that the outcome is foreseeable and controllable.

8. Human-animal hybrids:
Is interspecies research the next frontier in understanding humanity and curing disease, or a slippery slope, rife with ethical dilemmas, toward creating new species? So far, scientists have kept experimentation with human-animal hybrids on the cellular level and have received support for their research goals. But to some, even modest experiments involving animal embryos and human stem cells are an ethical violation. An examination of the long-term goals and potential consequences is arguably needed.

9. Wireless technology:
Mobile devices, PDAs and wireless connectivity are having a profound effect in developed nations, with the rate of data usage doubling on an annual basis. As a result, telecommunications and government agencies are under intense pressure to regulate the radio frequency spectrum. The very way government and society does business, communicates, and conducts its most critical missions is changing rapidly. As such, a policy conversation is needed about how to make the most effective use of the precious radio spectrum, and to close the digital access divide for underdeveloped populations.

10. Data collection/privacy:
With all the data that is being transmitted on a daily basis, the issue of privacy is a major concern that is growing all the time. Considering the amount of personal information a person gives simply to participate in a social network, establish an email account, or install software on their computer, it is no surprise that hacking and identity theft are also major concerns. And now that data storage, microprocessors and cloud computing have become inexpensive and so widespread, a discussion needs to be had on what kinds of information gathering are acceptable and how quickly a person should be willing to surrender details about their life.

11. Human enhancements:
A tremendous amount of progress has been made in recent decades when it comes to prosthetic, neurological, pharmaceutical and therapeutic devices and methods. Naturally, there is warranted concern that progress in these fields will reach past addressing disabilities and restorative measures and venture into the realm of pure enhancement. With the line between biological and artificial being blurred, many are concerned that we may very well be entering into an era where the two are indistinguishable, and where cybernetic, biotechnological and other enhancements lead to a new form of competition where people must alter their bodies in order to maintain their jobs or avoid being left behind.

Feel scared yet? Well you shouldn’t. The issue here is about remaining informed about possible threats, likely scenarios, and how we as people can address and deal with them now and later. If there’s one thing we should always keep in mind, it is that the future is always in the process of formation. What we do at any given time controls the shape of it and together we are always deciding what kind of world we want to live in. Things only change because all of us, either through action or inaction, allow them to. And if we want things to go a certain way, we need to be prepared to learn all we can about the causes, consequences, and likely outcomes of every scenario.

To view the whole report, and to vote on which issue you think is the most important, follow the source link below.

Source: reilly.nd.edu

Data Miners – Chapter 11

Wednesday morning.

It’s been another hasty ride to work to get in on time. Prad hasn’t showered since Monday and is feeling the grime encroach on him again. His head is reeling from the dual assault of purple haze and not enough sleep. Working through code this morning is difficult, proceeding at one keystroke per minute. He has no desire to be looking at TPS reports right now or anything in Macro format for that matter. The few hours of sleep and the buzz he got from his last joint have not cured the case of busy-brain he contracted last night. He was hoping the light of day might make things a bit more clear, but if anything, it’s made it worse. Whereas the busy-brain kept him from sleep last night, it is now keeping him from work.

By ten thirty, he examines how much work he’s actually done and decides it’s futile. He half-wishes he brought the book with him just so he could peruse it. Then he wouldn’t be so fixated on it! Somehow, the mind had a way of obsessing over the things that the body didn’t have immediate access to.

He needs a distraction. Minimizing his work in his task tray, he pulls up his email and checks to see if anyone has written to him since yesterday. Sure enough, there are a couple of new hits in his Inbox. One from Sa’id, one from the adult dating site, and even one from Angie. A few spam mails in between, more offers for downloadable software and movies. He’s too excited to move these to his spam folder and goes right for the one from Angie. The subject line says it all.

>To: Prad123@yahoo.com
>From: AngCpr@gmail.com
>Subject: Bit weird huh?

>Hey Prad. Sorry for the misunderstanding last night. Had no idea you got a copy of Germaine’s book too. I suppose I can understand your confusion, it was a bit weird of him to just start reaching out like that, right from the blue? Anyway, no worries, Scott and I kind of got a kick out of it. We were also a little worried after you left, figured you might have been embarrassed. One other thing, have you heard anything about the dear old prof? I was kind of wondering if he was still with us. It might be nice to find him and say hi one last time.

>Anglmrk

Prad feels incredibly warm and giddy inside all of a sudden. He notices she didn’t use his first name, but oh the tenderness implied in that email! And the fact that she thought to write him the morning after! The time on it indicates that she wrote it less than an hour ago, most likely while bored at work. He reads it again and notices the mention of Scott, the royal we that follows in his wake too. He could live without that, but even the presence of that five letter fun stopper can’t spoil his mood now. He opens up the one from Sa’id next. A sense of fraternal duty tells him he should do this before composing a gushy response to the boss-lady.

The subject line of Sa’id’s email is quite telling. He notes instantly the diminished punctuation and grammar as well. Clearly a step down from Angie’s message.

>To: Prad123@yahoo.com
>From: SdN72@hotmail.com
>Subject: thanks dude!

>hey dude thanks again for the ride home last night woke up with a wicked hangover how bout you. My landlady sez i made terrible noise last night must have been when i woke up to puke my guts up good time all around though. shit that things got a bit heavy there for some people isn’t it hate to see our people not getting along but have you heard the news? The fecking feds just made a release bout the whole dangle thing and say that they think the whole thing was faked but wont say nothing about how they got them or where the leak came from. dumbasses huh only make things worse for themselves! ps what was with that whole thing in Angie’s room why were in there second time around i mean I know what you were doing the first time pervert! take care, can’t wait for five oclock to roll around

>Sandngrr

Now he feels momentarily sidetracked. He did not hear that, must have left the radio off in his car this morning, or had it tuned to music. He really can’t remember. The only other time he ever catches the news is on the web, or by word of mouth. And on both fronts he’s been a little out of touch, at least for the last twenty four hours.

The email from the dating site now looms in his field of vision like a burning bush. He desperately wants to check it, to see who took an interest in his profile and what they look like/have to say for themselves. But he doesn’t want to keep Angie waiting. A message from her in his Inbox is like finding her at his front door, or so he imagines. Leaving her waiting would be nothing short of criminal. Going back to Angie’s message, he hits the Reply button and begins composing. He does his best to emulate the proper style with which she emailed him, not to mention the tone he established last night. If acting mature gets her to email him, he’ll ride that pony to the ends of the earth!

To: AngCpr@gmail.com
Subject: Re: Bit weird huh?

Hey Angie. Don’t worry about it. It is I who should apologize for breaking in on you like that. I suppose these things happen. Sad to say, I can’t tell anything new about the prof. Last I heard, he got diagnosed and decided not to go the treatment route. Sad huh, but what can you do? One question though, are you absolutely sure he was the one who sent those books? I suppose it stands to reason, but why didn’t he send a real note or at least a return address? Oh well, talk to you soon. Take care, say hi to Scott.

Thaiwrrr

He grabs the mouse, his finger poised above the “Send” button. That’s when he realizes that his own inquiry is worth following up on. Not just idle chit chat, someone really ought to see if anyone else who was in their class or studied under Germaine at MIT also got copies of that book. He checks his address folder to see if he has any old email addresses. He’s still got the names of a few old friends there, but most of the addresses are old IST accounts. Prad shakes his head. Those accounts probably haven’t been used in over five years. Someday soon he must do a cleanup of his contact folder.

Luckily, he still has some hotmail and yahoo accounts for some people he used to hang out with: Lena, Mark, Josée, and Andrea. They were all pretty cool, but not too cool. They hung around with him, after all. If ever he were to be completely honest, he would admit that they were the people he fell in with because of his inability to get in with the truly cool crowd. Nevertheless, they are all MIT alumni and people who studied under Germaine. Surely they would be on his contact list if he wanted to start sending gift packages around. Clicking on the box beside each of their names, he adds them all to the recipient’s field before typing off a friendly generic message.

Hello all, sorry to drop in on you like this after such a long absence. But something’s come up which I feel concerns us all. I am, of course, referring to Professor Germaine’s illness. I’m sure you’ve all heard how our dear teacher is not long for this world. Last I heard, he’s got a few months tops before he… you know. Well, it may be that he’s decided to reach out to some of us before that happens. Angie and I both received copies of the millennial edition of Ghost in the Machine, the one with his foreword. We’re not sure, but we think he sent them to us. As fellow alumni sts, I was wondering if any of you got similar packages. If so, did it come with a note that contained more than just simple instructions? Angie and I would appreciate any info you have, as it would resolve this dilemma for us.

Thaiwrrr

He hits “Send” and moves onto his last message. It’s about time too. A response of this kind can only be exciting. His palms would be sweaty if he were a lesser man, or just a little cleaner. His pores are too clogged right now, luckily his armpits and crotch appear to be overcompensating.

>Prad123, you’ve received a profile message from Kittyhawk69:
>“Hi. Liked your profile, I think Asian guys are super hot! Come check me out!”
>Follow the link below to see the full message and access their profile:

Prad immediately clicks on the site’s link to have a gander. Sure enough, for her pic, Kittyhawk69 lives up to the name. Her preferences send his heart into another tail spin: Hot chat, one on one, threesomes, toys and discreet relationship. His mind and libido begin the age old dance, the former insisting she’s a dude, the latter telling the former to shut up.

Yep, he agrees, too good to be true. But what harm can a little extended chat, via webcam to confirm she’s actually a woman, followed by a little meet and greet at a neutral site do?

You could end up with a disease, or finding a penis tucked under her ass! His mind tells him. But what has his mind done for him lately other than keep him in this dead end job? Another look at her preferences, cross-referenced with her other pics, ends the debate quickly.

Shut up, mind!