Cyberwars: The Heartbleed Bug and Web Security

A little over two years ago, a tiny piece of code was introduced to the internet that contained a bug. This bug was known as Heartbleed, and in the two years it has taken for the world to recognize its existence, it has caused quite a few headaches. In addition to allowing cybercriminals to steal passwords and usernames from Yahoo, it has also allowed people to steal from online bank accounts, infiltrate government institutions (such as Revenue Canada), and generally undermine confidence in the internet.

What’s more, in an age of cyberwarfare and domestic surveillance, its appearance would give conspiracy theorists a field day. And since it was first disclosed a month to the day ago, some rather interesting theories as to how the NSA and China have been exploiting this to spy on people have surfaced. But more on that later. First off, some explanation as to what Heartbleed is, where it came from, and how people can protect themselves from it, seems in order.

First off, Heartbleed is not a virus or a type of malware in the traditional sense, though it can be exploited by malware and cybercriminals to achieve similar results. Basically, it is a security bug or programming error in popular versions of OpenSSL, a cryptographic software library that encrypts and protects the privacy of your password, banking information and any other sensitive data you provide in the course of checking your email or doing a little online banking.

Though it was only made public a month ago, the origins of the bug go back just over two years – to New Year’s Eve 2011, to be exact. It was at this time that Stephen Henson, one of the collaborators on the OpenSSL Project, received the code from Robin Seggelmann – a respected academic who’s an expert in internet protocols. Henson reviewed the code – an update for the OpenSSL internet security protocol — and by the time he and his colleagues were ringing in the New Year, he had added it to a software repository used by sites across the web.

What’s interesting about the bug, which is named for the “heartbeat” part of the code that it affects, is that it is not a virus or piece of malware in the traditional sense. What it does is allow an attacker to read the memory of systems that are protected by the bug-affected code, which accounts for two-thirds of the internet. That way, cybercriminals can get the keys they need to decode and read the encrypted data they want.
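To make the “read the memory” part concrete, here is an added, simplified model of the defect (written for this article; it is not OpenSSL’s own code). A TLS heartbeat record carries a 16-bit field saying how many payload bytes the sender wants echoed back. The unpatched handler below trusts that field and copies that many bytes from wherever the payload starts, so a record that claims more bytes than it actually contains gets answered with whatever sat next to it in memory. The patched handler performs the one check the fix added: the claimed length must fit inside the record that was actually received, otherwise the record is dropped. The arena buffer, the “hello” payload and the `SESSION-KEY=deadbeef` string are constructed sample data standing in for a server’s real memory.

```c
/* Simplified model of the Heartbleed (CVE-2014-0160) defect and its fix.
 * Added illustration, not OpenSSL's code.  Heartbeat record layout:
 *   byte 0      : type (1 = request, 2 = response)
 *   bytes 1..2  : payload_length, big endian
 *   bytes 3..   : payload, then at least 16 bytes of padding */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding that follows the payload */

static uint16_t hb_claimed_length(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Unpatched behaviour: the received length rec_len is never consulted, so
 * memcpy reads payload_length bytes even when the record was shorter. */
unsigned char *hb_process_unpatched(const unsigned char *rec, size_t rec_len,
                                    size_t *out_len) {
    (void)rec_len;                              /* the bug: rec_len is ignored */
    uint16_t payload = hb_claimed_length(rec);
    unsigned char *resp = malloc(3 + payload + HB_PADDING);
    if (!resp) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, rec + 3, payload);         /* over-read past the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return resp;
}

/* Patched behaviour: a claimed payload that does not fit in the bytes
 * actually received means the record is malformed, so it is silently dropped
 * (NULL).  Only this bounds check differs from the unpatched version. */
unsigned char *hb_process_patched(const unsigned char *rec, size_t rec_len,
                                  size_t *out_len) {
    if (rec_len < 3) return NULL;
    uint16_t payload = hb_claimed_length(rec);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return NULL; /* the fix */
    unsigned char *resp = malloc(3 + payload + HB_PADDING);
    if (!resp) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return resp;
}

/* Constructed arena: a 24-byte record (5 real payload bytes + padding) that
 * claims 64 payload bytes, followed by data that belongs to something else. */
enum { ARENA_SIZE = 96, REC_LEN = 3 + 5 + HB_PADDING };
static unsigned char arena[ARENA_SIZE];

static void build_arena(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;           /* claims 64 payload bytes */
    memcpy(arena + 3, "hello", 5);
    memcpy(arena + REC_LEN, "SESSION-KEY=deadbeef", 20); /* adjacent "memory" */
}

/* Portable substring search over a byte buffer (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the unpatched reply carries bytes that were never part of the record. */
int unpatched_reply_leaks_secret(void) {
    size_t n = 0;
    build_arena();
    unsigned char *resp = hb_process_unpatched(arena, REC_LEN, &n);
    int leaked = resp && n > 3 && contains(resp + 3, n - 3, "SESSION-KEY");
    free(resp);
    return leaked;
}

/* 1 if the patched handler refuses the same malformed record. */
int patched_drops_record(void) {
    size_t n = 0;
    build_arena();
    unsigned char *resp = hb_process_patched(arena, REC_LEN, &n);
    int dropped = (resp == NULL);
    free(resp);
    return dropped;
}

/* 1 if the patched handler still echoes a well-formed request correctly. */
int patched_echoes_valid_record(void) {
    unsigned char rec[REC_LEN] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    size_t n = 0;
    unsigned char *resp = hb_process_patched(rec, sizeof rec, &n);
    int ok = resp && resp[0] == HB_RESPONSE && n == REC_LEN &&
             memcmp(resp + 3, "hello", 5) == 0;
    free(resp);
    return ok;
}

int main(void) {
    printf("unpatched leaks adjacent memory: %d\n", unpatched_reply_leaks_secret());
    printf("patched drops malformed record:  %d\n", patched_drops_record());
    printf("patched echoes valid record:     %d\n", patched_echoes_valid_record());
    return 0;
}
```

The arena is deliberately larger than the over-read so the model stays within defined behaviour; on a real server there is no such fence, which is why the 64 KB an attacker could request per heartbeat might contain session cookies, passwords, or the private key itself. Note also that the fix is a single length comparison: the defect was never about the strength of the cryptography, only about trusting an attacker-controlled length.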

The bug was independently discovered recently by Codenomicon – a Finnish web security firm – and Google Security researcher Neel Mehta. Since information about its discovery was disclosed on April 7th, 2014, it is estimated that some 17 percent (around half a million) of the Internet’s secure web servers that were certified by trusted authorities have been made vulnerable. The official name for the vulnerability is CVE-2014-0160.

Several institutions have also come forward in that time to declare that they were subject to attack. For instance, the Canada Revenue Agency reported that its systems were accessed through an exploit of the bug during a 6-hour period on April 8th, and that Social Insurance Numbers belonging to 900 taxpayers were stolen. When the attack was discovered, the agency shut down its web site and extended the taxpayer filing deadline from April 30 to May 5.

The agency also said it would provide anyone affected with credit protection services at no cost, and it appears that the guilty parties were apprehended. This was announced on April 16, when the RCMP claimed that they had charged an engineering student in relation to the theft with “unauthorized use of a computer” and “mischief in relation to data”. In another incident, the UK parenting site Mumsnet had several user accounts hijacked, and its CEO was impersonated.

Another consequence of the bug is the impetus it has given to conspiracy theorists who believe it may be part of a government-sanctioned ploy. Given recent revelations about the NSA’s extensive efforts to eavesdrop on internet activity and engage in cyberwarfare, this is hardly a surprise. Nor would it be the first time, as anyone who recalls the case made for the NIST SP 800-90 Dual EC DRBG – a pseudorandom number generator used extensively in cryptography – acting as a “backdoor” for the NSA to exploit.

In that, and this latest bout of speculation, it is believed that the vulnerability in the encryption itself may have been intentionally created to allow spy agencies to steal the private keys that vulnerable web sites use to encrypt your traffic to them. And cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data.

According to documents the paper obtained from Snowden, GCHQ had specifically been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt traffic in near-real time; and in 2010, there was documentation that suggested that they might have succeeded. Although this was two years before the Heartbleed vulnerability existed, it does serve to highlight the agency’s efforts to get at encrypted traffic.

For some time now, security experts have speculated about whether the NSA cracked SSL communications; and if so, how the agency might have accomplished the feat. But now, the existence of Heartbleed raises the possibility that in some cases, the NSA might not have needed to crack SSL at all. Instead, it’s possible the agency simply used the vulnerability to obtain the private keys of web-based companies to decrypt their traffic.

Though security vulnerabilities come and go, this one is deemed catastrophic because it’s at the core of SSL, the encryption protocol trusted by so many to protect their data. And beyond abuse by government sources, the bug is also worrisome because it could possibly be used by hackers to steal usernames and passwords for sensitive services like banking, ecommerce, and email. In short, it empowers individual troublemakers everywhere by ensuring that the locks on our information can be exploited by anyone who knows how to do it.

Matt Blaze, a cryptographer and computer security professor at the University of Pennsylvania, claims that “It really is the worst and most widespread vulnerability in SSL that has come out.” The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug “catastrophic”, and Forbes cybersecurity columnist Joseph Steinberg even went as far as to say that:

Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.

Regardless, Heartbleed does point to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all. In short, Heartbleed has shown that more oversight is needed to protect the internet’s underlying infrastructure. And the sad truth is that open source software — which underpins vast swathes of the net — has a serious sustainability problem.

Another problem is money, in that important projects just aren’t getting enough of it. Whereas well-known projects such as Linux, Mozilla, and the Apache web server enjoy hundreds of millions of dollars in annual funding, projects like the OpenSSL Software Foundation – which are forced to raise money for the project’s software development – have never raised more than $1 million in a year. To top it all off, there are issues when it comes to the open source ecosystem itself.

Typically, projects start when developers need to fix a particular problem; and when they open source their solution, it’s instantly available to everyone. If the problem they address is common, the software can become wildly popular overnight. As a result, some projects never get the full attention from developers they deserve. Steve Marquess, one of the OpenSSL foundation’s partners, believes that part of the problem is that whereas people can see and touch their web browsers and Linux, they are out of touch with the cryptographic library.

In the end, the only real solution is in informing the public. Since internet security affects us all, and the processes by which we secure our information are entrusted to too few hands, the immediate solution is to widen the scope of inquiry and involvement. It also wouldn’t hurt to commit additional resources to the process of monitoring and securing the web, thereby ensuring that spy agencies and private individuals are not exercising too much control over it, or able to do clandestine things with it.

In the meantime, the researchers from Codenomicon have set up a website (heartbleed.com) with more detailed information on what you can do to protect yourself.

Sources: cbc.ca, wired.com, (2), heartbleed.com

Cyberwars: Massive Government Surveillance Uncovered!

On Friday, Washington DC found itself embroiled in controversy as revelations were made about the extent to which US authorities have been spying on Americans in the last six years. This news came on the heels of the announcement that the federal government had been secretly cataloging all of Verizon’s phone records. No sooner had the dust settled on that revelation than it became known that the scope of the Obama administration’s surveillance programs was far greater than anyone had imagined.

According to updated information on the matter, it is now known that The National Security Agency (NSA) and the FBI have been tapping directly into the central servers of nine leading U.S. Internet companies, extracting everything from audio and video chats, photographs, e-mails, documents, and connection logs that would enable their analysts to track foreign targets.

This information was revealed thanks to a secret document that was leaked to the Washington Post, which shows for the first time that under the Obama administration, the communication records of millions of US citizens are being collected indiscriminately and in bulk – regardless of whether they are suspected of any wrongdoing. Equally distressing are the names being named: U.S. service providers such as Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple.

The document further indicates that all of this has been taking place since 2007, when news disclosures, lawsuits and the Foreign Intelligence Surveillance Court forced then-president George W. Bush to look for new authority to justify his program of warrantless domestic surveillance. Its continuance and expansion under Obama has created a great deal of understandable intrigue, and not only because of promises made that “illegal wiretapping” would not take place under his watch.

The joint FBI-NSA program responsible for mining all the data is known as PRISM, and it may very well be the first of its kind. While the NSA and FBI have a long history of monitoring suspects via phone records and computer activity, and are both accustomed to corporate partnerships that help them divert data traffic or sidestep barriers, such a vast program has never before been possible. In the current information age, there is an immense wealth of information out there, and where better to access all of this than in Silicon Valley?

Not long after the news broke in Washington, London’s Guardian reported that GCHQ, Britain’s equivalent of the NSA, also has been secretly gathering intelligence from the same internet companies through an operation set up by the NSA. According to the same leaked information, PRISM appears to allow the GCHQ to circumvent the formal legal process required in Britain to seek personal material such as emails, photos and videos from an internet company based outside of the country.

But perhaps worst of all is the fact that this process is entirely above board, at least for the companies involved. Back in 2007, Congress passed the Protect America Act, and then in 2008 followed it up with the FISA Amendments Act, both of which immunized private companies that cooperated voluntarily with U.S. intelligence collection against prosecution. And late last year, when critics in Congress sought changes in the FISA Amendments Act, the only lawmakers who knew about PRISM were bound by oaths of office to hold their tongues.

As anticipated, a bipartisan amalgam of Senators came out to defend the initial reports of phone record monitoring shortly after it was announced. In a rare display of solidarity that cut across party lines, Democrats and Republicans from both the Senate and House came forward to say that the program was justified, only spied on terrorists, and that law-abiding citizens need not worry.

National Security Agency – aerial view

Once again, the argument “if you’ve done nothing wrong, you’ve got nothing to fear” finds itself employed by people who do not want to voice criticisms about a government spying program. Echoes of the Bush administration and McCarthy era all over again. Needless to say, all of this has many people worried, not least those who have opposed government intrusion and defended privacy for the past decade.

Ever since it became possible to “mine data” from numerous online digital sources, there has been fear that corporations or governments might try to ascertain the habits and comings and goings of regular people in order to effectively monitor them. For some time now, this sort of monitoring has been somewhat benign, in the form of anticipating their spending habits and using targeted advertising. But there has always been the fear that something more sinister and totalitarian might emerge.

And with the “War on Terror”, the Patriot Act, domestic warrantless wiretapping, the legitimization of torture, and a slew of other crimes the Bush administration was indicted for, people all over the world have become convinced that “Big Brother” government is just around the corner, if indeed it is not already here.

The fact that such processes have continued and even expanded under Obama, a man who originally pledged not to engage in such behavior, has made a bad situation worse. In many ways, it demonstrates that fears that he too would succumb to internal pressure were justified. Much as he was won over by the Pentagon and CIA to continue the war in Afghanistan and UAV programs, it seems that the constellation of FBI and NSA specialists advising him on domestic surveillance has managed to sway him here as well.

One can only hope that this revelation causes the federal government and the Obama administration to reconsider their stances. After all, these are the same people who were convinced to stand down on the use of UAVs in overseas operations and to take measures that would ensure transparency in the future. We can also hope that the NSA and FBI will be required to once again rely on the court system and demonstrate “just cause” before initiating any domestic surveillance in the future.

Otherwise, we might all need to consider getting our hands on some stealth wear and personal cameras, to shield ourselves and create an environment of “sousveillance” so we can spy on everything the government does. Might not hurt to start monitoring the comings and goings of every telecommunications and Silicon Valley CEO while we’re at it! For as the saying goes, “who watches the watchers?” I’ll give you a hint: we do!

Also, be sure to check out the gallery of artist Adam Harvey, the man who pioneered “stealth wear” as a protest against the use of drones and domestic surveillance. To learn more about sousveillance, the concept of a society monitored by common people, check out Steve Mann’s (inventor of the EyeTap) blog.

Sources: washingtonpost.com, guardian.co.uk, policymic.com, ahprojects.com, eyetap.blogspot.ca