Bleeding memory exposes all-important online data
UPDATE 14/04: Financial news outlet Bloomberg has reported that the US National Security Agency (NSA) knew about the flaw almost from the time it was introduced, and has been using it to harvest information.
The White House National Security Council has responded, denying the allegations.
“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet,” spokesperson Caitlin Hayden said.
“It is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.”
Websites around the world are hurrying to fix their systems in response to a very serious vulnerability.
A flaw has been exposed in OpenSSL, the world's most widely used open-source implementation of the SSL/TLS encryption that protects data such as passwords and credit card details in transit.
Some governments have taken official websites offline while they confirm the fix is in place, but the public checking tools do not appear to be able to test Australian government servers.
Online checking tools can test whether a given website is still vulnerable.
The bug has been present in OpenSSL since March 2012, when version 1.0.1 shipped with the defective heartbeat code.
It has now been patched in OpenSSL 1.0.1g, but that is little comfort when passwords could already have been stolen at any point during the last two years.
A dedicated site has been set up to document the scope and risks of the bug, which has been dubbed 'Heartbleed' and appears to have been exploitable for some time.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” the site says.
“This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
“This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
“On the scale of 1 to 10, this is an 11,” Harvard University online security expert Bruce Schneier says.
The problem lets anyone who can open a TLS connection to a server (no break-in is required) receive small chunks of the server's private memory through OpenSSL's 'heartbeat' extension, which is designed to keep connections alive by exchanging small pieces of data that the other side echoes back. The same flaw works in reverse against a vulnerable client that connects to a malicious server.
A small programming fault means the server trusts the length the client claims for its heartbeat message instead of checking it against the length of the data actually received, so it copies and sends back up to 64 kilobytes of whatever sits in memory beyond the message. Data that is encrypted on the wire sits decrypted in that memory, so the leaked chunks can contain sensitive information of virtually any kind.
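The defect described above, as an added example written for this article and not OpenSSL's own code: a minimal heartbeat handler in its vulnerable and fixed forms, run against a constructed stand-in for the server's process memory. The message layout follows RFC 6520; the `memory` array, the secret placed after the record, and the handler and function names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed defect, written for this article; it is
 * not OpenSSL's code. A TLS heartbeat message (RFC 6520) is laid out as:
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 * The server is supposed to echo the payload back. A vulnerable server trusts
 * payload_length instead of checking it against the record it really received.
 */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* minimum padding required by RFC 6520 */

/* Constructed stand-in for the server's process memory: the heartbeat record
 * sits at the front and other connections' data lies just past it. Keeping the
 * over-read inside this array is what lets the demo run without crashing; in a
 * real process the same copy walks into whatever the heap holds. */
#define MEM_SIZE 256
static unsigned char memory[MEM_SIZE];

/* Constructed secret placed right after the record, as another request's
 * plaintext would be on a real heap. */
static const char SECRET[] = "user=alice&password=hunter2";

/* Write a heartbeat request into memory[]. claimed_len goes into the length
 * field; actual_len is how many payload bytes are really sent. Returns the
 * length of the record that actually arrived on the wire. */
static size_t build_request(uint16_t claimed_len, size_t actual_len) {
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(memory + 3, 'A', actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;   /* padding left as zeros */
    memcpy(memory + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

/* Vulnerable handler: copies payload_length bytes starting at the payload,
 * without asking whether the record is that long. Returns response length. */
static size_t handle_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                          unsigned char *out, size_t out_cap) {
    (void)rec_len;                                  /* the bug: never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* over-read past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler: the same shape of check OpenSSL 1.0.1g added. A request whose
 * claimed length does not fit in the received record is silently discarded. */
static size_t handle_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                     unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;    /* too short to be a heartbeat */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Attacker sends 5 payload bytes but claims 100: does the vulnerable server
 * hand back the secret that sits after the record? (1 = yes) */
int vulnerable_leaks_secret(void) {
    size_t rec_len = build_request(100, 5);
    unsigned char out[MEM_SIZE];
    size_t n = handle_heartbeat_vulnerable(memory, rec_len, out, sizeof out);
    return n == 3 + 100 + HB_PADDING && contains(out, n, "password=hunter2");
}

/* Same lying request against the fixed server: discarded? (1 = yes) */
int fixed_rejects_lying_request(void) {
    size_t rec_len = build_request(100, 5);
    unsigned char out[MEM_SIZE];
    return handle_heartbeat_fixed(memory, rec_len, out, sizeof out) == 0;
}

/* An honest request (claims 5, sends 5) still gets its payload echoed. */
int fixed_echoes_honest_request(void) {
    size_t rec_len = build_request(5, 5);
    unsigned char out[MEM_SIZE];
    size_t n = handle_heartbeat_fixed(memory, rec_len, out, sizeof out);
    return n == 3 + 5 + HB_PADDING && out[0] == HB_RESPONSE
        && memcmp(out + 3, "AAAAA", 5) == 0 && !contains(out, n, "hunter2");
}

int main(void) {
    printf("vulnerable server leaks secret:   %d\n", vulnerable_leaks_secret());
    printf("fixed server drops lying request: %d\n", fixed_rejects_lying_request());
    printf("fixed server echoes honest one:   %d\n", fixed_echoes_honest_request());
    return 0;
}
```

The two-byte length field is why a single request can pull back at most 64 KiB, and the fixed handler's silent discard is why a probe leaves nothing in ordinary server logs: a heartbeat that is answered or dropped is not an event an unmodified server records.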
“Basically, an attacker can grab 64K of memory from a server,” Schneier says.
“The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory.
“This means that anything in memory - SSL private keys, user keys, anything - is vulnerable. And you have to assume that it is all compromised. All of it,” he said.
The flaw has definitely been exploited by attackers, according to a US security company.
Hundreds of thousands of sites have been left vulnerable by the flaw. Though a patch has now been released, many are advising users to change their passwords in case they have already been stolen.
Security experts strongly recommend changing all passwords, but only once the site in question has been patched and has replaced its certificate; a password changed on a server that is still vulnerable can be captured just as easily as the old one. Session cookies and other tokens that were held in server memory should be treated as exposed as well.
Meanwhile, administrators face the laborious task of upgrading to a fixed OpenSSL (1.0.1g, or a build with the heartbeat extension disabled), restarting every service that had loaded the vulnerable library, generating new private keys and Certificate Signing Requests, obtaining replacement certificates and revoking the old ones. Installing the updated library does nothing for a running process that still has the old one loaded.