Network Security, the Heartbleed Bug - Essay Example

The Heartbleed Bug Introduction The heartbleed bug subsists in a piece of open source software called OpenSSL (Secure Sockets Layer). The OpenSSL is intended to act as a sort of secret handshake at the beginning of a secure conversation through encryption of communications between a users computer and a web server. The heartbleed bug was revealed in April 2014 in the OpenSSL cryptography library. It is a broadly used application of the Transport Layer Security (TLS) protocol. It was labeled Heartbleed because it affects an extension file to the SSL (Secure Sockets Layer) and improper input validation, hence programmers named it as Heartbeat. This essay focuses on the increased concern over the effects of the heartbleed bug on the internet security (Codenomicon, 2014). This loophole allows stealing of secured information and data under normal settings, by the SSL/TLS encryption used to protect the Internet. The SSL/TLS covers privacy and communication security for applications found in the Internet such as the web, instant messaging (IM), email and virtual private networks (VPNs). The Heartbleed bug permits any user accessing the Internet to read the systems’ memory secured by the weaker versions of the OpenSSL applications. This jeopardizes the secret keys used to pinpoint the service providers and to encode the movement, the names and passwords of the users and the authentic content. This permits hackers to spy on data, steal information straight from the services and users and to impersonate services and users (Codenomicon, 2014). The Heartbleed bug is listed in the Common Vulnerabilities and Exposures system as CVE-2014-0160. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names preserved by MITRE. The technical name, CVE-2014-0160 is named from the line of code that the bug is contained. However, a secure version of OpenSSL was released on April 7, 2014, after the Heartbleed bug was publicly revealed. At the time close to 17% an estimated half a million of the Internets protected web servers licensed by trust authorities were alleged to be exposed to the bug. Hence, permitting the stealing of the servers digital keys used to encrypt data and gain access over users session cookies and passwords (BBC News, 2014). The loophole allows a hacker to gain access of up to 64 kilobytes of server memory. However, the hackers execute the attack repeatedly to access a substantial amount of information. Therefore, a hacker can gain access to users’ cookies from web browsers and servers that keep track of individual personal login information such as passwords and usernames details. This kind of information is critical and makes data secured online at risk of getting in the wrong hands since the hacker has the ease of logging in to users account through impersonation (BBC News, 2014). According to the Electronic Frontier Foundation, doing the attack over and over again could produce more severe information, such as websites private SSL digital key, used to encrypt movement of data. With this digital key, someone could run a replica version of a website and use it to gain access to other classes of information, such as credit card numbers or private messages. Encryption is used to secure information that may damage individual privacy or security when they are exposed by the hackers. To coordinate retrieval of information from the heartbleed bug, it is categorized into four parts namely: Primary key material, secondary key material and protected content and collateral (Codenomicon, 2014). Leaked information keys gives the hacker access to decrypt both past and future data circulation to the secured services and copy the service at will. Any security given by the encryption and the signatures in the X.509 licenses can be overwritten. Recovery from this sort of leak involves repairing the exposure, cancelation of the compromised keys and reproducing and redeploying new keys. Even doing all this will still leave any traffic captured by the hackers in the past still at risk to decryption (Codenomicon, 2014). Secondary material entails information such as the user identifications (user names and passwords) used in the risky services. Recovery from this disclosure needs the users of the service first to reestablish trust to the service in accordance to steps defined overhead. After this owners can begin changing their passwords and possible encryption keys in accordance with the instructions from the users of the services that have been tampered with. All log-in session keys and session cookies should be canceled and considered as tampered with (BBC News, 2014). The authentic content handled by the risky services. This might be personal information such as emails, financial particulars, instant messages, documents that is protected by encryption. Only users of the subscription will be able to approximate the chances of what has been exposed and alert their users consequently. Importantly is to reinstate confidence to the primary and secondary key material. This is the only procedure that will empower secure practice of the tampered services in the future. Disclosed securities are other particulars that have been uncovered to the hackers in the leaked memory content. Leaked collateral contain technical particulars such as memory addresses and security measures. Security measures include canaries used to defend against overflow occurrences. These have only present-day value and will drop their value to the hacker when OpenSSL has been advanced to a secure version (Codenomicon, 2014). However, OpenSSL implementation software is popular; there exist other SSL/TLS alternatives. Similarly, some Web sites use a previous, genuine version, and some of them did not permit the "heartbeat" vulnerability that was dominant to the risk. While it does not unravel the mystery, what alleviates the possibility of the possible risk is the application of Perfect Forward Secrecy (PFS). This is the exercise that guarantee the encryption of keys have a very limited shelf life and are not used for a long shelf time. This means that if a hacker accessed an encryption key out of a servers memory, the hacker would not be able to decrypt all protected traffic from that server because keys has a limited shelf life. While some big companies such as Facebook and Google are supporting PFS, not every company does (BBC News, 2014). In conclusion, users should frequently change their login credentials such as passwords and they need to make sure that they opt something that does not redirect to their personal likes for example a pets name. Preferable words that do not appear in a dictionary may be a combination of numbers and words. Tools are now broadly accessible that will keep and consolidate all users credentials for apps, computers and networks. Applications and tools can create passwords and spontaneously enter user’s credentials into forms on websites. These tools keep users credentials in an encrypted file that is available only through the use of a master password. Illustrations of such tools include KeePass, 1Password and LastPass (Codenomicon, 2014). References Codenomicon (2014, April 29). Heartbleed Bug. Retrieved 27 February 2015, from http://heartbleed.com/ Wakefield, J. (2014, April 10). Heartbleed: What you need to know. BBC news Technoloy. Retrieved 27 February 2015, from http://www.bbc.com/news/technology-26969629 Read More