
Impact of a tiny bug

As you may have heard, on Monday (April 7, 2014) security engineers at Google and the Finnish firm Codenomicon reported the existence of the 'Heartbleed' bug in OpenSSL. It has since sent waves through the internet community, and for good reason: OpenSSL is the library most of the internet relies on for encryption.

Why is this bug so important?

Most people outside tech circles had never heard of OpenSSL before today and still do not understand what the software does. SSL (Secure Sockets Layer), which you probably have heard of, and its successor TLS are the protocols used to securely transfer data between an internet server and a client (like a web browser). When a connection is set up, the server proves its identity with a certificate and a public key; the client uses that public key in a handshake that only the holder of the matching private key on the server can complete, and the two sides agree on a fresh shared secret. The page data itself is then encrypted in both directions with that shared secret; the public/private pair is used only for the handshake, and the client normally has no key pair of its own.

OpenSSL is an open-source library and command-line toolkit that implements SSL/TLS and the cryptography underneath it, and a great deal of other software links to it rather than writing its own. That is why the bug reaches far beyond web servers: securing email transmission, FTPS and file uploads all commonly go through OpenSSL.

The actual error (CVE-2014-0160) is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520), which is where the name comes from. A heartbeat request carries a small payload and a field saying how long that payload is; the server echoes the payload back, and the buggy code copies as many bytes as the request claims without checking that the request is actually that long. A request that claims 64 KB but carries a few bytes therefore gets back up to 64 KB of whatever sits next in the server process's memory: private keys, session cookies, other users' passwords. The flawed code was added at the end of 2011 and shipped in OpenSSL 1.0.1 in March 2012, roughly two years before the disclosure.
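To make the "tiny bug" concrete, here is an added, self-contained C sketch of the shape of the flaw and of the fix. It is not OpenSSL's code: the heap image, the record layout, the "hello" payload and the secret string placed after the record are all constructed for the demonstration, and the two handlers only mirror the structure of the pre-1.0.1g code (trust the length field inside the message) and of the 1.0.1g fix (compare it with the record length the record layer reported).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16    /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed stand-in for a server's heap (not real OpenSSL memory): a heartbeat
 * record immediately followed by data that belongs to someone else.
 * Layout: type (1) | payload length (2, big-endian) | payload | padding | SECRET ... */
#define HEAP_LEN    256
#define PAYLOAD_LEN 5
#define RECORD_LEN  (1 + 2 + PAYLOAD_LEN + HB_PADDING)   /* 24: what the record layer reports */
static const char SECRET[] = "SECRET_SESSION_KEY=deadbeef";

/* Fill `heap` with the record; the *claimed* length may differ from the real one. */
static void build_heap(uint8_t heap[HEAP_LEN], uint16_t claimed_len)
{
    memset(heap, 0, HEAP_LEN);
    heap[0] = HB_REQUEST;
    heap[1] = (uint8_t)(claimed_len >> 8);
    heap[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(heap + 3, "hello", PAYLOAD_LEN);
    memcpy(heap + RECORD_LEN, SECRET, sizeof(SECRET));   /* lies just past the record */
}

/* Shape of the pre-1.0.1g handler: trusts the length field inside the message.
 * Returns the response length and stores a malloc'd response in *resp, or -1. */
static int heartbeat_unchecked(const uint8_t *rec, size_t rec_len, uint8_t **resp)
{
    (void)rec_len;                                   /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* attacker-controlled */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    uint8_t *out = malloc(resp_len);
    if (!out) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* over-read when payload > real length */
    memset(out + 3 + payload, 0, HB_PADDING);
    *resp = out;
    return (int)resp_len;
}

/* Shape of the 1.0.1g fix: the claimed length must fit inside the record. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t **resp)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* too short to be a heartbeat at all */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;   /* silently discard */
    return heartbeat_unchecked(rec, rec_len, resp);  /* safe now that payload is bounded */
}

/* Returns 1 if the secret shows up in what `handler` sends back, 0 otherwise. */
static int leaks_secret(int (*handler)(const uint8_t *, size_t, uint8_t **), uint16_t claimed_len)
{
    uint8_t heap[HEAP_LEN];
    uint8_t *resp = NULL;
    if ((size_t)claimed_len + 3 > HEAP_LEN) return 0;   /* keep the demo inside its own buffer */
    build_heap(heap, claimed_len);
    int n = handler(heap, RECORD_LEN, &resp);
    int leaked = 0;
    if (n > 0) {
        /* echoed bytes start at resp+3; the secret would begin PAYLOAD_LEN + HB_PADDING bytes in */
        size_t off = 3 + PAYLOAD_LEN + HB_PADDING;
        leaked = (size_t)n >= off + sizeof(SECRET) - 1 &&
                 memcmp(resp + off, SECRET, sizeof(SECRET) - 1) == 0;
    }
    free(resp);
    return leaked;
}

int main(void)
{
    printf("honest request (claims 5):    unchecked leaks=%d  fixed leaks=%d\n",
           leaks_secret(heartbeat_unchecked, PAYLOAD_LEN), leaks_secret(heartbeat_fixed, PAYLOAD_LEN));
    printf("malicious request (claims 60): unchecked leaks=%d  fixed leaks=%d\n",
           leaks_secret(heartbeat_unchecked, 60), leaks_secret(heartbeat_fixed, 60));
    return 0;
}
```

The honest request gets "hello" back from both handlers. The malicious one claims 60 bytes while carrying 5; the unchecked handler dutifully copies 60 bytes starting at the payload and hands back the secret that happened to follow the record, while the fixed handler drops the request because 1 + 2 + 60 + 16 is larger than the 24-byte record. A real attacker repeats this with a claimed length of 65535 as often as they like, with no trace in the server's logs.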

How to fix

Fixing the bug requires updating OpenSSL to version 1.0.1g, the release that came out with Monday's announcement. Only the 1.0.1 branch (1.0.1 through 1.0.1f) is affected; 0.9.8 and 1.0.0 never had the heartbeat extension and need no change. If your distribution backports fixes instead of shipping new upstream versions (Red Hat, Amazon Linux, Debian and Ubuntu all do), the patched package keeps its old version number, so go by the vendor's advisory or the package changelog rather than looking for the string 1.0.1g. Either way, every process that had the old library loaded keeps the vulnerable code in memory until it is restarted.

AWS Server

These instructions assume you have already set up an Amazon Linux instance and have an SSH client available.

  1. Log in to your instance via the SSH client and switch to the root user.
  2. Run the YUM update command for the "openssl" package.
  3. Press "Y" when it asks if you want to update the package.
  4. Restart every service that has the OpenSSL library loaded: httpd, and also nginx, Postfix, Dovecot or anything else on the box that speaks TLS. A running process keeps the old, vulnerable copy in memory until it is restarted, so restarting httpd alone is not enough if other services use the library. Restarting a service does not by itself prove the fix is installed, either: Amazon Linux backports the fix, so the version string still reads 1.0.1e. Check the package changelog for CVE-2014-0160 (the fixed Amazon Linux package is openssl-1.0.1e-37.66.amzn1).
  5. Generate new private keys, reissue all SSL certificates from them (including self-signed ones) and revoke the old certificates. The old private key may already have been read out of memory, so reissuing a certificate for the same key gains nothing, and do this only after step 4, otherwise the new key can leak the same way.

Summary of command line inputs

  • $ sudo su
  • $ yum update openssl
  • .....
  • $ service httpd restart

Other Software

Linking to OpenSSL is not the same as being vulnerable. Heartbleed sits in the TLS/DTLS code in libssl, so only programs that use OpenSSL to speak TLS with the heartbeat extension enabled are exposed; a program that uses only the libcrypto half (OpenSSH, for instance, which has its own protocol and is not affected) is not. Treat the list below as "check this one", not "this one is broken".

  • Apache (via mod_ssl or apache-ssl)
  • nginx
  • cURL (including php curl extension)
  • WinSCP
  • cryptozilla
  • WordPress
  • Wu-FTPd/SSL
  • RaidenFTPD for Windows
  • sNFS
  • JavaSSL
  • SSLJava
  • Samba
  • Kermit
  • Roxen Challenger
  • OpenCA
  • Postfix
  • QMail
  • SSA (Secure Sockets Agent)
  • slush
  • nsyslog
  • CashCow
  • pyCA
  • MySSL
  • M2Crypto
  • Sendmail
  • SafeGossip
  • KeyNote
  • sslproxy
  • OpenSSH
  • FISH
  • mini_httpd
  • Pavuk
  • ntop
  • start_tls-telnet
  • Fetchmail
  • Lynx
  • Courier-Imap
  • BIND
  • RubyPKI
  • TinySSL
  • XMLSec
  • OpenTSA (Open Time Stamping Authority app)
  • CSP
  • XCA
  • DelphiImport

This is not an all-encompassing list. I'll update it as I find more applications which use OpenSSL.

Secondary Impact

Most people who use the internet do not directly use any of the software above. The biggest implication of this hole is its use in Apache and nginx, which combined run about 66%[1] of all websites in the world. Any site served by an affected OpenSSL build (1.0.1 through 1.0.1f, in circulation since March 2012) could have had its server memory read by anyone on the internet, and that memory holds whatever recent visitors sent, usernames and passwords included. Nobody can tell after the fact whether a given server was actually attacked, so the safe assumption is that every password you have typed into an affected site in the last two years is exposed. Change them all, but only after each site has installed the fix and replaced its certificate: a new password sent to a still-vulnerable server can be read out just like the old one.

Popular Websites Known to be Vulnerable

  • Google (including gmail)
  • YouTube
  • Facebook
  • Yahoo
  • Instagram
  • Pinterest
  • Tumblr
  • Etsy
  • GoDaddy
  • Flickr
  • Minecraft
  • Netflix
  • SoundCloud
  • USAA
  • Box.com
  • Dropbox
  • GitHub
  • IFTTT
  • OkCupid
  • WordPress.com
  • Wunderlist

Some of these websites use 2-step authentication to verify users' identities, which makes it harder to impersonate a user with a stolen username and password, but it does not prevent it: the second factor protects only that one site. If you use the same username/password pairing in multiple locations (your email account and Facebook, say), a password leaked from one site is still good on every other site that lacks the second step.

In short: replace ALL your passwords this weekend, starting with any you reuse, and change each one once its site has patched.

 

Problems Updating Desktop Software

Many open source (i.e. free) desktop applications also use OpenSSL, and a vulnerable client can be attacked too: a malicious or compromised server can send the same oversized heartbeat to the client and read the client's memory (sometimes called "reverse Heartbleed"). This software needs to be updated as well, but the urgency is lower. The attacker first has to get you to connect to a server they control; desktop programs are shut down regularly (unlike Apache, which must be running whenever someone requests a website), which clears their memory; and what a client holds in memory is mostly content received from the server rather than a stream of other people's username/password pairs.

Also, once someone has a foothold on your computer there are far easier ways to obtain sensitive information than Heartbleed: a keylogger or screen scraper yields much more than a few kilobytes of one program's memory. You still need to update these applications, but if it doesn't happen for a week or two, you do not need to panic.

References:

  1. Netcraft's April 2014 Web Server Survey

Half of Internet Users at Risk

This weekend, the security firm FireEye revealed a flaw in Microsoft Internet Explorer that is already being exploited and that lets an attacker take over the user's entire system. Microsoft has announced it is rushing to fix the bug, though that doesn't help the 55% of internet users who use the browser to go online from their computer in the meantime.

Security Flaw Details

The flaw is a memory corruption bug: Internet Explorer can be made to use an object in memory that has already been deleted or was never properly allocated, and the exploit seen in the wild builds on that to bypass Windows' ASLR (address space layout randomization) and DEP (data execution prevention) protections. Visiting a malicious web page is enough; the attacker's code then runs with the rights of the logged-in user, which on a machine where that user is an administrator means complete control of the computer. The flaw affects all versions of IE from 6 to 11, and the attacks reported so far target IE 9, IE 10 and IE 11. For anyone who must keep using IE until the patch arrives, Microsoft's advisory (linked at the end) lists interim workarounds: install the Enhanced Mitigation Experience Toolkit (EMET), enable Enhanced Protected Mode in IE 10 and 11, or unregister the VGX.DLL (VML) library.

Windows XP Users

With the end of support for Windows XP, Microsoft has chosen to release updates for IE only for the Vista, 7 and 8 versions of Windows. That leaves about 25% of all desktop computers with no safe way to use Internet Explorer at all, and Microsoft's suggestion of upgrading to Windows 7 or Windows 8 is not an option for many of these older (though still perfectly good) machines.

Solution: Switch Browsers

If you didn't already know it, Internet Explorer is notorious in tech circles for a long record of security bugs as well as for inconsistent rendering of web designs; many web developers keep IE around only to test how their sites look in it. If you regularly use IE, you should consider switching to a more robust browser. The alternatives are just as easy to use, and generally make websites run faster while looking better.

If you do not switch browsers, DO NOT USE IE until the patch is released.

Mozilla Firefox

Firefox is the gold standard of web browsers. It is available for just about every operating system (Windows XP, Vista, 7 and 8, OS X, Linux and Android) and is FREE. There are numerous skins, plugins and extensions for Firefox, allowing you to customize everything. Its source code is open, so anyone can review it for bugs, and Mozilla ships security fixes quickly and updates the browser automatically.

Mozilla Firefox is available here.

Opera

Opera is a free web browser from Opera Software ASA of Norway. Since 2013 it has been built on the same Blink rendering engine as Google Chrome, so it has the same good support for web standards and receives the engine's security fixes, with Opera's own interface on top.

Opera is available here.

Apple Safari

Safari is Apple's own browser, included with OS X and iOS. It is free, though not open source (the WebKit engine underneath it is), and its interface has a clear Apple feel that is a little confusing for Windows users at first. Apple shipped a Windows version for a while but discontinued it in 2012 and no longer issues security updates for it, so it is not a safe replacement for IE on Windows: use it on a Mac, not on a PC.

Apple Safari is available here

Google Chrome

Chrome is the Google alternative to Internet Explorer. I generally do not recommend Google products not associated with the search engine because of Google's tracking and lack of user control, but Chrome is an improvement over IE. Chrome is generally considered one of the fastest web browsers, has good adherence to web standards, runs each web page in a sandboxed process so that a bug in the page renderer does not immediately give an attacker the whole machine, and updates itself silently.

Google Chrome is available here

 

Conclusion

If you are still using Internet Explorer, this is a great reason to switch. Once you make the change, you will be happy. For those concerned about making the transition, contact us and we can go through everything needed to make the change.

Microsoft Security Advisory 2963983: https://technet.microsoft.com/en-us/library/security/2963983.aspx