In Atlanta, a tax return for U.S. Attorney General Eric Holder was filed by a Wal-Mart associate and his high school buddy. The return, filed last year, bore Holder’s name, Social Security number and date of birth. The pair bought Holder’s information from a black market website, which they used to process a large number of fraudulent returns.
This incident reflects an alarming truth: identity theft is an exploding epidemic — not even the nation’s highest law enforcement official is safe from it.
A major security flaw in the way a large segment of the Internet processes secured transmissions may be fueling the current identity theft situation. A coding error in the encryption mechanism used by two-thirds of the Internet’s web servers — including those used by Yahoo!, Google, Microsoft and Facebook — has left secured data flows open to hackers. This has potentially exposed millions of passwords, credit card numbers and other pieces of personally identifiable information to undetectable outside surveillance.
This threat, known as “Heartbleed” or CVE-2014-0160, is particularly worrisome because it went undetected for more than two years. “Heartbleed,” a coding error in the open-source OpenSSL library, creates an opening in SSL/TLS (Secure Sockets Layer/Transport Layer Security) — the cryptographic protocol that provides data confidentiality and message authentication for HTTPS requests — that allows a third party either to “snoop” on a supposedly closed or “locked” data conversation or to capture the keys that unlock the conversation, without being detected.
“Locked” conversations are indicated by a closed padlock icon to the left of the URL on a browser’s address bar.
“Heartbleed”
The breach works by reading the server’s memory directly, which the “Heartbleed” flaw makes accessible and addressable. The flaw was introduced with the implementation of OpenSSL’s heartbeat extension — hence the name “Heartbleed.” In this “hunt-and-peck” style of web hacking, only 64 kilobytes of RAM data is retrieved per attempt, so the hacker would have to strike the same server repeatedly, changing the memory address for each strike. Should a strike land at the same time a user submits a password or other information to the server, and if the submitted information is held in the targeted memory block, the strike “captures” that information and sends it back to the hacker.
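The root cause described above is a missing bounds check: the heartbeat handler trusted the length field inside the request instead of comparing it with the number of bytes actually received. The following C program is an added illustration, not OpenSSL’s own code. It simulates a small server memory arena (constructed for this example) in which a heartbeat record is followed by an unrelated secret string, and runs both a handler with the defect and a handler with the check that the fixed OpenSSL release added. The arena layout, the `SECRET` string, the 253-byte reply cap and all function names are assumptions made for the demonstration; the wire layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated server memory (constructed for this example). The heartbeat
 * record is placed at the front; unrelated data sits right behind it, as
 * it might on a real process heap. */
#define ARENA_SIZE 256
#define REPLY_CAP (ARENA_SIZE - 3)   /* keeps every read inside the arena */

static const char SECRET[] = "session-cookie=DEMO-NOT-REAL";  /* constructed */
static unsigned char arena[ARENA_SIZE];
static unsigned char reply[REPLY_CAP];

/* Lay out one heartbeat request whose header claims `claimed` payload bytes
 * but which really carries one payload byte plus 16 bytes of padding.
 * Returns the number of bytes genuinely received. */
static size_t build_arena(uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed >> 8);       /* payload_length, big-endian */
    arena[2] = (unsigned char)(claimed & 0xff);
    arena[3] = 'A';                                 /* the only real payload byte */
    size_t record_len = 3 + 1 + 16;                 /* header + payload + padding */
    memcpy(arena + record_len, SECRET, sizeof SECRET);  /* unrelated memory */
    return record_len;
}

/* Defective handler: echoes `claimed` bytes without consulting record_len,
 * so it reads past the end of the record into whatever follows it. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t cap) {
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    (void)record_len;                               /* the bug: never checked */
    if (claimed > cap) claimed = (uint16_t)cap;     /* demo-only clamp */
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Fixed handler: the claimed payload plus header and minimum padding must
 * fit inside the record actually received; otherwise discard silently. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t cap) {
    if (record_len < 1 + 2 + 16) return 0;          /* too short to be valid */
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    if ((size_t)1 + 2 + claimed + 16 > record_len) return 0;
    if (claimed > cap) return 0;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Number of bytes the chosen handler echoes for a request claiming `claimed`. */
size_t echoed_length(int fixed, uint16_t claimed) {
    size_t record_len = build_arena(claimed);
    return fixed ? heartbeat_fixed(record_len, reply, sizeof reply)
                 : heartbeat_vulnerable(record_len, reply, sizeof reply);
}

/* 1 if the echoed reply contains the secret that lives behind the record. */
int secret_leaked(int fixed, uint16_t claimed) {
    size_t n = echoed_length(fixed, claimed);
    size_t m = sizeof SECRET - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(reply + i, SECRET, m) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claims 200 bytes: echoed %zu, secret leaked: %d\n",
           echoed_length(0, 200), secret_leaked(0, 200));
    printf("fixed,      claims 200 bytes: echoed %zu, secret leaked: %d\n",
           echoed_length(1, 200), secret_leaked(1, 200));
    printf("fixed,      honest 1 byte:    echoed %zu\n", echoed_length(1, 1));
    return 0;
}
```

The honest request (one payload byte, length field 1) is served identically by both handlers; only the inconsistent request, whose length field exceeds the record, separates them, and the fixed handler drops it rather than answering, which is also why a patched server cannot be distinguished from an unpatched one by its normal traffic alone.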
This is problematic, as “Heartbleed” presents a potential way for potential data thieves to overcome established mechanisms for data protection, including virtual private networks, cloud applications and layered security encryption. For the billions potentially targeted and compromised by this flaw, the existence of “Heartbleed” — along with the major consumer data thefts from Target and other retailers and disclosures of the federal government’s alleged widespread surveillance of electronic communication — bears the inference that personal privacy and personal security are ideals that are not necessarily borne in reality.
“I don’t think anyone that had been using this technology is in a position to definitively say they weren’t compromised,” said David Cartier, chief executive of Codenomicon, the firm that co-discovered the threat independent of the Google researcher that also found the code error.
The enormity of the problem
While a version of OpenSSL has been released with the security flaw resolved, resolving the problem the flaw has created will not be as easy as installing a software patch. While many major websites have already resolved the security issue, smaller web services cannot easily afford to convert their SSL/TLS applications and replace their security certificates and keys. This may cause a lag in the time it takes for certain services and e-commerce vendors to become security-compliant. This would lead to customers being unable to change passwords or credit card numbers without exposing the new information to the same security hole.
Additionally, servers that patch their version of OpenSSL without changing their private keys run the risk of having their sites impersonated. Because the keys are used to verify the trustworthiness of a secure site, a stolen key can be used to create a “ghost” copy of a site that passes for the original, leading to further security vulnerabilities. Servers that do not use “perfect forward secrecy” — the generation of single-use session keys — are also in danger of having previously captured streams of encrypted data decrypted after the fact, which increases the potential for future fallout.
Finally, because OpenSSL is a code library, or a collection of related pre-written computer procedures, it may not be immediately apparent to the end-user that the product he or she is using contains OpenSSL code. As more than 66 percent of the world’s servers use operating systems or services that utilize the OpenSSL library, this ambiguity may delay the implementation of available remedies.
Measuring the impact
As there is no way to ascertain exactly how much information has been leaked through the “Heartbleed” exploit, the economic and personal toll of this security fault may not be known for years.
“OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet,” wrote Codenomicon on its “Heartbleed” advisory page. “Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.
“Many of online services use TLS to both identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.”
While certainly the biggest, “Heartbleed” is only the latest in recent computer security exploits. Last month, developers of the GnuTLS library disclosed a major security bug that left hundreds of open-source software applications — such as certain versions of the operating system Linux — open to memory exploits similar to “Heartbleed.” In February, Apple corrected an iOS and OS X vulnerability that allowed hackers to bypass and ignore HTTPS protections.
Users are advised to change their passwords and confidential information for all websites, but only after verifying that the web service is HTTPS-compliant.