The so-called “heartbleed bug” is apparently worse than an epidemic. It isn’t just going around; everyone’s already got it. The tiny yet massive flaw is in the popular security library OpenSSL. This is apparently a week for irony.
OpenSSL is used by a vast array of Linux-based servers and other devices (routers, switches, firewalls, VPNs, even phones), and by giant everyday companies like Yahoo, to make the infrastructure we use every day more secure. It’s a library that handles the nuts and bolts of encrypting and decrypting stuff. But it’s not the encryption that was broken. Nor is it bad guys social engineering their way past gullible call center employees, or hacking into point-of-sale machines to collect credit card info. And it’s not silly users opening obviously malicious attachments to zombify their computers.
Apparently, by tickling it the right way, evildoers sitting anywhere on the internet can get unpatched OpenSSL/TLS implementations anywhere else on the internet to hand back actual blocks of the system’s memory buffers: blocks of memory that can include stuff like usernames, passwords and even private cryptographic keys, all sorts of scary information. Seriously?
In other words, you know all those people who diligently kept their servers’ OpenSSL up to date to keep up with the latest in security and defend their data against the world’s hackers? Well, every single one of them (possibly including the author of this blog) has apparently, security-wise, been unknowingly wearing a backless hospital gown and no underwear for as long as two years. And we have no idea if anyone took any pictures.
So in April 2014, we learned that security actually made us less secure. Making up for that hit to the technological psyche may be harder than fixing the bug. That and having to look at this tacky ‘heartbleed’ image (left) for the next month.
After I finish changing the 9,235 usernames and passwords I have accumulated after two and a half decades on the internet (ok maybe I exaggerated that by a few dozen), I think I’m going to go buy a strongbox, fill it with gold coins, bury it in the backyard, and draw a treasure map.
I read elsewhere that only the first session to hit the library has a chance to do this.
Wait, the security industry wouldn’t cry wolf, would they? It seems like every month there’s some new “OMFG, SHIT HAS HIT THE FAN!!!oneoneone” moment and NOTHING happens.
I heard the first session to hit the server was the only one able to read the private key. But later hits get recent logins and such. But it’s all third hand I think at this point.
WSJ: Cisco & Juniper routers, vpns, etc sheesh. http://online.wsj.com/news/articles/SB10001424052702303873604579493963847851346?mod=WSJ_hp_LEFTWhatsNewsCollection&mg=reno64-wsj
I get my MX480s at Best Buy, don’t you?
Radio Shack…