You may have seen on tech news, the web, or even mainstream news at the moment something called ‘Heartbleed’.  Here at BirchenallHowden, we are being asked about it by many of our clients. So below we have detailed what this story is all about, the risk it could pose to you personally, and most importantly what you need to do about it, all from resident ICT Consultant Jonathan Ford (@fordieis). If you don’t want to read the technical stuff then just skip straight down to “So what do I need to do about it”.

An Overview

Heartbleed is the nickname for a flaw that has been exposed in ‘OpenSSL’; an open-source cryptographic protocol which is an encryption method used for a lot of the secure communications on the Internet. This flaw was first exposed on Monday this week, but has reportedly been a potential issue for a couple of years.  It has impacted a huge number of websites such as social media, online banking etc. as well as email systems, instant message programs and potentially VPNs (Virtual Private Networks) that use Open SSL to encrypt communications.

The Geeky Bit

Heartbleed essentially works like this; if you have logged into a website (let's say your online banking) every so often, one computer (let’s say yours) will attempt to check if another computer is connected at the other end of its OpenSSL secure connection (your encrypted session with your online banking website). It will send out what is called a heartbeat that will ask for a response from the destination computer to verify it's still there, and hasn’t been disconnected.  This heartbeat is a message made up of a few parts sent by you to the receiving computer (the online banking website) saying “This is a heartbeat that contains X amount of data (for example 64KB)” along with the 64KB it said it would send, called the payload. The online banking website then sends back to you the same 64KB of data you sent it by way of response, to verify that the two computers are still connected.

The researchers who discovered the Heartbleed flaw in OpenSSL have found that as a heartbeat can be sent anonymously, and that a payload does not have to match what your computer said it was going to send, they can essentially trick any server that is still open to the threat. They can get it to send back unencrypted data which would normally be encrypted. It is then possible to piece the unencrypted data back into usernames and passwords.

For example, if your computer stated in its heartbeat that you were going to send 64KB of data but only actually send 1KB of payload data, the responding computer will send back 64KB of unencrypted data. This will be made up of the 1KB you sent but then an extra 63KB. This extra 63KB is unfortunately made up data that comes from the responding server’s OpenSSL memory cache and will contain whatever memory was nearby in the server at the time of the request. This is where it gets the name “Heartbleed”, as the responding computer is essentially bleeding memory through heartbeat requests.

If an attack is performed it's not possible to choose what data you get back from the server when making the attack, but if repeated enough times, eventually something of use may come back to the Heartbleed attackers i.e. usernames and passwords.

This flaw essentially comes down to a coding error, as the computer that receives the heartbeat just needs to check that the payload actually received matches the stated data amount. If in this example less than 64KB is received, the responding computer just needs to reject that request.

Does this really matter?

In short, yes! The flaw is being considered one of the largest security issues the Internet has seen to date, and has become particularly prevalent as a lot of websites use OpenSSL. It is the default option in Apache, the most commonly used platform for hosting websites, leaving them, and in turn their users, exposed to attack.  What’s more, nobody really knows how long hackers have known about this security flaw. It could be months or even years...

There is a hotfix for Heartbleed that has been released using the aforementioned checking process, so affected servers are being patched to update and deal with the issue. It will take time for all affected servers to be patched though, due to sheer volume.

Which websites does it affect?

Due to the wide spread use of OpenSSL, the majority of websites will be affected. There are lists being compiled online detailing which large websites are affected (like this one from Mashable).

As of Wednesday this week Google, Amazon and Rackspace (among others) issued a statement to advise that they had patched their servers from the attack.

Microsoft have advised that "most" Microsoft Services were not affected by the OpenSSL vulnerability, as they use their own implementation of SSL/TLS which was not affected.

So what do I need to do about it?

The obvious answer would be to change your password right away and consider yourself safe, however if you do that on a server still affected by Heartbleed then you are no better off as the server is still prone to attack.

Therefore we would advise you to change all your passwords now and then again in a week or so once the vast majority of servers have been patched.  Painful, we know!

BirchenallHowden have taken the action to patch our web hosting servers where applicable, and would advise any clients who use BirchenallHowden Hosting Services to change their password via their website management portal.

If you want to discuss any of the above with us or want more information, please do just drop us a line.