Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Who's to blame for 'catastrophic' Heartbleed Bug?

Ellen Messmer | April 11, 2014
German software engineer steps forward to take blame for OpenSSL mistake, but issue goes wider

The Heartbleed Bug, basically a flaw in OpenSSL that would let savvy attackers eavesdrop on Web, e-mail and some VPN communications that use OpenSSL, has sent companies scurrying to patch servers and change digital encryption certificates and users to change their passwords. But who's to blame for this flaw in the open-source protocol that some say also could impact routers and even mobile devices as well?

A German software engineer named Robin Seggelmann of Munster, Germany has reportedly accepted responsibility for inserting what experts are calling a mistake of catastrophic proportions into the open-source protocol OpenSSL used by millions of websites and servers, leaving them open to stealing data and passwords that many think has already been exploited by cyber-criminals and government intelligence agencies.

"Half a million websites are vulnerable, including my own," wrote security expert Bruce Schneier in his blog, pointing to a tool to test for the Heartbleed Bug vulnerability. He described Heartbleed as a "catastrophic bug" in OpenSSL because it "allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software." It compromises secret keys used to identify service providers and encrypt traffic, he pointed out. "This means anything in memory--SSL private keys, user keys, anything--is vulnerable."

The Heartbleed Bug was discovered by security analysts from Google and Codenomicon and disclosed by the OpenSSL open-source group on April 7 as an OpenSSL Advisory and a fix prepared by OpenSSL open-source contributors Adam Langley and Bodo Miller. Across the world, companies and vendors have been scrambling to either patch their systems or assure users that their services weren't using OpenSSL.

Microsoft for example, issued an advisory that "Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability."

But Microsoft added, "However, if you are using Microsoft Azure's IaaS to host linux images, then you should make sure that your OpenSSL implementation is not vulnerable."  

Twitter also said its services weren't impacted by Heartbleed. However, websites including Yahoo Mail, Yahoo Messenger and others were impacted. As news stories about the Heartbleed Bug filled the news, there was widespread concern and bewilderment in the general public, and it wasn't uncommon to hear the problem described by people as a computer virus, rather than a software flaw.

Mobile security firm Lookout Security said its main website wasn't impacted by the Heartbleed Bug but some of its other Internet-facing infrastructure was. Lookout was busy patching systems and swapping out digital certificates. Lookout also believes that not just server but client software also may face Heartbleed vulnerabilities, including Android mobile devices.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.