Can tech-savvy Susanites help me sort out this Heartbleed stuff?

Started by suzifrommd, April 11, 2014, 09:20:27 AM


suzifrommd

OK. This is my (total layperson's) understanding of what Heartbleed does:

It allows someone to get a small RANDOM chunk of memory from an affected system. I.e., you can't ask for "give me the place where the passwords are stored". You can only ask "Give me a small chunk of memory." Then you'd have to examine it for possible passwords that might be in it. Of course you could get as many chunks as you want, but unlike the theft of credit cards from Target, for example, the information is not in a form where password data could be extracted without substantial effort.

Based on that, it's a long shot that someone has extracted huge amounts of usable password data.

Can someone who really knows how this works please confirm or contradict this?
Have you read my short story The Eve of Triumph?

Beverly

I have just checked a number of our systems for this bug. All are clear except one which I patched this morning.

This affects a piece of security software that is quite old, but only the version of it that was released about 2 years ago (OpenSSL versions 1.0.1 - 1.0.1f). The previous release 0.98 and the latest releases 1.0.1g and 1.0.1-4 are all OK. Any server running this version of the software is vulnerable because a method exists that allows people to return the sections of the server memory where plain text passwords are encrypted, so the attacker can see the plain text and keep it.

It is hard to determine if anyone actually did this. Because many servers run other versions of OpenSSL they are not affected, but some may have run it and upgraded out of it, or might have run ver 0.98 for the last 23 months and only upgraded to 1.0.1 last month. As a result it is very difficult to know which servers are affected. In my case, all our machines were running 0.98 and are unaffected except the new one that I patched today.

So, the upshot is that the advice is to be safe rather than sorry. Many people use the same password on lots of internet accounts so if your password was extracted on a vulnerable machine then some could have access to all other accounts of yours that use that password.

The big fuss is because SSL is a base technology on which internet security is built so a flaw in OpenSSL is a big deal.

CaitlinH

Today's XKCD comic gives a pretty good overview of how it works: http://xkcd.com/1354/

The way you described it is accurate, the information you get through Heartbleed is just a random amount of information in the server's memory. The problem with it is that those memory dumps can include sensitive data such as unhashed passwords and unencrypted credit card details.

Basically there's nothing that you can do as a regular user of the web about this apart from changing passwords and being alert when it comes to checking bank statements. The onus on preventing potential Heartbleed data leaks is on the administrator patching OpenSSL if their site runs it.

suzifrommd

OK. I've done a bit of reading about how Heartbleed works. I'm far from an expert, but for the curious, I'll put my teacher hat on (something I do from time to time).

One of the patterns by which a network server communicates is called a "heartbeat". A heartbeat is a request where some remote computer asks the server for a certain number of bytes of a certain type of information.

(A byte is an amount of information roughly equal to a single letter in a word. E.g. the word "Trans" requires about five bytes to store.)

The software on the server takes a free piece of computer memory (we call this allocating memory), writes the information in that memory, and then sends it back to you. There's no problem with that. The information is commonplace and not dangerous.

But suppose I ask for 100 bytes of information, but I tell the software it's 1,000 bytes long? The software allocates 1,000 bytes, writes the 100 bytes you're asking for, and the remaining 900 are left unchanged.

The problem comes because when the system allocates memory, it doesn't clear the memory. So those 900 bytes will contain whatever was in that memory when it was last used by the computer. Understand that computer memory is kind of like a scratch pad - it's used to store instructions or data, so this could be anything. It could even be a password that's been written somewhere in memory later to be encrypted and sent safely across the Internet.

But it's far more likely to have, basically, garbage, that is not helpful and not useful.

Could someone get a password from this?

I suppose if you sent out tons of heartbeats and accumulated trillions of bytes of data, there will probably be a few passwords in there. I shudder to think of the data mining effort necessary to find them. It MIGHT be possible. I suppose if you knew that a particular server program always stored a password in a context that looked a certain way, one could write software to search for that pattern and extract the password from all the random bits of information they received.

Of course the password wouldn't be enough. You would need software that could extract the user name as well. I think that capability requires substantial engineering skills and is probably beyond the abilities of most hackers.

Once you have that information, you have to do a lot of work to figure out if it's useful. It's far more likely to be some 12-year-old's twitter account than a billionaire's bank password.

I'll make a leap here, and say that this would not interest most hackers. Hackers want information they can turn into money quickly. Hard for me to imagine they're interested in information that requires a skilled software engineer to extract and once extracted, requires labor intensive human verification of its value.

I'm going out on a limb to say that the commotion about Heartbleed and the media frenzy about how "everything has been compromised, everything is insecure" is considerably overblown.

Disclaimer: Please do not interpret this as advice. It's just the musings of someone who is not an expert, just a pipsqueak random schoolteacher, so I can't be responsible for actions you take or don't take based on what I'm saying here.
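The heartbeat walk-through above, and the later point about searching leaked bytes for a recognisable pattern, are easier to see in code. The C below is an added example, not code from this thread and not OpenSSL's own source. It models the shape of the OpenSSL 1.0.1 bug (CVE-2014-0160): the payload length is read from the attacker's packet, and memcpy copies that many bytes starting at the received record, running on into whatever else sits in nearby memory. The "heap" here is a single static array so that the over-read is deterministic and stays inside one buffer; the login form body planted in it is a constructed sample, and the record layout is simplified (type byte, 2-byte length, payload, 16 bytes padding). The fixed handler applies the same bounds check OpenSSL 1.0.1g added: if the claimed length does not fit in the record actually received, the request is silently discarded.

```c
/* Constructed model of the OpenSSL heartbeat over-read and its fix. Not OpenSSL code. */
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING     16      /* heartbeat records carry at least 16 bytes of padding */
#define ARENA_SIZE  4096

/* One block of process memory. The received record lands at the start; leftovers from
 * an earlier request (a constructed login body) sit a little further along. */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "POST /login user=alice&password=hunter2 ";  /* constructed sample */

static void reset_arena(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena + 600, SECRET, sizeof SECRET - 1);   /* stale data from a previous request */
}

/* Build a heartbeat request that claims `claimed` payload bytes but carries only `actual`.
 * Returns the number of bytes actually "on the wire". */
static size_t build_request(unsigned char *buf, unsigned int claimed, size_t actual) {
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memset(buf + 3, 'A', actual);
    memset(buf + 3 + actual, 0, PADDING);
    return 3 + actual + PADDING;
}

/* Vulnerable handler: trusts the length field in the packet, as OpenSSL 1.0.1 - 1.0.1f did.
 * Keep `claimed` below ARENA_SIZE - 3 in this demo so the over-read stays inside the arena. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    unsigned int payload = (rec[1] << 8) | rec[2];   /* attacker-controlled */
    (void)rec_len;                                    /* never consulted: this is the bug */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* copies past the record into neighbouring memory */
    memset(out + 3 + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

/* Fixed handler: the bounds check added in OpenSSL 1.0.1g. Returns 0 (discard) when the
 * claimed payload does not fit inside the record that was actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + PADDING) return 0;
    unsigned int payload = (rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)payload + PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

/* Naive pattern scan over leaked bytes, the kind of search an attacker would run across
 * many responses. Returns the offset of the first match, or -1. */
long find_pattern(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return (long)i;
    return -1;
}

/* Send one request claiming `claimed` bytes (carrying 5) through a handler;
 * returns the response length written to `resp`. */
size_t run(size_t (*handler)(const unsigned char *, size_t, unsigned char *),
           unsigned int claimed, unsigned char *resp) {
    reset_arena();
    size_t rec_len = build_request(arena, claimed, 5);
    return handler(arena, rec_len, resp);
}

int main(void) {
    static unsigned char resp[2048];
    size_t n = run(heartbeat_vulnerable, 1000, resp);
    printf("vulnerable: %zu bytes returned, 'password=' at offset %ld\n",
           n, find_pattern(resp, n, "password="));
    n = run(heartbeat_fixed, 1000, resp);
    printf("fixed: %zu bytes returned (0 means the request was discarded)\n", n);
    return 0;
}
```

With a claimed length of 1000 and 5 real bytes, the vulnerable handler hands back 1019 bytes and the planted login body appears in them at a predictable offset; the fixed handler returns nothing. A claimed length that matches the real payload passes the check in both versions, which is why the fix broke nothing for legitimate clients.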

Beverly

Quote from: suzifrommd on April 11, 2014, 12:07:15 PM
I'll make a leap here, and say that this would not interest most hackers. Hackers want information they can turn into money quickly. Hard for me to imagine they're interested in information that requires a skilled software engineer to extract and once extracted, requires labor intensive human verification of its value.

These days, many "usernames" are email addresses and many people use the same password across many systems. The upshot is that if you get a username and password group for someone you can try it everywhere. Start with Amazon... it is amazing what you can order from Amazon and it is even better if you have one-click ordering enabled. Try Yahoo which is very hijackable at the best of times - once you have an email account you can scan it and harvest other emails and then go to those and request new passwords and you will get access to everything. You now might have access to enough information to take over that person's identity. If someone got access to a person's stocks and shares account online it could get very, very messy.

I have seen people routinely email usernames and passwords to each other for accounts at work. That means that businesses are now exposed because the employee's security is non-existent. We hold passwords and mail accounts for hundreds of local businesses. The bad guys would LOVE to get access to that part of our systems.


Quote from: suzifrommd on April 11, 2014, 12:07:15 PM
I'm going out on a limb to say that the commotion about Heartbleed and the media frenzy about how "everything has been compromised, everything is insecure" is considerably overblown.

Somewhat, but why take the risk? Nobody knows if the bad guys knew about this, that is the problem. It is alright saying everything is overblown until it is YOUR bank account that gets emptied and YOUR identity that gets hijacked.

suzifrommd

Quote from: provizora3 on April 11, 2014, 12:23:59 PM
Somewhat, but why take the risk?

Good point.

The way I see it, every time I enter a password into a prompt over the internet, I'm taking a risk. There is malware out there far more precisely targeted than Heartbleed, and I'm far more likely to lose my password to those.

So I should do what? Change all my passwords every time I hear of new malware? Or every time I realize there could be malware that I haven't yet heard about? Or every time I use a computer with malware on it (which would be several times a day, because basically no systems are free of it)?

To keep myself from changing passwords pretty much continuously, I assess the risk. I ask, "Is the risk worth the effort I'd put into it? How likely is it that someone can learn enough to enrich themselves by compromising my personal information?"

If I didn't do that, I'd spend 23 1/2 hours a day changing passwords (or looking up new passwords I'd forgotten because I changed them recently) and have only a little bit of time left over for other stuff, like having an actual life.

That's why I personally took it upon myself to understand what Heartbleed really is, and did my own risk assessment. Having done that, I thought it would be a service to the busy members of this site to relate what I found in plain language.

Lisa55

Not advice but...

Just because you change your passwords today doesn't mean they won't be compromised tomorrow on a system that hasn't been patched yet. The big hoo-ha about it is good because it gets management onside to patch/check the systems, but it will be some time before many are patched, and probably some won't ever be, and will be there until they naturally disappear off the internet.

So about all you can do is not use the same password everywhere and hope for the best.