

Monday 21 April 2014

'Oversight' caused the Heartbleed error, says its developer



Robin Seggelmann, a programmer based in Germany, submitted the code in an update at 11:59pm on New Year's Eve, 2011. It was supposed to enable a function called "Heartbeat" in OpenSSL, the software package used by nearly half of all web servers to enable secure connections.
He says the "Heartbleed" vulnerability in the open-source code used by thousands of websites was an "oversight", but that its discovery validates the open-source methods used.

His update did enable Heartbeat, but an "oversight" also created the "Heartbleed" vulnerability, which has been described as a "catastrophic" flaw that laid the contents of thousands of web servers open to hackers.
Seggelmann worked on the OpenSSL project during his PhD studies, from 2008 to 2012, but isn't involved with the project any more.

The flaw has also been discovered in Cisco and Juniper routing gear, which could mean that hackers could capture sensitive data such as passwords passing over the internet.

He said that the mistake has nothing to do with its festive datestamp. "The code… was the work of several weeks. It’s only a coincidence that it was submitted during the holiday season.

"I am responsible for the error," he continued, "because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version."

Open source

OpenSSL is an open-source project. The software is developed by a small community of engineers, giving their time for little or no reward, and releasing it free of charge to anyone who needs it.
For security software, that model is typically seen as advantageous, because the more people examine a line of code, the more chance there should be of some weakness coming to light. Additionally, it prevents "security by obscurity", whereby the bulk of the protection comes from people not knowing how the security software works – which can result in the whole edifice tumbling down if that confidential information is released or discovered externally.

Instead, Seggelmann blamed the lack of resources that OpenSSL has to work with. "OpenSSL is definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project."

How Heartbleed works

The flaw which actually leaks data in the Heartbleed bug is almost painfully simple.
It relates to a function called Heartbeat which exists in "Transport Layer Security" (TLS), the system used to protect confidential data when surfing the web. Heartbeat is used to keep connections open, even when no data is being shared.

When it works properly, a user's computer sends a Heartbeat packet to the server. The packet simply contains a chunk of random data, and a note saying how much data it's sent; the server receives the packet, and then sends back exactly the same data, confirming that it's listening.
The problem which can be exploited in a Heartbleed attack involves the attacker's computer lying about how much data it has sent: it sends over a single byte of information, but tells the server that it has sent 64KB instead. The server makes a note, and knows that it has to send 64KB back, but doesn't have a full 64KB of data.

What pushes the error into a full-blown catastrophe is that the server then fills the rest of the packet with whatever other information happens to be in its memory at the time.

A computer's memory is where it stores information about the tasks it's working on, and so the data which it pulls into the Heartbleed packet is related to the other queries it's responding to. At Yahoo, that included usernames and passwords of users logging in at the same time; at DuckDuckGo, it was the full text of search queries. The researchers who discovered the bug also say it can include SSL keys, which would let an attacker decrypt conversations captured months before.
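The missing check described above, as an added example that is not OpenSSL's own code: it assumes the TLS heartbeat wire layout from RFC 6520 (a one-byte type, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding), and builds the reply from the bytes actually received rather than the length the peer claims.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Parse a heartbeat message of 'len' received bytes. Layout (RFC 6520):
 *   [type:1][payload_length:2, big-endian][payload][padding >= 16]
 * Returns the claimed payload length, or -1 when the claim does not
 * fit inside the record that was really received. */
int heartbeat_validate(const uint8_t *msg, size_t len)
{
    if (len < 1 + 2 + HB_PADDING) return -1;   /* too short for header + padding */
    if (msg[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)msg[1] << 8) | msg[2];
    /* The bounds check Heartbleed lacked: the peer's claimed length must
     * fit in the bytes we actually have, or we would read past the record. */
    if (1 + 2 + payload_len + HB_PADDING > len) return -1;
    return (int)payload_len;
}

/* Build the response into 'out' (capacity out_cap), echoing only the bytes
 * the peer sent. Returns the number of bytes written, or -1 on rejection. */
int heartbeat_respond(const uint8_t *msg, size_t len, uint8_t *out, size_t out_cap)
{
    int payload_len = heartbeat_validate(msg, len);
    if (payload_len < 0) return -1;
    size_t need = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + 3, msg + 3, (size_t)payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);  /* fresh padding, not stale memory */
    return (int)need;
}

int main(void)
{
    /* Constructed records: an honest one claims 4 bytes and sends 4 ... */
    uint8_t honest[1 + 2 + 4 + HB_PADDING] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    /* ... and a lying one sends 1 byte but claims 0xFFFF (64 KB). */
    uint8_t lying[1 + 2 + 1 + HB_PADDING] = {HB_REQUEST, 0xFF, 0xFF, 'x'};
    uint8_t out[64];
    printf("honest: %d bytes written\n", heartbeat_respond(honest, sizeof honest, out, sizeof out));
    printf("lying:  %d (rejected)\n", heartbeat_respond(lying, sizeof lying, out, sizeof out));
    return 0;
}
```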
