What we learned from the Heartbleed bug
TORONTO – It was the middle of tax season. Millions of Canadians were rushing to file their 2013 tax returns before the April 30 deadline – and then, without warning, the Canada Revenue Agency’s website went dark.
The website was one of millions affected by a severe encryption flaw now known as the Heartbleed bug.
Heartbleed would go on to become one of the biggest technology stories of the year, touching nearly every corner of the web. Major websites and services including Google, Yahoo, Instagram, Tumblr and Netflix were affected.
But Canadians were some of the worst affected by the flaw.
Roughly 900 social insurance numbers were stolen from the CRA’s website after a hacker – since identified as 19-year-old Stephen Arthuro Solis-Reyes of London, Ont. – exploited the bug, leaving hundreds at risk of identity theft.
Heartbleed affected technology called OpenSSL – a widely used open-source set of software libraries for encrypting online services.
The bug created an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic between a computer and a website is secure. This allowed hackers to snoop on Internet traffic even if the padlock was closed, leaving users’ information vulnerable.
What made it more frightening was that hackers could also grab the keys for deciphering encrypted data and leave no trace of ever being there.
The flaw was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately. The team went public with their findings on April 7, 2014. Soon experts began referring to it as one of the biggest security threats in the history of the Internet.
In the days and months that followed, website operators scrambled to patch their sites and users were encouraged to change the password to every account that may have been affected.
Though experts say we may still experience fallout from Heartbleed – as stolen user credentials start to make their way into malicious hands – steps have already been taken to make sure something like Heartbleed never happens again.
Better infrastructure is needed for open source software
Heartbleed was caused by human error.
The 31-year-old German computer programmer responsible for the flaw was fixing software bugs and adding new features to OpenSSL when he forgot to validate a variable containing a length. Simply put, it was an innocent coding flaw he overlooked.
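As an added illustration of the defect class described above (not the page's or OpenSSL's own code): a toy heartbeat-style echo handler in two versions, one that trusts the peer-supplied length field and one that validates it against the bytes actually received before copying. The record format, function names and constants are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical toy record, not OpenSSL's real format:
 *   [type:1][payload_len:2, big-endian][payload: payload_len bytes][padding: 16 bytes]
 * The responder echoes the payload back with type 2. */
#define HB_HDR_LEN  3
#define HB_PAD_LEN  16
#define HB_RESPONSE 2

static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable pattern: the length the peer wrote into the record is trusted.
 * Only the destination buffer is bounds-checked, so a record that claims more
 * payload than was received makes memcpy read past the data actually sent. */
size_t hb_respond_unchecked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN) return 0;
    size_t payload_len = hb_claimed_len(rec);
    if (HB_HDR_LEN + payload_len > out_cap) return 0;   /* protects out only */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);  /* over-read */
    return HB_HDR_LEN + payload_len;
}

/* Hardened pattern: the claimed length is checked against rec_len (header +
 * payload + padding must fit in what was received) before any copy happens. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN + HB_PAD_LEN) return 0;
    size_t payload_len = hb_claimed_len(rec);
    if (payload_len > rec_len - HB_HDR_LEN - HB_PAD_LEN) return 0;  /* the missing check */
    if (HB_HDR_LEN + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    return HB_HDR_LEN + payload_len;
}
```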
Because OpenSSL is open-source software, the project is open for developers to contribute to.
At the time Heartbleed was discovered, only 13 volunteers ran the operation and the software itself was managed by only four core programmers. The group also lacked funding to hire programmers.
But, nearly a month after the flaw was discovered, a dozen tech giants, including Google, Microsoft and Facebook, agreed to donate $100,000 a year for three years to help fund open-source software programs, starting with OpenSSL.
According to OpenSSL team member Steve Marquess, various funding projects have allowed the team to dedicate two key members to work full time on OpenSSL issues.
“Two full time positions is still less than we’d like and less than what I think is necessary,” Marquess told Global News. “Ideally I’d like to see a half-dozen dedicated resources.”
Marquess said thanks to donations from multiple sources, including tech companies like Smartisan, Nokia and Huawei, the team was able to finance a third full-time position for OpenSSL.
“Following our recent first ever face-to-face team meeting, the team decided on a comprehensive plan for systematic overhaul and improvement of the OpenSSL code base. That effort will be occupying much of our time in 2015, and would not be possible without these new manpower resources,” he said.
But cyber security expert Chris Parsons said that while the addition of full-time developers working on OpenSSL is a welcome development, it won’t necessarily prevent another Heartbleed from happening.
“OpenSSL and programs like it are critical infrastructure – putting more eyes on it can only help,” Parsons said. “But just because they hired more people doesn’t mean there will ever be another mistake again. Mistakes could easily happen in the future.”
Users need to take matters into their own hands
Parsons warned that the fallout from Heartbleed may not be over for web users.
We still don’t know just how much information was stolen or accessed as a result of the bug. Stolen login credentials and user information are likely to be leaked by hackers, putting users at risk of additional hacks.
The problem is hackers could leak this information at any time.
“If logins and passwords were successfully extracted – and I’m willing to say 99.9 per cent of people haven’t changed all of their passwords – people still could be affected,” he said.
“Even if you change your password, the way that you built your new password can be built by hackers and tried against you.”
For their own part, Parsons said, users should make sure they apply security patches for web browsers and operating systems as soon as they are available. Additionally, users should practice better password security.
“Always expect at some point, possibly through no fault of your own, you will be compromised,” Parsons warned.
“Then think, ‘What would I do if my personal information was leaked?’ Thinking before these things happen can help you come up with a recovery strategy.”
© 2014 Shaw Media