
Monday, 14 April 2014

The Heartbleed Bug, gone in a heartbeat.

There is a hole in the heart of Internet security which has the potential to expose countless encrypted transactions.  It’s been named the Heartbleed Bug.  The bug was accidentally incorporated into OpenSSL in late 2011.  OpenSSL is an open source library that many software developers use to implement SSL/TLS encryption to provide security and privacy for communications over the Internet.

So how does it work?
When you connect to a secure Internet site to access your email, social media account, or Internet banking, the server you connect to will send back what is called a ‘heartbeat’, and just like your heartbeat it is how your computer and the server stay connected whilst you are logged in.  This heartbeat is used so that the server knows that you are still there and wishing to connect to your online account.  Once you log out this heartbeat stops meaning the server then knows that there should no longer be a connection and so your online account is no longer accessible.

The heartbeat is a very small message, but by using the bug an attacker may be able to get access to more of the memory of the web server than it should, and this memory may contain sensitive information useful to an attacker.  This might include usernames and passwords, session keys or even the web server’s private key.
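To make the over-read concrete, here is a small Python simulation of the heartbeat record handling described above, written for this post and not taken from OpenSSL. It uses the RFC 6520 layout (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) and contrasts a handler that trusts the length field with one that first checks the claimed length against the bytes actually received, which is the class of check the OpenSSL fix introduced. The process memory, the "secret" string next to the record, and the record contents are all constructed for the example.

```python
"""Simulated TLS heartbeat handling (RFC 6520: type, 2-byte payload_length,
payload, >=16 bytes padding).  Constructed teaching example; the buffer and
records below are invented and this is not OpenSSL's code."""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16   # RFC 6520 requires at least 16 bytes of random padding
HEADER = 3         # 1 byte type + 2 byte payload_length


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request.  claimed_length lets a test construct a
    record whose length field disagrees with the bytes actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(buffer: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trust payload_length and copy that many bytes from
    where the payload starts, even when that runs past the end of the record
    into whatever else sits in the buffer."""
    _hb_type, payload_len = struct.unpack("!BH", buffer[:HEADER])
    payload = buffer[HEADER:HEADER + payload_len]   # may read neighbouring memory
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def respond_checked(buffer: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: the request is silently discarded unless the
    claimed payload plus minimum padding fits inside the received record."""
    if record_len < HEADER + MIN_PADDING:
        return None                                  # too short to be a heartbeat
    hb_type, payload_len = struct.unpack("!BH", buffer[:HEADER])
    if hb_type != HB_REQUEST:
        return None
    if HEADER + payload_len + MIN_PADDING > record_len:
        return None                                  # length field lies: drop it
    payload = buffer[HEADER:HEADER + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


# Constructed process memory: the record is followed by data the server never
# meant to send (an invented session cookie).
SECRET = b"session=cafe0123; user=alice; "
GOOD = build_heartbeat(b"ping")                       # length field matches
BAD = build_heartbeat(b"ping", claimed_length=40)     # claims 40 bytes, sends 4


def leaked_beyond_record(record: bytes) -> bytes:
    """Bytes from outside the record that an unchecked server would echo back."""
    memory = record + SECRET
    resp = respond_unchecked(memory, len(record))
    payload = resp[HEADER:-MIN_PADDING]
    in_record = len(record) - HEADER
    return payload[in_record:] if len(payload) > in_record else b""


if __name__ == "__main__":
    print("unchecked leak:", leaked_beyond_record(BAD))       # part of SECRET
    print("checked result:", respond_checked(BAD + SECRET, len(BAD)))   # None
    print("checked good:  ", respond_checked(GOOD + SECRET, len(GOOD)))
```

The check is deliberately against the length of the record that arrived on the wire, not against the length field inside it: the field is attacker-controlled data, the record length is something the receiver measured itself.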

So am I affected and what should I do?
This is a hard question to answer.  If a web site uses an old version of OpenSSL, it is not affected.  Even if it does use the vulnerable version of OpenSSL, an attacker would have to be using the bug at exactly the time you are using the site to be able to grab your credentials.  The best we can say is that it's possible that you have been directly or indirectly affected.  Unfortunately the Heartbleed bug leaves no trace of exploitation, so you are unable to see if it has been used against you.

The best thing for us all to do is change our passwords if our provider tells us that they were exploited.  It might even be a good idea just to change all those old passwords that you’ve been using for years, just in case.  Here are some tips for creating a secure password:
·         Be a minimum of 8 characters long
·         Use upper and lower case letters
·         Substitute numbers or symbols for letters
·         Do not use simple personal information (e.g. birthdays, kids' names, pet names)
·         If you keep a written copy of your passwords, use an encrypted method of accessing them, not a note in your wallet.
·         An easy thing to remember is a phrase: try abbreviating the phrase and using the first letter of each word as your password.  Adding numbers can make this harder to guess.

The OpenSSL team have created a fix and this is being rolled out across the Internet to correct the bug.

How can I find out if my website is affected?
A useful tool for checking a web site's SSL/TLS configuration is https://www.ssllabs.com/ssltest/

I would like more information on Heartbleed and its effects.
Here are some places to look for more information.

Providing detailed information on Heartbleed and detailed Q&A
The Heartbleed Hit List: The Passwords You Need to Change Right Now
How Heartbleed Works: The Code Behind the Internet's Security Nightmare

Sarah Taylor
www.cqr.com

Friday, 15 November 2013

Balkanization of the Internet

There have been a number of well-known information security personalities who have been publicly saying that the revelations about the capabilities of national governments to undertake wholesale surveillance of the Internet will lead to its Balkanization.  If you believe the hype, the Internet will fragment and become less well connected as we all pull back in fear of everyone else's big brother.

I just don't believe it.  There are two really good reasons why this won't happen.

Firstly, all evidence suggests that we really don't mind about mass surveillance.  In 2006 the United Kingdom was described as being the most surveilled country among the West.  Since 2001 the USA has spent untold billions conducting illegal electronic surveillance on its own citizens, as well as doing its best to have a live packet capture of the entire Internet.  In a Western democracy, if we don't like what the government is doing, we can vote them out.  Not only have we not voted them out, we have year-on-year given them even more power.

This is not to say that these are good things, nor that one day we might say that enough is enough and reel the power back in, but it isn't going to happen in 2014, and may not happen for another generation.

Secondly, the Internet really is trans-national, and outside the control of any one country.  It was originally designed by the technical elite, without any consideration of governance.  It is now run primarily for the benefit of the business elite, who don't want governance as it may get in the way of their business models.  Any attempt to Balkanize the Internet, or set up controlling choke points will be worked around using both technical and business controls.  It is far too late to be trying to set up Internet borders and passport security.

This on the other hand is generally a good thing.  All the repressive regimes on the planet have done everything they can to limit Internet access, and they have universally failed.  The smarter ones have moved back to surveillance rather than control.

Within the next year or so, I strongly predict that the Internet will go through a phase-change from default clear-text to default encrypted, and the state security agencies will wring their hands and weep into their budgets.  But the rest of us will get on with our lives and use the Internet for what it was designed for - porn and funny cats.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
 

Monday, 17 June 2013

PRISM splits the Red from the Blue

It has recently been reported that the NSA has a classified electronic surveillance system called PRISM, that has been systematically and wholesale vacuuming up information on Internet users.  The vast majority of the data comes from Yahoo, Google and Microsoft.

I'm shocked, stunned, and more than a little amazed.

Not that they are doing it of course, as Blind Freddy could see that it was going to happen.  I'm shocked, stunned, and more than a little amazed at the people who are surprised by this, and are suffering a fit of moral indignation.

We live in a world of pervasive electronic surveillance.  From satellites mapping the globe, to Google cars collecting photographs and WiFi traffic, to CCTV cameras in every major city with active face recognition, to the supermarket loyalty card you use for a discount, to your friends and family posting your every move on Facebook, and finally to governments snooping on the Internet.  We can have heated discussions about whether this should be, and what it means, but the horse has well and truly bolted.

This is not new.  This is not unexpected.  This is not a surprise.  Mostly we did it to ourselves.  The real question is what are we going to do going forward, and this is something we do have a choice about.

The providers that are reported to be the major source of information are the free e-mail services, the ones that already data-mine your e-mail to serve you targeted adverts.  As you didn't pay for the service you are not their clients, you are their product - they sell your eyeballs.

If you want to take back control, choose to use a different provider.  If you want to make it harder to be snooped on, choose to always use encryption.  It might be impractical to go completely off the net, but you can choose to not make it easy.  Or you can choose to keep the benefits you have at the cost of your privacy.

Security is your choice.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com


Tuesday, 4 June 2013

Mandatory Data Breach Notification

The Australian Government has just announced that mandatory data breach notification laws will commence in March 2014.  This is an excellent start, and the Government is to be congratulated on the initiative.  I'm not normally one to promote more "cyber" legislation to cover new implementations of old crimes, but this really is a new type of crime for which no existing legislation adequately applies.

We've had identity theft for as long as we've had scammers, but in the pre-Internet world this was done one at a time, and required local knowledge and a lot of effort.  But now it can be done wholesale, from anywhere, to anyone, for nearly no cost.  And this is happening every day.

So how will mandatory data breach notification help?  It won't make us any more successful in prosecuting the attackers, so it won't reduce the number of attacks.  It has nothing to do with helping the people who are the subject of identity theft, so it won't reduce the impact of the crime.
 
Today the only sensible approach to take for any company that has a data spill is to cover it up.  There is no possible positive outcome from telling anyone, and a significant likely negative outcome in terms of reputation damage, share price reduction and loss of market confidence.  So this just looks like more victim blaming.

The real point is to make businesses care about security.  If they know that they will be named and shamed, they are more likely to take the necessary steps to not be breached, and therefore reduce the number of actual breaches, and so reduce the impact on the Australian people.  Raising the cost to the attackers is a win for everyone.

Better security is an investment in the future, not a cost to be minimised.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
 

Monday, 27 May 2013

The Law of the Internet

I've spoken to a number of journalists over the last few weeks who have all posited some variation of the simple question: "Don't national governments have the right to govern the Internet?"  While it is a simple question, it doesn't have a simple answer, and perhaps not for the reason that many people think.

There are many technology activists who see cyberspace as the first truly transnational place: where the existing rules don't apply, and a new set of rules - better rules - can take their place; where we can leave meatspace behind and become a meritocracy of the mind.  I strongly recommend reading "Snow Crash" by Neal Stephenson to get a sense of it.

I believe that there are three fundamental problems with this approach: (1) the Internet isn't a place; (2) we don't yet live in a futuristic dystopian civilisation; and (3) the Internet was not designed.  It's the last problem that causes all the angst.

If the Internet had been designed by governments, rather than organically grown by technologists, it wouldn't look anything like what we see today.  There would be the controls that national governments want, but there almost certainly wouldn't have been the flourishing of our society that connectedness has brought us.  If you want a real example of this, look at the Internet of DPRK, or the Great Firewall of China.  Then imagine each of these interconnected with deep packet inspection borders to mimic the physical borders we have today.  There would even likely be Internet passports to allow transit.

But it wasn't designed, and the law-makers were slow coming to the party.  By the time they noticed it was largely too late.  As John Gilmore famously said in 1993: "The Net interprets censorship as damage and routes around it."  It was too late in 1993, and it's way too late in 2013.

Does this mean that the netizens have won, and society as we know it will necessarily fall?

Of course not.  The problems that the Internet brings are the same problems that all societies have had over all of human history.  The links are just faster, and the people vastly more connected.  In the past if someone wanted a business to pay protection money they had to send a hard-man to bully the owners and do a little damage.  There was always the possibility of injury, arrest and incarceration.  Today they DDOS their website, with no possibility of injury, and almost no chance of getting caught.

But the crime is the same.  And the laws to deal with the physical crime are already on the books.

Governments can and should govern the Internet, but they can't control it.  Governing requires the consent of the governed.  Control requires technology.

The Internet is a people problem.  Until national governments realise this, they have no chance.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
 

Tuesday, 12 March 2013

Printing to the Internet

You've deployed a brand new networked printer, and after getting it all set up and working, what's the next step?  How about connecting it to the public Internet.  So that anyone, anywhere, at any time can print anything they want and waste all your paper and toner.

Madness, you say!  Not, it would seem, in universities in Taiwan, Korea and Japan.

A little Google hacking and we have 31 internet connected Fuji Xerox printers.  Some of them have public IP addresses, but many of them have been actively published through a NAT firewall.  So this was a conscious choice!

Perhaps it's just a clever way for attackers to exfiltrate data, but I've learned not to attribute to malice that which is better explained by incompetence.

Here's my advice: If you want to print to a work printer from home, this is not the way to do it.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com