On April 8, one of the most pernicious bugs to ever strike the Internet made the news — the Heartbleed Bug. A vulnerability in the ubiquitous OpenSSL library, it can be used to obtain login user names, passwords, credit card information, application source code, and encryption keys – anything that may exist in server memory. Millions of sites, applications, and network devices were affected, including major names like Yahoo!, Google Gmail, Instagram, Netflix, Cisco, and Dropbox. And because the afflicted OpenSSL library was released in March 2012, the vulnerability has been open to exploitation for more than two years – it was only recently discovered by those willing to disclose it.
Pretty scary stuff. Heartbleed could be considered the largest Internet security flaw in decades. If you’d like to learn more details about how it works, I’d suggest checking this FAQ; but right now let’s talk about how it was discovered, who discovered it, and what it says about our industry.
The bug was discovered by two parties. The first was Neel Mehta of Google Security, who reported it to the OpenSSL team. The second was a team of security engineers at Codenomicon, who found the bug while improving the SafeGuard feature in its Defensics security testing tools. The discovery was mostly accidental; the SafeGuard feature of Codenomicon’s Defensics security test tools automatically tests the target system for weaknesses that compromise integrity, privacy or safety. It’s intended to expose failed cryptographic certificate checks, privacy leaks or authentication weaknesses.
While the team could have exploited the bug, Codenomicon instead reported it to the National Cyber Security Centre Finland (NCSC-FI). NCSC-FI reached out to the authors of OpenSSL, along with software, operating system and appliance vendors. Other behind-the-scenes notifications took place before the vulnerability was disclosed publicly; however, the information sharing was done under embargo, and the involved parties wanted to ensure there was a remedy in place prior to public knowledge.
As profound and impactful as the Heartbleed story has been, it reflects an everyday fact of life with technology: Vulnerabilities are a regular part of information security. So are the people who discover them. Whether it’s an independent security researcher sniffing out the vulnerabilities in a web application, or a legitimate security professional as in this case, many vulnerabilities are discovered by people acting out of genuine good will. Yet many of them are too intimidated by the potential legal consequences, including jail terms and fines, to contact the organization directly. As a result, many feel safer making a public and anonymous disclosure, or contacting a third party. There are countless unknown security vulnerabilities that exist in production technology and applications today. Out of those, how many have been discovered? How many have been disclosed? Think about that.
A model gaining increasing popularity is called Responsible Disclosure, in which all stakeholders agree to a grace period that allows an organization to remediate a vulnerability before the details go public. Often these take the form of Bug Bounty programs (I’ve written about them for SecurityWeek) which not only grant researchers permission to find vulnerabilities but also reward them for disclosing them in a discreet and ethical manner. It’s a win-win for both parties, as researchers are incentivized to find unknown vulnerabilities and report them privately before a malicious attacker discovers them. Some of the biggest names in the industry, including Microsoft, Google, IBM, Salesforce and Facebook, have active bug bounty programs according to Bugcrowd.com.
As for Heartbleed, a new, secure version of OpenSSL was released, and most affected organizations have updated their servers and patched the vulnerability. Vulnerabilities and the people who discover them will always be a part of the security landscape – and by making disclosure a less intimidating process, we open the door to a safer and more responsible IT world.