The cybersecurity firm that discovered the so-called Heartbleed bug, a gaping hole in the most widely used privacy and security software on the Internet, said the flaw went undetected for two years because of the large amount of intensive work it takes to manually test encryption software.
The key to finding Heartbleed, Codenomicon CEO David Chartier told International Business Times, was developing a way to automatically test encryption software for vulnerabilities.
“We attack the software with unexpected messages and see how it reacts,” Chartier said. “When you do this, you can find messages or characters or something that causes the system you’re testing to crash. This is the building block of software vulnerabilities that can be exploited.”
The discovery of Heartbleed highlights how there will always be new ways for cybercriminals to break through digital security systems. As we continue to store an increasing amount of valuable information online, the incentive for hackers to find these security flaws grows, making it increasingly important for companies to develop ways to find software vulnerabilities before the bad guys do.
“It’s a growing trend in the [Information Technology] security world to thoroughly test and vet software,” Chartier said. His team discovered Heartbleed about the same time Google Inc. (NASDAQ: GOOG) did, and he felt it was important enough to make the general public aware of the serious threat the bug poses, as that would encourage companies to update their servers.
The Heartbleed bug exists within a feature of OpenSSL, a cryptography library used by Internet servers to protect websites that rely on passwords. It's also used to encrypt private information, including emails, documents and instant messages. A hacker could exploit this feature to trick a server into giving up the contents of its memory, which often includes the keys needed to decrypt private information, and the attack would leave no trace. OpenSSL is used by servers that host an estimated 66 percent of the active websites in the world, meaning Heartbleed impacts almost every website you use.
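As an added illustration, not code from the article or from Codenomicon, this Python models the check a patched server or a network monitor applies to the OpenSSL heartbeat message that Heartbleed abused. It assumes the message layout from RFC 6520 (a type byte, a two-byte payload length, the payload, then at least 16 bytes of padding), and the sample records are constructed, not captured traffic.

```python
import struct
from typing import List, Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding

def check_heartbeat(record: bytes) -> Tuple[bool, str]:
    """Validate one heartbeat message body.

    Returns (ok, reason). A genuine message never claims more payload than
    the record actually carries; rejecting that mismatch is the bounds check
    the OpenSSL patch added.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return False, "record too short for header plus padding"
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False, "unknown heartbeat type %d" % hb_type
    (claimed_len,) = struct.unpack("!H", record[1:3])
    if 1 + 2 + claimed_len + MIN_PADDING > len(record):
        return False, "claimed payload %d exceeds record of %d bytes" % (claimed_len, len(record))
    return True, "ok"

def make_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a constructed sample heartbeat body (not captured traffic)."""
    if claimed_len is None:
        claimed_len = len(payload)
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)

def suspicious_records(records: List[bytes]) -> List[str]:
    """Monitor-style pass: the reason string for every record that fails the check."""
    return [reason for ok, reason in map(check_heartbeat, records) if not ok]

# Constructed samples: a normal 4-byte ping, and one whose length field
# claims 65535 bytes while carrying only 4, the mismatch an unpatched
# server trusted and answered with whatever followed in its memory.
GOOD = make_heartbeat(b"ping")
BAD = make_heartbeat(b"ping", claimed_len=65535)

if __name__ == "__main__":
    for r in (GOOD, BAD):
        print(check_heartbeat(r))
```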
For this reason, Codenomicon went after OpenSSL once it developed a tool for testing encryption and password programs. Even Codenomicon uses programs powered by OpenSSL to secure its information, so the company targeted its own infrastructure.
When the team came across Heartbleed, it got the company's server to dump decryption keys, usernames, passwords and private documents. Codenomicon shared the findings with the OpenSSL community, which published a security alert and a patch on Monday.
“Those [alerts] tend to be bare-bones and don’t tell people how important they are,” Chartier said. “So many come out every day, it’s difficult to see which ones are important and which ones are not. We wanted to make the Internet safer by spreading the word.”
With a striking name and dedicated website, Heartbleed quickly spread through the cybersecurity community before reaching the tech media and then major mass media outlets. The attention encouraged security professionals from many major companies to aggressively upgrade their systems and issue new encryption keys.
Codenomicon encouraged network administrators to deploy “honeypots” that entrap hackers and alert administrators when an attempt to exploit Heartbleed is made. None have been reported yet, but the undetectable nature of Heartbleed means that the only safe course is to assume an attack already occurred.
“There is such a large number of machines using OpenSSL, it will take a while for everyone to update,” Chartier said, meaning that a major data breach thanks to Heartbleed is only a matter of time.
While patching servers is in the hands of IT professionals, everyday Internet users still have a large role to play to protect the Internet from Heartbleed and future security flaws. By contacting Internet services and asking if their OpenSSL has been upgraded, customers can pressure companies to ensure that their security measures are up to date.
Even if a company has already patched its server, a hacker could have already infiltrated it and absconded with the keys. Resetting passwords should be an important part of this year’s spring cleaning chores.