And yet
No one has demonstrated actually retrieving cryptographic keys using Heartbeat.
Call of Duty: Black Ops II appears to have been compromised using the now infamous Heartbleed exploit, according to security researchers. The Heartbleed security bug is a simple example of memory leakage through an overflow vulnerability in the Heartbeat component of OpenSSL. Bits of memory in 64 kilobyte chunks may be …
Plain text can be pretty obvious to spot within any memory dump but I am not so sure about binary data. Those saying they can see critical data (keys, certificates, etc) being leaked probably recognise that because it's their data no matter where it appears. I do wonder how easy it is to find meaningful binary data in a random 64K block when you don't know what that data is?
There was one fairly rational comment I read that if the spooks had cottoned on to this, they could have been harvesting for a while...
Then I read the nice El Reg C-code analysis and incompetence seems pretty favoured, although I am still changing all the keys and locks....
P.
"The flaw is potentially among the most damaging ever to surface on the web but there's been little evidence that it has been widely exploited so far - leading some security experts to say it's been overblown"
The media has severely sensationalized this. The actual compromised data can range from "move along, nothing to see here" to "hide your kids, hide your wife, hide your husband"*. For the majority of the people seeing the reports (read: non-technical people), they are receiving the message that "The world is collapsing and nothing is safe. You have been compromised, change all of your passwords, PINs, combination locks, dead bolts, alarm clocks, dog's name, etc."
Yes, the *potential* for your secure data to be compromised is there, but most likely, the majority of people are just fine. It's hard to imagine that if this particular exploit was in wide use in the "hackers" underground that it wouldn't have surfaced much sooner. Think about it: the main thing the crooks want are usernames, passwords, credit cards, etc. If they've compromised those, I think you would have noticed before now.
It doesn't mean the IT departments around the globe shouldn't have due diligence patching what they can (at a minimum the OpenSSL libraries and rekeying SSL certificates where feasible), but it's not exactly the "sky is falling" scenario that is being presented.
* http://youtu.be/EzNhaLUT520?t=59s
I imagine the marketing depts of Microsoft will be very busy right now writing up interesting discussions of "how much more secure" open-source software is, in particular the problem with something being freely available and so being incorporated in so many many diverse systems.
Of course they'll wait a while before starting any crowing...
The problem is, Justin, that you don't know if your data/security has been compromised so therefore you have to assume the worst. When I read about the flaw I was interested, then I looked at the logs on my NAS server which has https access and provides my OpenVPN endpoint. There before me was the evidence that script kiddies were out trying to get data. I could see over several minutes 1 request every 5 seconds to port 443 from the same IP listed as belonging to RackSpace in the US. Given the number of attempts I figured the box must be spewing shit back or the script would have moved on. I therefore checked the OpenSSL version and lo and behold it was running a flawed version. At this point I stopped the port forwarding for web and VPN services until a suitable update comes through for the unit (it's a QNAP). I'm now also looking at dd-wrt or gargoyle flashing the router to get it providing the endpoint for VPN once I'm sure the firmware is secure. I am guessing that as OpenVPN uses OpenSSL I'd have been just as vulnerable on the VPN side if my router was the endpoint as the NAS doing it. The SSL connection may never go back on.
Don't underestimate this, it is a very big problem and the fact that you have no idea what an attacker got just adds to the uncertainty.
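The two checks the commenter above describes, looking for one source hammering port 443 at a steady interval and then checking whether the installed OpenSSL is a Heartbleed-era release, are easy to script. The block below is an added example written for this thread, not code from the commenter, the QNAP firmware or The Register. The log format and the source addresses (documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) are constructed for the example; the version ranges reflect the OpenSSL releases that carried the Heartbleed bug (1.0.1 through 1.0.1f and 1.0.2-beta1), and the version check is a first pass only because distributions often backported the fix without changing the version string.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# --- Check 1: does the installed OpenSSL fall in the Heartbleed release range? ---
# Affected upstream releases: 1.0.1, 1.0.1a..1.0.1f and 1.0.2-beta1.
# Not affected: 1.0.1g and later, 1.0.0, 0.9.8. Distro packages (Debian, RHEL and others)
# shipped the fix as a patch on an older version string, so True means "inspect the
# package changelog", not "confirmed vulnerable".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def is_heartbleed_version(version_string):
    """Classify the output of `openssl version` by upstream release range."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % version_string)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # '' (plain 1.0.1) and 'a'..'f' are affected
    if (major, minor, fix) == (1, 0, 2):
        return beta == "1"            # only 1.0.2-beta1 had the bug
    return False

# --- Check 2: which sources poll a port at a steady, short interval? ---
# Constructed firewall-style log lines (not from the commenter's NAS). 203.0.113.7 hits
# port 443 every 5 seconds; 198.51.100.22 has a one-hour gap in its run; 192.0.2.5 only
# touches port 22.
SAMPLE_LOG = """\
2014-04-09 19:00:00 src=198.51.100.22 dport=443 proto=tcp action=accept
2014-04-09 19:00:05 src=198.51.100.22 dport=443 proto=tcp action=accept
2014-04-09 19:00:10 src=198.51.100.22 dport=443 proto=tcp action=accept
2014-04-09 19:00:15 src=198.51.100.22 dport=443 proto=tcp action=accept
2014-04-09 19:00:20 src=198.51.100.22 dport=443 proto=tcp action=accept
2014-04-09 20:00:20 src=198.51.100.22 dport=443 proto=tcp action=accept
2014-04-09 20:15:00 src=203.0.113.7 dport=443 proto=tcp action=accept
2014-04-09 20:15:02 src=192.0.2.5 dport=22 proto=tcp action=drop
2014-04-09 20:15:03 src=192.0.2.5 dport=22 proto=tcp action=drop
2014-04-09 20:15:04 src=192.0.2.5 dport=22 proto=tcp action=drop
2014-04-09 20:15:05 src=203.0.113.7 dport=443 proto=tcp action=accept
2014-04-09 20:15:05 src=192.0.2.5 dport=22 proto=tcp action=drop
2014-04-09 20:15:06 src=192.0.2.5 dport=22 proto=tcp action=drop
2014-04-09 20:15:10 src=203.0.113.7 dport=443 proto=tcp action=accept
2014-04-09 20:15:15 src=203.0.113.7 dport=443 proto=tcp action=accept
2014-04-09 20:15:20 src=203.0.113.7 dport=443 proto=tcp action=accept
2014-04-09 20:15:25 src=203.0.113.7 dport=443 proto=tcp action=accept
2014-04-09 20:15:30 src=203.0.113.7 dport=443 proto=tcp action=accept
2014-04-09 20:15:35 src=203.0.113.7 dport=443 proto=tcp action=accept
"""

_LOG_RE = re.compile(r"^(\S+ \S+) src=(\S+) dport=(\d+)")

def find_polling_sources(log_text, port=443, min_hits=5, max_gap=10.0):
    """Group hits to `port` by source and keep sources with at least `min_hits` hits
    and no more than `max_gap` seconds between consecutive hits.
    Returns [(src, hit_count, median_gap_seconds), ...], most hits first."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m or int(m.group(3)) != port:
            continue
        hits[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    findings = []
    for src, times in hits.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) > max_gap:          # a long pause breaks the "steady polling" pattern
            continue
        findings.append((src, len(times), statistics.median(gaps)))
    findings.sort(key=lambda f: -f[1])
    return findings

if __name__ == "__main__":
    for src, count, gap in find_polling_sources(SAMPLE_LOG):
        print("%s: %d hits to 443, median gap %.1fs" % (src, count, gap))
    print("1.0.1e affected:", is_heartbleed_version("OpenSSL 1.0.1e 11 Feb 2013"))
```

On a real box, feed `find_polling_sources` the firewall or web server log after adapting `_LOG_RE` to its format, and pass the output of `openssl version` to `is_heartbleed_version`. A steady poll at a fixed interval is not proof of Heartbleed probing on its own, but combined with an affected version it is the signal the commenter acted on: take the service offline or block the source until the library is patched and the certificate rekeyed.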
I understand that the potential risk is there (and theoretically everyone COULD have already had their information exploited) and there's no way to know for sure, but the problem is the media is essentially going straight to the "doomsday" scenario when the odds are it's not nearly that extreme. However, now that world+dog knows about the exploit, I'm sure a lot more attempts are being made to capitalize on it (as evidenced by other sites mentioned by another ElReg article).
I'm not saying it would be a bad idea to change critical passwords for the sites you access, but once the majority of the big providers have patched their servers, a lot of this will blow over and the majority of people will be unaffected, IMO.
Agree regarding the media and password changing. I thought myself, and have also seen other articles confirming it, that a lot of sites may not be patched so going straight out and changing everything may not be wise as you may be changing a safe password and getting the new one hoovered up. On this front the LastPass security check has proved handy.
From The Smoking Gun:
FBI Arrests Trio For Microsoft Xbox Hacking
Feds: Men also stole pre-release video games during intrusions
APRIL 10--A group of alleged hackers has been charged with breaking into the computer systems of the U.S. Army, Microsoft, and several other firms to steal pre-release copies of popular video games like “Call of Duty,” simulation software for Apache attack helicopter pilots, and confidential data that was used to create counterfeit versions of the Xbox gaming system, The Smoking Gun has learned.
This was going on since at least early 2011, and goes a lot deeper than a CoD hack.
And they also made up counterfeit working "next-gen" Xbox consoles, sold one on eBay for $5000. Imagine if they had just sold the info to the Russian or Chinese counterfeiters. MS sure ducked one there.
*assuming this is the same CoD-related hacking and not just a much uglier, much larger one.
There are other ways of hacking servers than the Heartbleed bug. That's the problem with the whole CoD thing, there's nothing at all which suggests it was done with the Heartbleed bug and not, say, guessing a weak password or any of the myriad other ways which exist to hack servers.
What interests me in this debate is that it reopens another - the "Y2K=Y2meh" one.
And the fascinating thing about that second debate is that the thinking generally shown echoes the same line of reasoning that has certain people refusing to inoculate their kids in NYC because "no-one gets that any more".
And the thing about that which is rather horrifying is that as a direct result we now have a population of children in NYC with Whooping Cough, a disease we had firmly under control in the western world by the mid-1960s*.
The thing about Y2K that bears remembering is that the reason there wasn't a "real problem" is that thousands of people worked hard to mitigate the issues (there was more than one aspect to the Y2K issue, but people usually don't know that because they fixate on the obvious)**.
*I remember as a kid in the UK hearing about neighbour's kids who caught Whooping Cough, then, when I was about eight the stories just stopped happening.
**And the thing to remember about *that* is that even though the ATMs still worked on January 1st, the automated doors to the ATM vestibule often didn't. But people were so busy yelling "damp squib!" these could be quietly addressed in the following weeks.
Ummm, is this just that thing where the game name was changed on Steam?
Here's a possibility for everyone... Maybe someone who had an authorised developer account simply did it to make a point, or to raise the profile of the game's name.
As far as I have gathered, only one publisher has been affected, and only 2 or 3 games. Certainly a good way to raise the profile of your game's title - the entire internet is talking about CoD now.