Tag Archives: hack

Heartbleed for dummies: how it’s dangerous and how it works.

So, you’re hearing a ton about Heartbleed, aka CVE-2014-0160, on social media and news outlets. Most of you are going, “Meh, I don’t know what it is, so it can’t be THAT dangerous.”

Ordinarily, you’d be right, most bugs affect a very small population of specific users, and there isn’t much you can do about it as a layman. You can run anti-virus, and anti-malware, not open suspicious links, etc, etc. to avoid getting bitten. However, with this one, it’s a devilishly simple and clever hack, that you risk every account on every service you have, especially if you use the same password for multiple sites.

So here’s what Heartbleed is, and how it works, in layman’s terms.

This part is complete hyperbole, and just an example- I’ll explain in more detail once you have gotten the idea.

So. You have probably seen banks or some online service that link to your credit card or bank account that needs to verify your bank information. In this case I mean completely legitimate stuff, like say direct deposit verification, or refund info, etc….real world reasons to verify your bank account type stuff. One way they do this is to deposit a few cents into your account and have you tell them what it is, and then they withdraw that amount back out. It’s usually a semi-random amount less than a dollar, like $0.12 or $0.47…but could be up to $0.99. So in this analogy, Heartbleed would be a flaw in the way that works.

Let’s say a certain bank is old fashioned, and they do things with paper and cash and envelopes and such. If someone want to verify your account, they bring an envelope with a small amount of change in it, and deposit it to your account. The bank requires that the envelope contains: your name, account number, and amount inside the envelope. The envelope is handed to a teller, who reads off the info from the envelope and enters it into your account and hands the envelope to the banker to deposit it in the safe. The banker goes to the safe and opens the envelope, and places the change in the vault with all the other money. The next day the verifier comes back, and withdraws the same amount as entered by the teller. The teller pulls the change from his drawer, puts it into an envelope and again, puts your name, account number and amount inside it and hands it to the verifier.

 

Now….do you see the flaw? It’s subtle, and easily overlooked. The banker nor the teller ever verify the amount in the envelope is what was written on the envelope. So a trickster can write $0.99 on the envelope and put in a penny, and nobody ever sees the issue until someone does an audit. This is done thousands of times a day, hour, minute, even a second…you can see where this would add up to a bank robbery.

OpenSSL is like that bank. It’s job is not necessarily to protect your deposits, but rather your data. Any time you put a web address into a browser, and it has the httpS:// instead of http://, you are using a (supposedly) encrypted communication.

For a verrrry simple explanation of how this encryption works, think back to your days of being a second grader and using a decoder ring to send secret messages. (Or if you never did that, just imagine someone who did…because we really existed.)

In order to send a message, you and the person you’re sending it to have to share a way to encode/decode a message. Maybe it was the old A=1 B=2 Z=26, code, or maybe you actually devised a three step lost key cipher that used pages from library books and transcribed in Dwarfish runes. Either way, the gist was you and the other person had to know the secret code to decipher. With0ut that knowledge, anyone could find your messages, but be unable to read them. The web does NOT work this way. It sends plain text, so if someone puts a “packet sniffer” on the connection between you and the site that you’re going to, they can read every letter you type and see everything they send back. To prevent that “sniffing”, you have to use Encryption. That’s the whole point to SSL.

So, when you go to the banks webpage, or email, or FB, or whatever needs to be secure communications, you generally connect SSL. SSL disconnects after a few minutes if you don’t use it. That’s why you’ll get messages if you sit at your banks webpage too long after logging in. The heartbeat is simply: “I’m going to say a message, please repeat my message back to me to prove we’re both still awake.”

So, this is where the bug lives. The trick is like the bank teller scenario above. When a heartbeat is sent from your computer to the remote computer, you send a “packet”. That packet is essentially a file, with data in the file, and metadata describing the file. It’s kind of like the headers in your email- there’s the email itself, and the headers (aka metadata) describes who it’s from, roughly what’s in it, and how big it is. Here’s how the conversation goes, in computer-speak…

ME: Yo, gmail. (BTW, this message is only seven letters)
GMail: Hey there you! Would you like to read your email? (BTW, my message is 33 letters!)
ME: Sure do! (BTW, my message is six letters)
GM: Okay, I need your secret password. But don’t say it out loud…today we’re going to speak Klingon as our secret language! (BTW, this message is 93 letters)
ME: Qa’PlaH!(BTW my message is six letters.)

So at this point, the rest of everything we do is in Klingon, and unless you know a.) how to speak Klingon, and b.) that we’ve even decided on speaking in Klingon, you have no way of knowing what we’re saying.

Now, at the same time I’m speaking to gmail, thousands of other people are doing it, too. So our conversations are constantly being intermingled in the memory of the server. The server can’t *think* in Klingon, so things are stored as regular text. They’re all properly parsed and sent to the right person, so there’s never any security problems with how that works. The problem is that heartbeat check.

THIEF: Yo, gmail. (BTW, this message is only seven letters)
GMail: Hey there you! Would you like to read your email? (BTW, my message is 33 letters!)
THF: Not today. Just doing some testing. (BTW, this message is 28 letters long.)
GM: OK! (BTW, this message is two letters)
THF: Gmail, I’m going to send a heartbeat message in a second….when I do, just repeat back exactly what I said. OK? (BTW, This was 81 letters)
GM: OK! (BTW, This message is two letters)
THF: Heartbeat!!! (BTW, this message is …um, well….uh…514 letters. Yeah…that’s the ticket! 514 letters…)
GM: OK! The last 514 letters you sent me were: “HEARTBEAT!! >> <<user12363::lue. That was it. The boat was blu…>><<user524211::find my next email with boo…>> <<User64632::Pen1s enlargement! P1ll5! P3N1S P1lls!!…>><<user43567:: ame:janesmith@gmail.com password:superspyfarts: Login succ…….>><<: user424467::Bob, Alice, and Ted….>><<user63521::Boobies!All the boobies you can stand just click here!!1!…>><<user534143::Amazon receipt for Penis Enlargement pump for Jeff Gordon IV, at 101 Masker Ct, Zionsville, IN……>><<user000010:: Mr. Vice President, with all due respect, please remove your foot from my ass. It’s not…..>><<user0003::and can you believe what Jessica said about Clarissa!? OMG it was soo totally…>>”
THF:Excellent. Now…could you do that a million times in a row for me?(BTW, this message was, oh, let’s say a million letters)
GM: Can do!!!(BTW, this message was five letters.)

And viola- do this enough times, and you can get all SORTS of info. Passwords, bank account info, pictures that you only meant for a significant other, etc.

The fix is simply to make sure that SSL checks that the message sent was actually as big as it was said to be. An easy fix, but embedded so deep in the software that nobody recognized it as a threat. The thief here isn’t stealing pennies- they are stealing data. And then data can be used to steal dollars….by the millions.

So, long story short, you need to CHANGE YOUR PASSWORDS, on any site that used OpenSSL. Don’t know if you were exposed?

Mashable has a less than complete list, and

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
here is a site that can scan if a site is still vulnerable.

http://filippo.io/Heartbleed/

Hacked, but just a little…

TL;DR : I got hacked. Fixed it quick. Got cool new toys from the hacker in the process.

So…

One of the pages I hosted for some friends (a Cub Scout pack page that had long since expired…) had an unsecured file. Total oversight, it was an old version of WordPress and it left a password in plain text, for a user that had superuser mysql rights. That account was compromised, and that compromised the entire mysql db, obviously. So, I took down wordpress on this page to allow for cleanup. I am planning on moving this page to AWS in the very near future, but I just hadn’t gotten around to it.

Back in November, someone did a clever scan, and found it.  Clever, becaus ethe site isn’t even running.  The DN had long since expired with the registrar. I guess they got the IP from an old cache page or something.

They were sending out phishing scams for itunes.fr for a few hours. I shut it down, but in the process, found that the hacker had uploaded their hacking toolkit. So, long story short, I got some cool tools that I never would have found on my own to security test. Now I can run them against my servers and feel fairly confident that all my shit is squared away. And maybe have some fun at someone else’s expense :)

Akismet, my new hero.

I finally got around to paying more attention to my blog. Updating the resume…adding a post or two…proofreading others to make corrections…looking into some new plugins for WordPress….etc.

One of the most annoying things to deal with was the comment spam. In three months I had accumulated 15,000 pieces of it. There’s only about 2,000 people who have actually visited my blog thus far. Ever. (Thanks, Google Analytics!) But, since I’m really not on here all that often (something I’m trying to improve on…) I really hadn’t paid attention to the spam. I have all comments require moderation, so they weren’t flooding my site- I just have to go on every couple of months, glance through the posted commented on to see if there are any real comments (there aren’t) and run a SQL command to manually clear the crap.

I would like to know if there are any actual comments in the future, and see if anyone has anything useful to say, or even a useless comment, but one that was made by an actual person instead of a bot quoting random sentences from random books in an attempt to look Turing-complete. Thus, I configured Akismet this evening, and it’s already flagged crap as spam and shuffled it off to the spam folder, which is much easier to empty- no SQL commands into the void.

So long story short, and I’m sure old news to the vast majority of bloggers, Akismet makes me smile just a little more than I was yesterday. Thanks, devs!