The press coverage for Heartbleed has come and gone, and it seems like the public has missed the message. Brett takes a step back to glance at the bigger picture of a world that authenticates based on what we know, and what that means when everyone else knows it, too.
So, are you sick of hearing about Heartbleed yet? Sure, I bet you are. It’s ok, you’re not the only one – the coverage has exhausted me, and I love information security. After reading, seeing and hearing story after story from the major media outlets all the way from CNN to NPR, two things are for sure – your secrets are probably out there, and most people outside of the technorati still don’t know why it matters.
Being a huge security nut, I’ve had more than a couple of people ask me about the Heartbleed vulnerability – what sites it’s affected, what kinds of information it could have given up. Through multiple discussions with people of multiple backgrounds, I’ve come to realize that the media probably should stop talking about it: The explanations by most mainstream outlets has made people less aware of the ramifications, not more. Reporters talk about it like it was an attack by hackers, which does a tremendous disservice as we can’t say what data was stolen, by whom and from where. It quickly went from the most pivotal threat of our digital age to background noise.
A big part of this can be credited to the fact that it was patched in a virtual instant. This extremely timely response can be considered a gold star for the open-source community, which immediately began submitting code changes to the SSL standard. I’d hate to think of what might have been if this were a privately owned piece of software with no public scrutiny of the source, like Windows or OS X.
But the biggest reason for it to fade so quickly is the lack of identifiable damage. It’s not flashy to say “Something unknown may have been stolen from everywhere,” and no, we can’t say for sure what, if anything, was taken. But that’s ignoring the fact that this vulnerability has been in existence on most mainstream servers for over two years. And we can’t identify what was taken because the vulnerability leaves no record of its use – there is no special footprint, no signature, no telltale sign.
Heartbleed wasn’t an attack, and it’s not just a vulnerability. It’s the very definition of what nobody wants to remember about the online world:
There is only ONE Internet.
Heartbleed .. is one of many constant reminders of the fact that information security is a game of best practices that’s not unlike a Rogue-like or endless runner.
Readers of Penny Arcade will instantly recognize this as a quote from Jerry Holkins (a.k.a. Tycho), but it seems that the rest of the ‘Net (a.k.a. the general public at large) seems to have missed it.
Why is it important? Because Heartbleed, much like Edward Snowden, Anonymous, Facebook and many before, is one of many constant reminders of the fact that information security is a game of best practices that’s not unlike a Rogue-like or endless runner. You can’t ever let your guard down and eventually, you WILL lose. Sometimes, it won’t even be your fault. Because there are a LOT of people and servers and frameworks and systems that all have to be functioning perfectly, but:
There is ONLY ONE Internet.
After the Heartbleed release, did you think to change your passwords to your accounts? Did you remind any of your less technical friends to do the same? Did your email, banking or communications sites request or suggest you do? None of mine did. Two credit card companies, three email hosts, a major investment banking house, a bank and two retailers that store credit card info. None of them.
The largest security failing in the history of the Internet was found, with vastly far-reaching implications depending on the particular memory dump that a participant received (including the possibility to dump passwords, account verification questions, etc), and most of the world at large gave a big shrug and said “Meh.” Because no companies which have invested billions on digital infrastructure want you to be reminded that:
THERE IS ONLY ONE INTERNET.
So we know that this vulnerability existed, and we know that potentially we could be looking at breaches of everything from what your first pet’s name was to the entire private key of the server that you were logged into. Now is a good time to reflect on what of this is actually information vs. useless data. See, in business, we collect MASSIVE amounts of data – but very little of it is useful. Part of what sets you apart in the world of business is learning how to sort out what you need to know from what there is to know. For something to be information, it has to be a couple of things: Relevant to making a decision, and timely enough to assist you in making it.
Things like your dog’s name are likely treated as data that got passed over – particularly if the collector didn’t get everything that could make it useful, like the account name that went with that question. But what if it was a moment that you were filling out your questions? An account name and all the security questions to go with it can be a great piece of information to stash on the side. Most websites ask the same security questions, and most people use consistent usernames – if you can get them from one place, you can get access other places as well. Because though it’s made up of countless different sites:
THERE IS ONLY ONE INTERNET.
The big fish that an attacker would hope to land, of course, is the private key of the server itself. A quick, simplified (read: Not entirely accurate, but fixing to make it right is more explanation than it’s worth) refresher on HTTPS/TLS validation – each time you visit an HTTPS webpage, the server sends you its certificate, which is essentially its public key. Your browser checks to see the certificate matches up (and, if possible, verifies with a third party record), and sends back a secret cipher key that is encrypted with the server’s public key. The server receives this, uses its private key to decrypt the new secret cipher key, and both sides then use that secret cipher key to encrypt everything in the session going forward.
That means that if an attacker lands the private key, the attacker can decrypt any one of those secret cipher keys. Now, everything in any conversation with the server just became plain text. All of the encoding variables that establish the communication can be read, as well as any of the data in the communication (including passwords, credit card numbers, etc). This isn’t just for one account or one session – this is ANY communication with the server. Rather than worrying about breaking in to steal a database file and try to break hashes hoping to get something useful, an attacker can instead just sit back and sniff any and all data being sent to the IP address, because:
THERE IS ONLY ONE INTERNET.
Are you starting to see the severity of the problem yet?
No matter how hard we want to trust that the information we submit online can be private, secure or anonymous, it’s time that we take stock as a culture and as people. The information we put out there, the way we are identifying ourselves for access to it and the way we are securing that identity needs re-thought. This can’t be based on a cost/benefit or expected to be paid for by businesses, and it can’t just be set aside for the open source community to deal with when they have time.
Big-data systems like Hadoop are freely available and can analyze huge datasets that up until even just a couple of years ago we never even thought possible. Cloud computing like Amazon’s EC2 and even networks of graphics cards like the NVIDIA TITAN are insignificant cost compared to their strength, giving us an amazing amount of processing power to chew through that data. The computing power used to break the algorithms is growing at an exponentially faster rate than the complexity of the algorithms themselves are growing. Without a major breakthrough, current cryptography is fast becoming a short-term stall tactic instead of a security method.
The information we put out there, the way we are identifying ourselves for access to it and the way we are securing that identity needs re-thought.
Granted, this probably should have been foreseen. The word Crypto gets its roots from the greek word kruptos, which means “to hide.” Hidden does not mean it doesn’t exist, and if it exists somewhere that people can find it, odds are that it will be found. It does not mean “to secure” or “to protect,” it means “hide” or “obscure.” And any security researcher on earth will tell you, security by obscurity is not security at all.
Now, this doesn’t mean crypto and security practices are a waste of time – quite the opposite. But cryptography as a concept needs a breakthrough akin to quantum computing to go it alone for much longer. The “password” as we know it is dying a fast death, and public key cryptography can only be as secure as we can protect the private keys. In the meantime, to help us identify ourselves and protect all of this stuff, we’re throwing MORE information about ourselves out there – mother’s maiden name, the street we grew up on, our best friend as a kid. This identifying information becomes even more at risk when you realize that many of us are throwing that same information up on Facebook without even thinking of it.
Vulnerabilities like Heartbleed should be reminding us that we need to bring the “Personal” back in Personal Computing, and take a look at what information we really want or need to be quite so instantly accessible, and on what types of devices. User names, passwords and authentication questions test “what we know,” which is only one of three things we can test that includes what we are and what we have. The Internet has quickly become a vast storehouse of data, and we are throwing more and more onto it every second of every day – enough that “what we know” is now out there, and anyone else out there can probably find it with very little effort.
However, the username and password combination came about when computers were not so personal – a household might have one, a business several but often with multiple users. It came before the “Internet of things,” before smartphones, before household cable and DSL allowed persistent, always-on connections. It was a different time then, where you had to know what you were dialing into, know where you were going once you did, and then know what you were looking for when you got there. What you knew included all of those things – a multipart authentication that was much easier to evade than to spoof. Data transmission was slow, unwieldy and costly. We are no longer in those times. We are the Borg – we are all connected, all the time, to one big world of information. Because there is only one Internet.
Suggestions for how to move past our old methods are varied, but they should certainly begin by ditching “what we know” altogether now that there is a giant storehouse of exactly that.
Suggestions for how to move past our old methods are varied, but they should certainly begin by ditching “what we know” altogether now that there is a giant storehouse of exactly that. The security community needs to go back to the tenets and look at what we have and what we are, with the realization that now most any of us who need or want access to things like online banking or online purchasing or even online communication are already walking around with a personal authenticator in the shape of a smartphone. By restricting things to unique devices, we can limit access much more securely. By pushing the burden of authentication to those devices instead of the servers accessible by everyone, we can remove another huge vector. And by limiting access to those devices to multi-factor biometrics, we can protect them further.
Heartbleed was a stab deep into the way we control information currently, but only because the data that spills out can BE information. If all that was obtainable was crap that nobody could really use the moment this session closed, it would be the blip on the radar that people are treating it as. Instead, session data contains authentication that can be used again and again, by anyone, because it’s all “what we know.” It can often be used across sites and across people. It’s like leaving the key to your house taped to the front door.
But in the meantime, it is up to us to best protect ourselves and those around us. If you don’t use a password manager like LastPass, now is the point to go do so. Tell your friends and family to do the same. Change your security questions, change your passwords, enable two-factor authentication and begin to use biometrics on your phone. Don’t sweep this under the rug just because it didn’t make a flashy media story – instead, realize WHY it didn’t make a flashy story and why that is actually much worse for us all.