The Heartbleed -Bug came out of nowhere: On 7th April, the free world stood still for a moment. With the concise words “TLS heartbeat read overrun”, the OpenSSL project reported one of the most serious security failures in the history of the Internet. The bug was fixed immediately, but the aftershoot of this programming weakness will continue for a while.
Sloppiness error ...
The "free" world is not the choice of the political party, but the self-defined definition of the open source community. However, the comparison is not too vague because there are still heated discussions between the advocates of open and transparent software development and those who see "security through obscurity" as a solution
The Heartbleed disaster
Heartbleed, so the name of the programming error, is a classic sloppiness error. "A missing check of the memory's delineation when dealing with the TLS Heartbeat extension can be used to obtain up to 64 kbit from the shared client or server memory," the OpenSSL project describes the vulnerability in the library's security architecture. Affected are versions 1.0.1 and 1.0.2-beta, which have been released since May 2012.
Or maybe intent?
What is so harmless is a serious safety hole. The programming error allows each OpenSSL user to read parts of the main memory of the remote control uncontrolled. The error is in a subordinate function in the software library, which is to check regularly the connection between the two partners of an encrypted connection ("Heartbeat"). For this purpose, she writes a freely selectable number of characters into the memory of the opposite computer and then also receives a number of characters.
Secure passwords
Because the Heartbeat programmer had failed to check the number of characters sent, and only retrieve them, a malicious user can reclaim more characters than he has sent. If it sends only one bit, but requests 64 kbit, it will get a memory tribute from the reserved space of OpenSSL.
This key can now contain keys, passwords and other secret data. The attacker gets this information without leaving any traces on the server, and he can repeat the attack as often as necessary until he gets the hoped-for data. This affects the majority of all servers and almost every user program, which in some way creates encrypted connections. This also applies to your Internet programs such as browsers, mail and chat programs.
Attention: You need to install updated versions as soon as possible - on PCs and laptops, such as routers, smartphones, smart TVs and many other devices and computers. Since you can not be sure that you already have large collections of storage images with your access data on external servers, you should also exchange all important passwords for new ones.
Mistrust has also existed for some time against the standard encryption program Truecrypt. As early as 2010, the blog "Privacy Lover" accused the charge that Truecrypt had a backdoor. It may have been developed by the CIA to facilitate access to confidential information. The reason for his mistrust is that although the code is openly accessible but nothing is known about the developers.
Other details about the encryption tool are also mysterious and opaque. Since April of this year, however, is firmly: Truecrypt is clean. The security company iSec Partners had carried out a code check of central components and found no deliberately installed backdoor, but in many places an insufficient quality of the Truecrypt source code. This can then be used again by hackers. Data forensics like Elcomsoft do it.
Elcomsoft wants to decrypt encrypted containers from PGP, Bitlocker or Truecrypt using memory images. However, the pre-session is that the attacker has access to a computer on which the container file has already been mounted and the password has not been automatically deleted from memory. To do this, the program analyzes the Windows rest state file, where the passwords should be located at a specific location. The same attack also works with the Windows Bitlocker encryption.
The best protection against cracked accounts and data is secure passwords, which you should change regularly.
To avoid losing track of the many passwords, use either a password safe such as Keepass or a personal password system. It is not so difficult to build a password that you can easily remember. Take a sentence that contains words, numbers, and punctuation. This can be funny, so that you can easily remember it ("My wife has two big feet, which I like to kiss on saturday!"). Take the first letter of each word, the number and the punctuation mark, and write it one after the other. This results in the password "MFh2gF, diSgk!" This gives a very secure password.
Caution: In Truecrypt, you can do this by deleting the password in the cache when you are finished, and safely deleting the password in the cache during automatic disconnection. In addition, you should always unmount an encrypted drive when you no longer need it, so it is not loaded in memory. You should also set Auto Disconnect when logging off. This is how the attack works only when the drive is currently loaded. The probability is significantly reduced.
Random or not?
Whether errors are intentionally or by chance in a software, can not be determined afterwards more easily. No accident, however, was the following case of manipulation. The NSA already built a backdoor directly into a standard for the pseudo random number generator Dual EC DRBG (SP800-90) of the US National Institutes of Standards and Technology (NIST). This has now emerged from Snowden documents.
The manipulation, however, did not go undetected before. Shortly after the release of the standard, two Microsoft researchers suggested that a vulnerability in the code could be a targeted backdoor. The standard is, among other things, entered into the encryption function (RDRAND) of some Intel chipsets, which in turn accesses encryption software. The NSA can not read cryptotexte immediately, but decrypt it with less effort.
More about Heartbleed
Attention: This means the user can protect himself by using software that not only uses RDRAND as a source of random numbers. These are all functions which, for example, collect randomly via mouse or keyboard actions (Truecrypt, for example). If you are not sure, you should increase the password length significantly.
The examples illustrate the fundamental difficulties involved in open-source projects. Transparency of the involved players and the control by a large group of competent competitors replace a defined quality assurance process. However, there is often the lack of necessary security know-how, says Markus Robin from SEC Consult
"Quality assurance does not happen magically, professionals do not make things so easy." The Heartbleed and Truecrypt cases raise questions: What are the testing and control procedures for the development of open source software instead? One solution is provided by companies like Red Hat or Suse. They offer businesses the benefits of open source software along with legally binding guarantees.
Transparency and control
"Security is a process, not a state. Security begins with us where our developers carefully select projects, work with them, and then integrate them into our products after intensive testing", explains Dr. Gerald Pfeifer, Senior Product Management and Operations Director at Suse.
If this process is effectively followed, it is inevitably expensive. Typical closed-source products such as Windows or Flash, with countless patches every month, prove that even expensive products from large companies do not guarantee secure software. Successful open-source projects such as Truecrypt or OpenGPG prove, however, that it is also different.
Possibly, the different forms of open source software development can not be measured at all by commercial standards. "Open source security software is a very popular tool for many people with very different motives. This is 'democratic' and democracy is the best form of politics, even if it is not perfect," says Johannes Buchmann, professor of computer science and mathematics at the department of computer science Of the Technical University of Darmstadt.
No comments:
Post a Comment