Heartbleed attacks and Internet security: Prevention is better than cure

heartbleed noticeOur daily data traffic on the Internet has reached dimensions which can hardly be put into numbers. For example, in June 2014, an average of 1.7 Tbit/s of data has been transmitted at the German DE-CIX (the largest Internet exchange point worldwide, situated in Frankfurt). Indeed, numerous transactions related to critical applications such as financial or personal data are conducted. Whether stock market transactions, online shopping or home banking, anyone who carries out such transactions counts implicitly that security, integrity and authenticity are guaranteed at any time.

For years, such processes and methods have been well established on the basis of deploying according technologies which permit to appropriately encrypt and secure data transmissions. Here, the use of SSL has become a quasi-standard.

However, it has also turned out that web server, NAS, gateways and routers, due to an implementation error are vulnerable, as sensitive data can be retrieved without being able to detect the spying of data as an attack. Furthermore, particularly worrying is that a variety of services which protect their data, typically via SSL/TLS, are affected. This also includes e-mails (POPS, IMAPS, SMTP with STARTTLS).

Anatomy of a “heart defect

 By looking closely at the problem, one realizes that the actual error is comparatively simple. In order to maintain a communication, so-called heart beats will be sent out between the communicating partners. In this process the sender transmits data (payload) to the receiver who in return sends the data back.

The problem, however, results from the fact that the receiver does not verify how much data has actually been sent. This means, if the sender “lies” and actually only sends one single byte but claims to send 16 Kbyte, the receiver responds willingly by sending back data from its random access memory. This results in phishing the random access memory of the remote station by the attacker.

If someone uses this procedure systematically and with high computing power, large quantities of credit card information and passwords can be gathered and spied upon. Furthermore, it was possible to get to the innermost part of servers in order to spy out the private key. The consequence would be that perfect imitations of servers can be placed on the Internet and the users won’t notice because they won’t get a warning message of faked certificates.

Is it possible for your data security to recover from a “heart attack”?

Users and people affected are in a rather uncertain situation. Concerning the systems to which we have access, we have to explore as soon as possible whether a serious threat exists. This can be carried out in cooperation with the corresponding manufacturer.

If this is the case, appropriate measures have to be taken quickly in order to update the affected systems. In this context, it is also advisable to replace the digital certificates and to declare already existing certificates as invalid, although this may “only” be a precaution. For services to which we do not have access, we have to rely on the respective service provider to ensure security as soon as possible. It only makes sense to change passwords, after the provider has renewed certificates.

Take security preventive measures

The use of Open Source and especially in this case of OpenSSL, shows how a fundamental and critical infrastructure on the Internet can crumble overnight.

When you look behind the scenes and see how many software engineers actually work full-time on the maintenance and development, it is indeed thought-provoking.

As a manufacturer, we also ask ourselves the question, which is the correct way into the future?.

In none of Teldat´s products are the software components mentioned above deployed. Nevertheless, we see it as part of our responsibility, towards our partners and clients, to keep developing our products continually and even more intensively.

AUTHOR: Bernd Büttner

Bernd Buettner: