Thursday, April 10, 2014

Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data


For a more detailed analysis of this catastrophic bug, see this update, which went live about 18 hours after Ars published this initial post.
Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.
The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.
"Bugs in single software or library come and go and are fixed by new versions," the researchers who discovered the vulnerability wrote in a blog post published Monday. "However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously."
The researchers, who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks. The risk stems from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies. Members of the Tor anonymity project have a brief write-up of the bug here, and this analysis provides useful technical details.
OpenSSL is by far the Internet's most popular open-source cryptographic library and TLS implementation. It is the default encryption engine for Apache and nginx, which according to Netcraft together run 66 percent of websites. OpenSSL also ships in a wide variety of operating systems and applications, including the Debian Wheezy, Ubuntu, CentOS, Fedora, and openSUSE distributions of Linux, as well as OpenBSD and FreeBSD. The missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension affects OpenSSL 1.0.1 through 1.0.1f.
The bug, which is officially referenced as CVE-2014-0160, makes it possible for attackers to recover up to 64 kilobytes of memory from the server or client computer running a vulnerable OpenSSL version. Nick Sullivan, a systems engineer at CloudFlare, a content delivery network that patched the OpenSSL vulnerability last week, said his company is still evaluating the likelihood that private keys appeared in memory and were recovered by attackers who knew how to exploit the flaw before the disclosure. Based on the results of the assessment, the company may decide to replace its underlying TLS certificate or take other actions, he said.
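The "missing bounds check" above is easiest to see in code. The following is an added illustration, not code from OpenSSL or from the researchers: a minimal validator for the RFC 6520 heartbeat message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding). The final comparison in `heartbeat_parse` is the check the vulnerable versions lacked: the header's claimed payload length is compared against the number of bytes actually received before anything is copied into a response. The function names, the `heartbeat_t` struct, and the two sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Parsed view of one heartbeat message; `payload` points into the record. */
typedef struct {
    uint8_t        type;
    uint16_t       payload_len;   /* length claimed in the 2-byte header */
    const uint8_t *payload;
} heartbeat_t;

/*
 * Validate a received heartbeat record of `rec_len` bytes.
 * Returns 1 and fills `out` if the claimed payload (plus the 1-byte type,
 * 2-byte length and minimum padding) fits inside the bytes actually
 * received; returns 0 otherwise. The last comparison is the bounds check
 * that OpenSSL 1.0.1 through 1.0.1f lacked: without it, a response is
 * built from `payload_len` bytes of whatever follows the record in memory.
 */
int heartbeat_parse(const uint8_t *rec, size_t rec_len, heartbeat_t *out)
{
    if (rec == NULL || out == NULL)
        return 0;
    /* Smallest legal message: type + length + 16 bytes padding, no payload. */
    if (rec_len < 1 + 2 + HB_MIN_PAD)
        return 0;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return 0;
    uint16_t claimed = (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
    /* The check that was missing: trust the wire length, not the header field. */
    if ((size_t)1 + 2 + claimed + HB_MIN_PAD > rec_len)
        return 0;
    out->type        = rec[0];
    out->payload_len = claimed;
    out->payload     = rec + 3;
    return 1;
}

/*
 * Build a heartbeat_response for a validated request into `out`.
 * Returns the number of bytes written, or 0 if the request is rejected
 * or the output buffer is too small. Padding is zeroed here so the example
 * is deterministic; a real implementation fills it with random bytes.
 */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    heartbeat_t hb;
    if (!heartbeat_parse(rec, rec_len, &hb) || hb.type != HB_REQUEST)
        return 0;
    size_t need = (size_t)1 + 2 + hb.payload_len + HB_MIN_PAD;
    if (need > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(hb.payload_len >> 8);
    out[2] = (uint8_t)(hb.payload_len & 0xFF);
    memcpy(out + 3, hb.payload, hb.payload_len);   /* only validated bytes */
    memset(out + 3 + hb.payload_len, 0, HB_MIN_PAD);
    return need;
}

/* Constructed sample: a well-formed request carrying the 5-byte payload "hello". */
static const uint8_t SAMPLE_REQUEST[24] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes of padding */
};

/* Constructed sample: the same 24 bytes, but the header claims a 65535-byte
 * payload that was never sent. A correct parser must reject this record. */
static const uint8_t OVERCLAIMED_REQUEST[24] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
```

The point for defenders is where the length comes from: `rec_len` is what the TLS record layer actually delivered, while `claimed` is an attacker-controlled field. Every copy must be sized by the former, and that is the one-line fix that version 1.0.1g shipped.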

Attacking from the outside

The researchers who discovered the vulnerability, however, were less optimistic about the risks, saying the bug makes it possible for attackers to surreptitiously bypass virtually all TLS protections and to retrieve sensitive data residing in the memory of computers or servers running OpenSSL-powered software.
"We attacked ourselves from outside, without leaving a trace," they wrote. "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
They called on white-hat hackers to set up "honeypots" of vulnerable TLS servers designed to entrap attackers in an attempt to see if the bug is being actively exploited in the wild. The researchers have dubbed the vulnerability Heartbleed because the underlying bug resides in the OpenSSL implementation of the TLS heartbeat extension as described in RFC 6520 of the Internet Engineering Task Force.
The OpenSSL vulnerability is the latest to threaten the HTTPS scheme that's the default and often only method for cryptographically protecting websites, e-mail, and other Internet communications from attacks that allow hackers to eavesdrop on end users or impersonate trusted websites. Last month, developers of the GnuTLS library disclosed an equally catastrophic bug that left hundreds of open-source applications open to similar attacks. And in February, Apple fixed an extremely critical vulnerability in the iOS and OS X operating systems that also made it possible for hackers to bypass HTTPS protections.

Iowa State scientist developing materials, electronics that dissolve when triggered


A medical device, once its job is done, could harmlessly melt away inside a person's body. Or, a military device could collect and send its data and then dissolve away, leaving no trace of an intelligence mission. Or, an environmental sensor could collect climate information, then wash away in the rain. It's a new way of looking at electronics: "You don't expect your cell phone to dissolve someday, right?" said Reza Montazami, an Iowa State University assistant professor of mechanical engineering. "The resistors, capacitors and electronics, you don't expect everything to dissolve in such a manner that there's no trace of it."
But Montazami thinks it can happen and is developing the necessary materials.
He calls the technology "transient materials" or "transient electronics." The materials are special polymers designed to quickly and completely melt away when a trigger is activated. It's a fairly new field of study and Montazami says he's making progress.
The research team he's leading, for example, is developing degradable polymer composite materials that are suitable platforms for electronic components. The team has also built and tested a degradable antenna capable of data transmission.
The team presented some of its research results at the recent meeting of the American Chemical Society in Dallas.
And, a paper describing some of the team's work, "Study of Physically Transient Insulating Materials as a Potential Platform for Transient Electronics and Bioelectronics," has just been published online by the journal Advanced Functional Materials.
The paper focuses on the precise control of the degradation rate of polymer composite materials developed for transient electronics.
Montazami is the lead senior author of the paper. Iowa State co-authors are Nastaran Hashemi, an assistant professor of mechanical engineering; Handan Acar and Simge Cinar, postdoctoral research associates in mechanical engineering; and Mahendra Thunga, a postdoctoral research associate in materials science and engineering and an associate of the U.S. Department of Energy's Ames Laboratory. Michael Kessler, formerly of Iowa State and now professor and director of Washington State University's School of Mechanical and Materials Engineering in Pullman, is also a co-author.
The research has been supported by Montazami's startup funds from Iowa State. He's pursuing grants to support additional projects.
"Investigation of electronic devices based on transient materials (transient electronics) is a new and rarely addressed technology with paramount potentials in both medical and military applications," the researchers wrote in the paper.
To demonstrate that potential, Montazami played a video showing a blue light-emitting diode mounted on a clear polymer composite base with the electrical leads embedded inside. Add a drop of water and the base and wiring begin to melt away. Before long the light goes out and a second drop of water degrades what little is left.
The researchers have developed and tested transient resistors and capacitors. They're working on transient LED and transistor technology, said Montazami, who started the research as a way to connect his background in solid-state physics and materials science with applied work in mechanical engineering.
As the technology develops, Montazami sees more and more potential for the commercial application of transient materials.
Just think, he said, if you lose your credit card, you could send out a signal that causes the card to self-destruct. Or, sensors programmed to degrade over certain times and temperatures could be stored with food. When the sensors degrade and stop sending a signal, that food is no longer fresh. Or, when soldiers are wounded, their electronic devices could be remotely triggered to melt away, securing sensitive military information.

How Google Glass is helping Parkinson's sufferers

Newcastle University is trialling new technology to help patients suffering from Parkinson's disease live more independently by reminding them to swallow, speak up and take their medication


Google Glass is being used by people suffering from Parkinson’s disease in a groundbreaking experiment to see if the technology can help improve their day-to-day lives.
The technology, which is not yet available in Britain, reminds the patients to take their medication, contacts relatives in an emergency and can even prevent debilitating episodes of paralysis – known as ‘freezing.’
The system works like a hands-free smartphone, displaying information on the lens of the Glass. It is voice-operated and linked to the internet.
Doctors at Newcastle University have created a programme that helps control behaviour associated with Parkinson's, such as reminding the individual to speak up or to swallow to prevent drooling.
“The beauty of this research project is we are designing the apps and systems for Glass in collaboration with the users so the resulting applications should exactly meet their needs,” said Dr John Vines of the School of Computing Science.

"What was really encouraging from this early study was how well our volunteers took to the wearable technology and the fact that they could see the potential in it."
Parkinson's disease is a progressive neurological condition affecting around 127,000 people in Britain, one in 500.
It affects motor symptoms and can cause the muscles to go rigid, tremor or slow down, which affects balance, gait and arm and facial movements.
‘Motor blocks’ affect people's legs during walking causing them to 'freeze'; speech and voice are typically affected in terms of volume and clarity and the automatic swallowing mechanism is switched off so individuals often drool.
PhD student Roisin McNaney, a speech and language therapist, said the big challenge is finding technology that is not only useful to people but is also discreet.
"People with Parkinson's are already coping with so much and one of the main causes of social isolation is the stigma around behaviours such as drooling and tremor which they have no control over.
"The last thing we want is a system of cueing which is so obvious it adds to people's overall embarrassment."
Ken Booth, 56, from County Durham, who was first diagnosed with Parkinson's in 1991, has been trialling the new system.

"They're just fantastic. The potential for someone with Parkinson's is endless. For me the biggest benefit was confidence. When you freeze your legs stop working but your body carries on moving forward and it's easy to fall.
"Because Glass is connected to the internet you can link it to computers and mobile phones. So if you're alone you just have to look through the Glass and carers, friends or relatives will be able to see exactly where you are and come and get you. Or you just tell it to call someone and it rings them."
Using it as a medication reminder is another of the applications the Newcastle University team is looking at.
"The drugs don't cure Parkinson's, they control it so it's really important to take the medication on time," said Mr Booth.
"I was taking two or three different drugs every two hours, different combinations at different times of the day; some with water, some with food, the instructions are endless. Having a reminder that is literally in your face wherever you are and whatever you are doing would really help."
Lynn Tearse, 46, a retired teacher who was diagnosed with Parkinson's in 2008, added: “People would probably say you can do all these things on a smartphone but actually, with Parkinson's, negotiating a touch screen is really difficult.
"It's not just the tremor. During a 'down time' when the medication is starting to wear off and you're waiting for the next lot to kick in it can be like trying to do everything wearing a pair of boxing gloves. Your movements are very slow and your body won't do what you want it to."
Miss Tearse said Google Glass could also be hugely helpful to unlock the brain when it 'freezes'.
"No-one really understands why it happens," explains Lynn, "but it happens when the flat surface in front of you breaks up or the space in front of you narrows such as a doorway. Revolving doors are particularly bad.
"Your legs gradually freeze up and the difficulty is getting started again. The brain seems to need a point beyond the blockage to fix on and people use different things.
“This is where Glass could really make a difference."