CYBERSPACE — The “Heartbleed” security bug has been widely patched across the internet, and the panic that accompanied the public disclosure of the flaw is now winding down. Efforts to discover the individual or individuals responsible for the mess, however, are just getting started.
The Heartbleed security flaw exploited a weakness in OpenSSL system’s “Heartbeat Request” function, where the link between a server and a computer sharing a secure connection is tested by the transmission of a request packet. The packet contains a tiny amount of information from the computer that is supposed to be answered by the server by sending that same information back to the source of the query.
The Heartbleed bug was exploited by hackers sending a malformed heartbeat request with a small data payload and an inappropriately large length field to the server. The server randomly filled in the blank field with random data from its recently discarded SSL memory.
While attackers would have no control over what data was sent back, they could fish for sensitive data, including server’s private master key and well as user’s passwords, cookies and other compromising data.
Conspiracy theories implicating the NSA in the Heartbleed fiasco continue to be batted about. Some say that the flaw was introduced into OpenSSL at their direction, while others allege the NSA was aware of this vulnerability for some time and withheld the information lest it curtail their intelligence-gathering activities.
The US government denies involvement in the Heartbleed flaw and also denies that it used the bug as a tool to obtain sensitive data. Documents released via the Edward Snowden leaks show that the agency was working on cracking SSL via a program they had dubbed BULLRUN.
A German software developer, Dr. Robin Seggalmann, who as it turns out was the individual who introduced the errant code, has stepped forward to take responsibility for the mistake, which was added to OpenSSL over two years ago as part of a project to fix bugs and add features to the existing software code. The small error missed validation of message length, an error also missed by another OpenSSL programmer named Dr. Steven Henson.
