
Be Still my Bleeding Heart …

“Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.” — Dr. Eugene Spafford, quoted in Web Security & Commerce, p. 9 (S. Garfinkel & G. Spafford, O’Reilly, 1997)

The aptly named Heartbleed bug has become the talk of the town in the mainstream media. It had to happen at some point. After all, people were growing bored with bitcoin news, which seemed to have settled into a stream of scam reports, evangelists claiming it is the new gold rush, and skeptics claiming it is nothing more than a redux.

While the Heartbleed bug was originally reported on December 3, 2013, it was a website by the same name, created on April 5, 2014, that finally ushered it into the media spotlight.

So, what exactly, is Heartbleed, and why do (or should) we care? To better understand the situation as well as the potential impact, a short history walk is in order.

In February of 2012, a Request for Comments (RFC 6520) was published proposing a means of providing keep-alive functionality within the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols. This proposal was called the “Heartbeat” extension. It was within this extension that the Heartbleed bug was found.

And what is this bug?

In basic terms, the “Heartbeat” extension returns as many payload bytes as the client’s request claims to contain, without first checking whether that claimed length exceeds the number of bytes the client actually sent. If the claimed length is larger than the data received, the copy runs past the end of the request buffer, and whatever happens to reside in memory beyond that boundary is sent back to the client.

So, for example, the client sends a heartbeat request containing 2 bytes of data while claiming the message payload is 65536 bytes. The heartbeat extension would then return 65536 bytes of data, as opposed to the initial two bytes, thereby responding with data that could be anything from pure gibberish to customer data, such as usernames/passwords, credit card information, private messages, email correspondence, or in some cases, the server’s private SSL key. What comes back depends upon what resides in memory beyond the breached buffer boundary, as well as the server’s primary function (i.e., a subscription news service, email service provider, social networking site, ecommerce site, bank, etcetera).
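To make the missing check concrete, here is an added example in C (it is neither OpenSSL’s code nor part of the original post): a miniature heartbeat handler written two ways, once trusting the peer’s payload_length field as the post describes, and once applying the length comparison RFC 6520 requires. The record layout (type, 16-bit big-endian length, payload, at least 16 bytes of padding) follows RFC 6520; the 64-byte claim, the two-byte payload and the neighbouring “secret” are constructed test data, and the record and the secret are placed in one array so that the over-read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 heartbeat message layout:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_PAD_LEN   16
#define ARENA_LEN    256

static unsigned hb_read_len(const uint8_t *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/* Copies the header plus 'claimed' payload bytes from rec into out and appends zero padding. */
static void hb_build_response(const uint8_t *rec, unsigned claimed, uint8_t *out)
{
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed);
    memset(out + HB_HDR_LEN + claimed, 0, HB_PAD_LEN);
}

/* Vulnerable handler, modelled on the missing check the post describes (not OpenSSL's code).
 * It echoes payload_length bytes without comparing that figure to the bytes actually received,
 * so the memcpy reads past the end of the record whenever the peer lies about the length.
 * Returns the response length, or -1 if the response buffer is too small. */
int hb_respond_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                    /* the received length is never consulted */
    unsigned claimed = hb_read_len(rec + 1);
    size_t resp_len = HB_HDR_LEN + claimed + HB_PAD_LEN;
    if (resp_len > out_cap) return -1;
    hb_build_response(rec, claimed, out);
    return (int)resp_len;
}

/* Fixed handler. RFC 6520 requires a message whose payload_length is too large for the bytes
 * received to be discarded silently; 1 type + 2 length + 16 minimum padding must also fit. */
int hb_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_PAD_LEN) return -1;            /* cannot even hold a header */
    unsigned claimed = hb_read_len(rec + 1);
    if (HB_HDR_LEN + claimed + HB_PAD_LEN > rec_len) return -1;  /* the bounds check Heartbleed lacked */
    size_t resp_len = HB_HDR_LEN + claimed + HB_PAD_LEN;
    if (resp_len > out_cap) return -1;
    hb_build_response(rec, claimed, out);
    return (int)resp_len;
}

/* Constructed stand-in for whatever happens to sit in memory next to the record. */
static const char SECRET[] = "constructed-secret-do-not-leak";

static int contains_bytes(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* The post's scenario in miniature: a request carrying 2 payload bytes whose length field claims
 * 64. Record and secret share one arena so the over-read stays inside memory this program owns;
 * on a real server it would walk into whatever the allocator placed after the record. */
static void build_forged_request(uint8_t *arena, size_t *rec_len_out)
{
    size_t rec_len = HB_HDR_LEN + 2 + HB_PAD_LEN;             /* 21 bytes actually received */
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST;
    arena[1] = 0;
    arena[2] = 64;                                            /* payload_length claims 64 bytes */
    arena[3] = 'h';
    arena[4] = 'i';                                           /* the 2 bytes really sent */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);           /* neighbouring memory */
    *rec_len_out = rec_len;
}

/* Returns 1 if the unchecked handler's reply carries the neighbouring secret, else 0. */
int demo_unchecked_leaks_secret(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t rec_len;
    build_forged_request(arena, &rec_len);
    int n = hb_respond_unchecked(arena, rec_len, out, sizeof out);
    return n > 0 && contains_bytes(out, (size_t)n, SECRET);
}

/* Returns the checked handler's result for the same forged request: -1 means silently discarded. */
int demo_checked_discards_forged(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t rec_len;
    build_forged_request(arena, &rec_len);
    return hb_respond_checked(arena, rec_len, out, sizeof out);
}

/* Returns the checked handler's response length for an honest 2-byte heartbeat (expected 21). */
int demo_checked_answers_honest(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t rec_len;
    build_forged_request(arena, &rec_len);
    arena[2] = 2;                                             /* length field now tells the truth */
    return hb_respond_checked(arena, rec_len, out, sizeof out);
}
```

The single comparison in hb_respond_checked is the whole difference between the two handlers: the forged record is dropped with -1, the honest record is answered with the 21 bytes it is entitled to, and the same forged record fed to the unchecked handler yields a reply containing the neighbouring bytes. It is also why a code review can miss this class of bug, as the post goes on to say: nothing in the unchecked version looks wrong unless the reviewer asks where the length being copied came from.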

Sidenote: for the tl;dr crowd, here’s an xkcd cartoon that demonstrates how this bug can be exploited.

While this bug has existed for a little over two years, the likelihood that consumer data (or even a server’s private keys, for that matter) was compromised is arguably quite negligible. Negligible is, of course, relative. Even if only 1% of the servers containing the bug were compromised, that would still mean that we’re looking at approximately 5K potentially compromised servers (based upon reports that more than half a million sites have been affected by this bug). Out of these proposed 5K compromised servers, the probability that a server returned relevant data (i.e., private user data and/or private server keys) is, again, arguably negligible. This is because thousands of heartbeat requests would be required to return even a minuscule amount of relevant data, and that relevant data would then have to be sorted from the gibberish returned alongside it.

This is not to suggest that it cannot be done. However, prior to the public disclosure of this bug, the likelihood that it was being exploited was minuscule. This has now changed. The risk of data loss increases exponentially now that the information regarding this bug has been widely disseminated, at least for those sites that have yet to patch their servers with the since-released OpenSSL update and to update their SSL keys.

And this is what has people’s dander up. Various security pundits are urging users to change their passwords, while other parties scour the web and publish lists of vulnerable sites. Still others are alleging the bug was deliberate. That last bit is highly doubtful. Bugs that disclose memory contents can and do occur, unfortunately all too often, and code reviews will not necessarily catch them, as this case proves.

While it is still too soon to know the damage wreaked by this particular bug, this too shall pass, though it will doubtfully go quietly into the night. Rest assured, however, that another bug will come along that will make this one look benign. The future bug will likely involve a massive data breach within the cloud space. Why? Because, although the cloud is convenient, it is just begging to be hacked. Data is, after all, the new gold. And solid security protocols require much, much more than sound code implementations and hardened firewalls.

They require support personnel who do not divulge user data during customer calls; IT admins who do not hand out passwords just because a user claims to have lost theirs; office workers who do not lose laptops or USB drives containing sensitive customer data while on business trips; and employees who do not visit pr0n sites and/or download attachments while at work, resulting in internally infected networks. And, last but certainly not least, they require end users who have taken the time to educate themselves about practicing their own security protocols.

Sound security protocols are, of course, moot in the case of this particular bug, at least from the user standpoint. As for the companies? They’ve been handing out our data for years. Freemium services, after all, must be paid for by someone. Nevertheless, as it stands today, hackers do not require bleeding hearts to get at user data. And just perhaps, after a few more serious data breaches (or, arguably as in this case, data breach scares), people just might get a clue or two or ten with regard to how truly insecure their data actually is. That, or they’ll be lulled back into their false sense of security as the specter of this particular bug becomes a distant memory.