Internet Security sleepless Night: "Heart bleeding", ripple net silver electric Dealer

Last night (April 8) was the sleepless nights for hackers and white hats. Some of them are partying, one by one into the heavily guarded website, patiently collect leaked data, put together the user's plaintext password, and some are hard to upgrade the system, statistical vulnerability information, but also ready to convince the customer's rhetoric, so that they realize the seriousness of the problem; and of course, Uncle Miao is so busy not too big, desperate to fill safety common sense, Looking for expert interviews, trying to record this historic night.

This night, the Internet portal is open.

Basic security protocol "heart Bleed"

Beijing knows the cosine of the company in the computer screen before the sleepless night. As a high-speed development of the Security Enterprise Research Department Director, cosine in the domestic hacker circle seniority. He briefed Uncle Miao on the origins of the incident. The vulnerability was discovered by security company Codenomicon and Google security engineers and submitted to the relevant authorities, which soon released a bug fix. On April 7, programmer Sean Cassidy A detailed description of the vulnerability mechanism on his blog.

He disclosed that there was a vulnerability in OpenSSL's source code that would allow an attacker to obtain data content in 64K of memory on the server. This part of the data may contain data such as security certificates, user names and passwords, chat tool messages, e-mail messages, and important business documents.

OpenSSL is currently the most widely used secure transmission method on the Internet (SSL is the full Set layer protocol). It can be approximated to say that it is the largest sales lock on the Internet. And Sean broke the loophole, so that a specific version of the OpenSSL can be opened without a key to open the scrap lock, the intruder each time rake the head of the 64K information, as long as there is enough patience and time, he can rake enough data, pieced together the head of the bank password, letters and other sensitive data; If the head of the household is unlucky to be a store-opening or bank-owner, the most sensitive personal data of the user who buys and saves money here may be acquired by the intruder.

A security industry insider disclosed that he had tried to read the data on a famous electric dealer's website, and after reading 200 times, he had obtained more than 40 user names and 7 passwords, using which he successfully logged into the site.

The researchers gave the loophole an image name: Heartbleed, Heart bleeding. This night, the Internet's security core began to drip blood.

China has at least 30,000 machines "diseased"

Some security researchers believe the vulnerability may not be as significant because the OpenSSL 1.01-series version, which is affected by the vulnerability, is not widely deployed on the Internet.

The senior security workers in China, the chief architect of the Tian ' an laboratory, and Jianghai customers disagree. He warned on Weibo: "This time, the wolf really came."

Cosine to the problem of a precise quantitative analysis. In the sleepless nights of April 8, he was more focused on scanning the Zoomeye system, in addition to tracking the latest developments in real time on Twitter and in various forums. According to the system scan, there are 1601250 machines throughout China using 443 ports, of which 33,303 are affected by this OpenSSL vulnerability!443 port is only a common port of OpenSSL for encrypted Web access, and other services such as mail, instant messaging and other ports used, Due to the time relationship, yet to be scanned.

Zoomeye is a security analysis system, its work is similar to Google, will continue to crawl the global Internet servers, and record the hardware configuration of the server, software environment and other indicators, generate fingerprints, regular contrast, to determine whether there is a vulnerability or intrusion of the server. In this "heart bleed" flaw detection, cosine to the system followed by a "physical examination" system, filtering out the use of problems OpenSSL server, you can get the security risks of the server scale.

From the system "physical examination" results, more alarming than 30,000 problem servers, is the distribution of these servers: some of them in the Bank network banking system, some are deployed in third-party payments, and some in the large electric business site, and some in the mailbox, instant messaging system.

Hackers and security experts from around the world have been competing since the leak was burst. The former is constantly testing various types of servers, trying to crawl from the vulnerability to the maximum number of user-sensitive data, the latter is racing against the clock to upgrade the system, to make up for loopholes, it is too late to implement the temporary closure of some services. This, cosine says, is the most dangerous place at the moment: Hackers are already on the move, and some companies are still sleeping. And if the hacker invades the server, the damage is far more than one individual, but also includes a large number of user-sensitive data stored in the corporate database. Even more troubling, this loophole actually appeared in 2012, so far more than two years, who does not know whether the hacker has exploited the user data, and because the vulnerability will not leave traces in the server log, so there is no way to confirm which servers have been invaded, can not locate the loss, Confirm the leaking information and notify the user of the remedy.

The answer to the problem and the new problem

At present, Zoomeye is still continuously to the global server "Physical examination", this process takes about 20 hours. By contrast, it takes only about 22 minutes for a domestic server to undergo a physical checkup, and a 30,000 + "sick" server that repeats a medical checkup for only two minutes. Currently, cosine has submitted the list to CNCERT/CC (National Internet Emergency Response Centre), which carries out national early warning. However, in addition to mobile, unicom and other such large enterprises, Cncert also did not force to ensure that other companies see the warning content, the end may still need to continue to expose some "sick" servers, so as to force the relevant companies to pay attention to the loophole.

And during the patch, ordinary consumers and companies should take relevant measures to avoid risk. For ordinary users, Cosine recommends that you do not use internet banking, electronic payments, and dealer shopping to avoid user passwords being captured by hackers who have been exploited. A bank friend told me that it would take two days for them to make up the loophole. These two days we had better not login net silver, confirm security and then log on. If you've already logged in, consider changing your password. ”

And the user's passive risk aversion, the relevant Internet enterprises should be the initiative to upgrade as soon as possible. Upgrade to the latest OpenSSL version, you can eliminate this vulnerability, which is currently the most convenient way for enterprises. After the upgrade, however, you should theoretically notify the user to replace the security certificate (because the vulnerability exists, the certificate's key may have been compromised), and notify the user to modify the password as much as possible. After these two measures, enterprises will face a great price, and only through the media as far as possible to expose, so that aware users to download the certificate and modify the password themselves.

Because of "heart haemorrhage" the flaw widespread and the concealment, in the next few days may also have the question to burst out successively. In the rapid development of the Internet today, some of the protocol level, the emergence of infrastructure-level vulnerabilities, may be to discourage people to use the Internet confidence, but objectively also make the problem timely exposure, in the event of greater losses in time to be made up. As individuals in the body, it may be more responsible to take the initiative and strengthen self-protection than to entrust security and the future.