We have already read many articles on Heartbleed, one of the biggest Internet threats in recent memory, which came to light when a team of security engineers at Codenomicon discovered it while improving the SafeGuard feature in Codenomicon's Defensics security testing tools.

The story has captured media attention across the world, because the bug let attackers extract sensitive data straight from a server's memory, and almost every major site was running affected code.

UNINTENTIONAL BIRTH OF HEARTBLEED
More than two years ago, German programmer Robin Seggelmann introduced a new feature called "Heartbeat" into OpenSSL, the widely used open-source implementation of the SSL/TLS protocols that social networks, search engines, banks and many other websites rely on for secure connections. But the Heartbeat feature is exactly where the critical bug lives.

According to The Guardian, Dr. Seggelmann was simply trying to improve OpenSSL: while submitting the update that added the Heartbeat feature, an "oversight" led to an error that unintentionally created the "Heartbleed" vulnerability.

Heartbleed is a flaw in OpenSSL's TLS implementation that left cryptographic keys and private data such as usernames, passwords and credit card numbers on many of the most important sites and services on the Internet exposed to attackers, prompting some security researchers to warn users against even their everyday sites for a few days until the problem was fully fixed.
Photo: Robin Seggelmann
The developer is responsible for what may be the biggest Internet vulnerability in recent history, but it came down to a single programming error in the new feature: a missing bounds check on the length the peer claims for its heartbeat payload. He did not notice the missing validation, and unfortunately the code reviewer missed it too before the feature shipped in a released version.
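To make the "missing validation" concrete, here is a simplified model of a heartbeat handler, added as an illustration and not OpenSSL's own code. The vulnerable version trusts the peer-supplied length field and copies that many bytes out of whatever memory follows the record; the hardened version adds the bounds check that was absent. The record layout, the constructed "process memory" buffer, the secret string and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (assumption for this example,
 * not OpenSSL's own code):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16)
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  (1 + 2 + 65535 + HB_PADDING)

/* Constructed "process memory": the incoming record sits at the start, and
 * something sensitive happens to be lying a couple of hundred bytes further on. */
#define MEM_SIZE     4096
#define SECRET_OFF   200
static const char secret[] = "PRIVATE-KEY-MATERIAL";   /* constructed sample secret */
static unsigned char process_memory[MEM_SIZE];
static unsigned char response[HB_MAX_RESP];

/* Writes a heartbeat request whose length field claims `claimed` bytes but
 * which really carries only `payload`. Returns the actual record length. */
static size_t build_request(uint16_t claimed, const char *payload)
{
    size_t plen = strlen(payload);
    unsigned char *p = process_memory;
    memset(process_memory, 0, MEM_SIZE);
    p[0] = HB_REQUEST;
    p[1] = (unsigned char)(claimed >> 8);
    p[2] = (unsigned char)(claimed & 0xff);
    memcpy(p + 3, payload, plen);
    memset(p + 3 + plen, 0xAA, HB_PADDING);                     /* padding bytes */
    memcpy(process_memory + SECRET_OFF, secret, sizeof secret);  /* the data at risk */
    return 1 + 2 + plen + HB_PADDING;
}

/* Vulnerable handler: echoes back as many bytes as the peer's length field
 * claims, never checking that the record actually contains that many. */
static int hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out)
{
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                      /* never consulted: this is the bug */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);  /* over-reads past the record when claimed is a lie */
    memset(out + 3 + claimed, 0xAA, HB_PADDING);
    return (int)(1 + 2 + claimed + HB_PADDING);
}

/* Hardened handler: the check that was missing. The record must hold a header,
 * `claimed` payload bytes and the padding; anything shorter is silently dropped,
 * which is what RFC 6520 requires for an over-long payload_length. */
static int hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    uint16_t claimed;
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + HB_PADDING > rec_len)
        return -1;                      /* claimed length exceeds the record: discard */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);  /* now provably inside the record */
    memset(out + 3 + claimed, 0xAA, HB_PADDING);
    return (int)(1 + 2 + claimed + HB_PADDING);
}

/* Byte-wise search for the secret inside a response. */
static int contains_secret(const unsigned char *buf, int len)
{
    size_t n = strlen(secret);
    for (int i = 0; i + (int)n <= len; i++)
        if (memcmp(buf + i, secret, n) == 0)
            return 1;
    return 0;
}

/* A lying request: claims 1024 bytes of payload, carries 5. */
int vulnerable_response_len(void)
{
    size_t rec_len = build_request(1024, "hello");
    return hb_respond_vulnerable(process_memory, rec_len, response);
}

int vulnerable_leaks_secret(void)
{
    int n = vulnerable_response_len();
    return contains_secret(response, n);
}

int fixed_response_len(void)
{
    size_t rec_len = build_request(1024, "hello");
    return hb_respond_fixed(process_memory, rec_len, response);
}

/* An honest request still gets a normal reply from the hardened handler. */
int honest_response_len(void)
{
    size_t rec_len = build_request(5, "hello");
    return hb_respond_fixed(process_memory, rec_len, response);
}

int main(void)
{
    printf("vulnerable: %d bytes sent back, secret leaked: %s\n",
           vulnerable_response_len(), vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed, lying request: %d (negative = discarded)\n", fixed_response_len());
    printf("fixed, honest request: %d bytes sent back\n", honest_response_len());
    return 0;
}
```

The point to notice is that nothing the vulnerable handler writes is out of bounds; the response buffer is sized from the claimed length, so the bug is purely an over-read of the request, which is why it corrupted nothing, crashed nothing, and went unnoticed.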

"I am responsible for the error," Robin Seggelmann told The Guardian, "because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version."

Robin Seggelmann submitted the OpenSSL code with the Heartbeat feature in an update on New Year's Eve, 2011. That means the flaw sat unnoticed for more than two years.

NSA - A GAME CHANGER OR NOT?
Dr. Seggelmann said it was understandable to assume the bug had been inserted intentionally, especially after Edward Snowden's revelations about surveillance by the US National Security Agency (NSA) and other countries' intelligence agencies.

"But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he said. "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

While denying that he planted the code intentionally, he said it was entirely possible that government intelligence agencies had been exploiting the flaw over the past two years.

"It is a possibility, and it's always better to assume the worst than best case in security matters, but since I didn't know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate," he told The Sydney Morning Herald.
