What is Heartbleed?
On April 7, 2014, it was announced that a computer bug known as “Heartbleed Bug” has been exposing allegedly secure information around the world. Heartbleed Bug, essentially an information leak, is allowing outsiders to gain access to personal information intended to be secure on the internet. The bug has gone undetected since October, 2011.
Security researchers from Google, Inc. and Finnish security firm Codenomicon uncovered the threat in OpenSSL software – one of the most omnipresent software packages in use on the internet. Secure websites – containing “https” in the URL (“S” meaning secure) – make up 56% of websites, and almost half were susceptible to the bug. Theoretically, cybercriminals could take advantage of Heartbleed by making network requests in order to collect sensitive data.
How was Heartbleed Discovered?
Heartbleed was found while the Codenomicon team was improving the SafeGuard feature in their Defensics security testing tools. According to CNN, two-thirds of the web sites and applications that allow for online banking or private communication through e-mail, voice or instant message use OpenSSL to protect your communications. OpenSSL is also used to lock virtual private networks used by employees to connect with corporate networks looking to protect confidential information.
Who was Effected by the Bug?
Popular sites like Google, TurboTax, Facebook, OKCupid, Tumblr, and Yahoo, among countless others, were all effected by the bug. Despite the claim that the sites have taken the necessary steps to purge the threat of the bug, most sites are encouraging users to update their passwords to further ensure the safety of their personal information.
Codenomicon CEO David Chartier says, “Although there is a way to close the security hole, there continue to be reasons for concern. Due to the large number of web servers relying on OpenSSL software, information passing through hundreds of thousands of websites could still be vulnerable, despite the protection offered by encryptions.”
Is Your Website Vulnerable?
At this time, it has been reported that no cyberattackers have utilized this error to obtain personal information from the web, however, proper response steps should be taken to avoid any potential hacks. You should first check which sites have been affected by Heartbleed. While multiple sites have provided lists of the affected URLs, password security firm Lastpass has created a Heartbleed Checker. This program will allow you to enter the URL of any website, check its vulnerability and whether the site has issued a patch.
Changing any passwords protecting sensitive information is important. Now is the time to update passwords for sites that have already issued a patch. Since hackers are currently aware of the flaw in OpenSSL, it is more likely they will attempt to gather personal information from the web (although the chances of your password being acquired and then matched to your username are slim). If sites and services have yet to install a patch, updated passwords will still be susceptible to the bug and attackers. Wait until sites have given the all clear before making any updates. Also, be cautious when using a shared Wi-Fi network. Cybercriminals have prime access to web activity when a network is being shared.
Silver Lining
Although Heartbleed is a detrimental flaw, there is a silver lining. Affected service providers have an opportunity to upgrade security strength. Software updates are often overlooked, but due to the sense of urgency the bug creates, providers will carry out all updates properly and in a timely manner. Heartbleed has been a huge blow to the security community, but knowing that the infrastructure of cybercriminals and their secrets has been exposed will allow us all to move forward with confidence.
Sources:
http://heartbleed.com
http://www.engadget.com/2014/04/12/heartbleed-explained/
http://www.cnn.com/2014/04/09/opinion/wisniewski-heartbleed-bug-endangers-all/index.html?iid=article_sidebar
https://www.npr.org/2014/04/12/302353900/diagnosing-and-treating-the-internets-heartbleed-bug
http://www.npr.org/blogs/alltechconsidered/2014/04/08/300602785/the-security-bug-that-affects-most-of-the-internet-explained
http://mashable.com/2014/04/09/heartbleed-what-to-do/