What is the Heartbleed Bug?
Credit: Opensource

If you have any knowledge of how messages are transmitted across the internet, you are probably amazed that anything ever arrives at the right place all in one piece. At the same time, you probably have a gut wrenching feeling that nothing is truly safe or secure on the net. In fact, I am beginning to think it is impossible to completely secure it.

As more and more retailers and banks try to get us to do our business online, the thought of all of your personal and credit card data being swiped as it is sent is not comforting.

The latest issue is something called the Heartbleed bug. It exploits a vulnerability in the OpenSSL program that is used to encrypt all of the data we send online. However, the potential headaches this latest one will cause are much more serious than having passwords stolen.[2] No one in the tech world knows who has the keys and certificates to the kingdom right now.

The bug works by allowing access to data from a server’s memory. And all it takes is a simple script available online for hackers to exploit any website that uses the free OpenSSL system of authentication. This allows a hacker to go in and scrape the data to reconstruct usernames, passwords and all of the traffic going across that server.

Whether you realize it or not, you have dealt with OpenSSL if you have used a banking website or any site where a financial transaction takes place. Usually an encrypted site will have a green padlock icon in the address bar followed by https. The “s” at the end signifies that your data is encrypted. Feel better now?

The vulnerability was discovered last week by Google and a security company called Codenomicon.[2]

It exploits a programming error within the SSL code that has been out for some time now. Internet experts suggest the bug has been around since 2012 but is just now working its way into the system to cause problems which allowed it to be discovered. Since almost 2/3 of the servers on the internet use OpenSSL, there is no simple fix.
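The programming error, shown as an added example (a simplified model written for this page, not OpenSSL's source code): the flaw was in OpenSSL's handling of TLS "heartbeat" messages, where the sender states how long its payload is and the server echoed that many bytes back without checking the claim against what it actually received. The function names, buffer sizes and sample records below are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16  /* minimum padding required after the payload */

/* Payload length as claimed by the sender (big-endian field). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the end of the received record that a handler would read
 * if it trusted the claimed length. Nonzero means adjacent server
 * memory would be copied into the reply. Nothing is read here. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t wanted = HB_HEADER + hb_claimed_len(rec);
    return wanted > rec_len ? wanted - rec_len : 0;
}

/* Hardened handler: echo the payload only when the claimed length fits
 * inside the record that arrived. Returns bytes written, or -1 to drop. */
int hb_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;           /* too short */
    size_t claimed = hb_claimed_len(rec);
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1; /* length lies */
    if (claimed > out_cap) return -1;                          /* no room */
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}

/* Constructed sample records (not captured traffic): both carry the
 * 4-byte payload "ping"; the second claims a 16384-byte payload. */
static uint8_t honest[HB_HEADER + 4 + HB_PADDING] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static uint8_t lying[HB_HEADER + 4 + HB_PADDING]  = {1, 0x40, 0x00, 'p', 'i', 'n', 'g'};
static uint8_t out_buf[64];

int main(void) {
    /* The honest record is echoed; the lying one is silently dropped. */
    int ok = hb_reply(honest, sizeof honest, out_buf, sizeof out_buf) == 4 &&
             hb_reply(lying, sizeof lying, out_buf, sizeof out_buf) == -1;
    return ok ? 0 : 1;
}
```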

Yesterday, Tumblr was the latest site to announce they are dealing with issues caused by the bug and urged users to change their password.[1]

Not surprisingly, Yahoo, which owns Tumblr, is suffering also, so if you use Yahoo Mail, you might want to change your password right now.

Then again, some security experts suggest that you wait until websites give the all clear because if the issue has not been resolved, hackers could steal your new password again. Sometimes sites like Yahoo force you to change your password if they suspect a major intrusion as they did earlier this year, however I have received no such prompting as of yet.

I have a Yahoo personal email account and they seem to be having more security issues than other providers such as Google or Hotmail. However, with Google, your data might be more secure, but it is far from private.  I am starting to migrate more and more to my Comcast email address. They spy too, but since they are my internet provider, they already know everything about my surfing habits anyway.

A patch to fix the vulnerability within OpenSSL has already been pushed out through updates; however, there is more work to be done by each company on their website to fully implement the patch.

For now, what should you do?

Security experts are actually recommending that you not log in to any sensitive site that may have been affected for the next few days. If you are thinking your password protected wireless home network protects your information, you are missing the point. Yes, it keeps people out of your network; however, when you send login information out across the net, it enters the wild west. That is why this latest bug is rocking the tech world. Previously that data was thought to be secure through the encryption process, but because of the reasons already discussed, it has the capability to be compromised if you send it to a website that has not addressed the vulnerability. Cisco and Juniper servers have been hit particularly hard by the bug and they are working on fixing it around the clock. However, the software within home routers appears to have not been affected by the bug.

Before you rush out and change passwords, make sure the site has given the all clear or it is possible that your new password would be stolen again in the same way.

However, according to CNN, you should change the passwords for the following sites immediately because they were recently patched.[1]

  • Google, YouTube and Gmail
  • Facebook
  • Yahoo, Yahoo Mail, Tumblr, Flickr
  • OKCupid
  • Wikipedia

If you have any doubts about any other websites you use, you can find domain verification sites online which will test the domain name in question and let you know if it is still vulnerable or if a patch has been issued.

Once the site displays an update about the status of the vulnerability, start with financial and data sensitive sites like banking, then email accounts. Unfortunately a lot of companies are not saying whether their data was exposed fearing customer backlash similar to what Target experienced last year when news of customer data exposure came to light. 

If a website offers a two-step authentication process, enable that option. This typically involves a website sending a code to your cell phone in the form of a text message for you to enter.



Although a fix for this latest issue is out, the larger question is how much damage has been done. No one will know for months or years to come. People are not robbing banks any more. That is not where the real money is at. Information is the new currency and instead of stealing thousands of dollars from banks, vulnerabilities like this have the potential for millions, even billions in monetary losses, not to mention the psychological damage it does to people banking or shopping online.

There are better technologies out there for encryption including one called Perfect Forward Secrecy which more and more companies have been implementing, albeit slowly. This encryption method has one key difference from OpenSSL in that the keys used to encrypt expire after a certain period of time, then are reassigned. I suspect after this latest vulnerability, they will step up the pace to implement it.

Heartbleed Update