The Heartbleed Bug – What You Need to Know Now

One week ago, it was announced that a new security threat had been discovered on the Internet, one that has affected many of the most commonly used sites such as Facebook and Instagram. This threat, known as the Heartbleed bug, was discovered by a member of Google’s security team and by researchers from a company called Codenomicon, which subsequently named and publicized the bug in order to prompt affected sites to apply the needed fixes.

Not surprisingly, there was a lot of immediate confusion, hysteria and misinformation making the rounds. Now that the dust has settled a little, here is what you as an Internet user still need to know in order to keep your information safe.

What is Heartbleed?

First, Heartbleed is not a virus. It’s a software bug in a certain type of software used by websites to encrypt Internet traffic. This software, known as SSL (Secure Socket Layer) software, kicks in on the web server when you type in a URL that starts with HTTPS instead of HTTP. In other words, the software is on the remote web server, not your machine.

The bug has been in circulation since March 2012. The particular brand of SSL software in question, OpenSSL, is open source, meaning that its source code is freely available and it is developed collaboratively by independent programmers. A fix for the bug was released on April 7, 2014, the same day the bug was announced.

The Heartbleed bug is so named because it was found in a software extension called the Heartbeat extension which simplifies the process of maintaining secure communication links over the Internet. In computing, machines that are linked to each other exchange periodic signals known as heartbeats to verify the integrity of the link. The Heartbleed bug allows up to 64 KB of data in memory to be leaked to a hacker with every system heartbeat, thus the name Heartbleed.

Hackers exploit the bug by sending a special heartbeat signal to the web server requesting back a larger amount of data than the heartbeat contains. Because of the bug, the Heartbeat extension responds by sending information contained in the web server’s memory, which includes the server’s encryption keys. The hacker can then use this information to get other information still remaining in the server’s memory, which could include Social Security Numbers and login information entered by previous users.
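To make the missing check concrete, here is a small simulation added for illustration; it is not from the original article and is not OpenSSL's actual code. The `memory` array, the function names and the "SECRET-KEY" neighbour are constructed assumptions that model a heartbeat request sitting next to unrelated server data, with a handler that trusts the claimed length beside one that checks it against the real record length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_PADDING 16               /* RFC 6520: at least 16 padding bytes */
static uint8_t memory[64];          /* simulated server memory (constructed) */

/* Store a request claiming `claimed` payload bytes but carrying only `actual`;
   returns the true record length. Sample helper: assumes actual <= 30. */
size_t load_request(uint16_t claimed, const char *payload, size_t actual) {
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                                  /* heartbeat request type */
    memory[1] = (uint8_t)(claimed >> 8); memory[2] = (uint8_t)claimed;
    memcpy(memory + 3, payload, actual);
    size_t rec_len = 3 + actual + HB_PADDING;
    memcpy(memory + rec_len, "SECRET-KEY", 10);     /* unrelated neighbouring data */
    return rec_len;
}

/* Vulnerable: echoes as many bytes as the message claims to contain. */
size_t heartbeat_vulnerable(size_t rec_len, uint8_t *out, size_t cap) {
    (void)rec_len;                                  /* true length never consulted */
    size_t claimed = ((size_t)memory[1] << 8) | memory[2];
    if (claimed > cap || 3 + claimed > sizeof memory) return 0; /* keeps demo in its array */
    memcpy(out, memory + 3, claimed);
    return claimed;
}

/* Fixed: silently discard a request whose claimed payload cannot fit the record. */
size_t heartbeat_fixed(size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < 3u + HB_PADDING) return 0;
    size_t claimed = ((size_t)memory[1] << 8) | memory[2];
    if (3u + claimed + HB_PADDING > rec_len || claimed > cap) return 0;
    memcpy(out, memory + 3, claimed);
    return claimed;
}

/* Returns 1 if `needle` occurs within the first n bytes of buf. */
int leaked(const uint8_t *buf, size_t n, const char *needle) {
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t out[64];
    size_t rec = load_request(40, "bird", 4);       /* claims 40 bytes, sends 4 */
    size_t n = heartbeat_vulnerable(rec, out, sizeof out);
    printf("vulnerable: %zu bytes, leak=%d; fixed: %zu bytes\n",
           n, leaked(out, n, "SECRET-KEY"), heartbeat_fixed(rec, out, sizeof out));
    return 0;
}
```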

How serious is it?

Very serious; ‘catastrophic’ in the words of the Electronic Frontier Foundation. The OpenSSL software is very popular and this bug could potentially affect hundreds of thousands of sites, including many popular social media and recreational sites. With the free flow of personal data around the Internet today, this could put many people’s information at risk.

Who’s affected?

Mashable.com published and is maintaining a short list of affected sites and their status. Some of the popular sites included are:

Wikipedia (and related sites)
Facebook
Twitter
LinkedIn
Pinterest
Google

Notably, many banks and government agencies are not affected since they are less likely to rely on open source software for their secure operations. Canada’s Revenue Agency was affected, however, and had to extend their tax deadline and notify people whose data had been compromised.

Again, the fix for the bug must be performed by the sites running the affected web servers. The only action to be taken by individual users is to change their password after the software patch is applied by the affected site. Changing the password prior to the fix will not help and might even create more problems because hackers are still able to access the data.

What you need to do …

First, check the Mashable list for updates as to which sites are affected and whether the fix has been applied.

Second, change your passwords for the sites after they have been fixed.

  • Use strong passwords – at least 6 characters with a mix of letters, numbers and capitalization.
  • Avoid using the same passwords for different sites, especially banking and other critical sites.
  • Keep your passwords in a secure area. I generally do NOT allow my browser software to memorize passwords for any sites.
  • Hackers and scammers will almost certainly try to capitalize on this. Do NOT use links in e-mails asking you to change your passwords for specific sites. Go directly to the site in question and use their tools to change your passwords appropriately.
  • Before entering your personal information into any site, make sure the site is secure and verify if it has addressed the Heartbleed vulnerability. This bug is sufficiently serious that any website using OpenSSL software has a responsibility to apply the needed fixes. If they don’t, their users need to start looking for alternatives.

All the usual common sense precautions also still apply. For more information, see my article Staying Safe on the Web.

Official site and other sources:

Heartbleed.com

Wikipedia article

Forbes.com – Massive Internet Security Vulnerability – Here’s What You Need To Do

Mashable.com – The Password You Need to Change Right Now

PCWorld – Critical OpenSSL ‘Heartbleed’ bug puts encrypted communications at risk