
Monthly Archives: April 2014

You may have recently heard about a security threat on the internet identified as the “HeartBleed” bug. There has been a lot of debate and confusion surrounding exactly what the impact of this vulnerability can or will be. The purpose of this post is to explain the vulnerability in terms of what it means to you, the computer user.
 
“HeartBleed” is the declared name of a vulnerability in OpenSSL, an open-source software library used for SSL cryptography. A lot of products and internet services use OpenSSL.
 
In simple terms, the technology behind SSL certificates allows an “encrypted” communication to exist between a site/server and a visitor. It is a trusted technology that a visitor would automatically be using while banking or buying something online. Since most communications travel over publicly exposed wired or wireless networks, an “eavesdropper” who intercepted the communication couldn’t read it, because it was encrypted. Among other things, the “HeartBleed” bug allows an attacker to “read” information held in the memory of an affected server, including information that is being passed over those encrypted connections.
 
On April 7th, 2014, the bug was publicly disclosed. Very large and popular sites like Facebook, Yahoo, Gmail and Flickr were discovered to be at risk. It was estimated at the time that more than 500,000 web sites around the internet are/were impacted. On that same date, an updated version of OpenSSL was released to resolve the problem. As of this past weekend, many of the affected sites have fixed their own implementations.
 
Of the exposed “data”, the most obvious risk is to passwords. The fear is that an attacker could have been collecting passwords for some time now. Here is a quick list of some popular sites on which you should change your passwords as soon as possible:

  • Facebook
  • Pinterest
  • Tumblr
  • Google
  • Yahoo
  • Gmail
  • Amazon Web Services
  • Dropbox
  • SoundCloud

 
A partial list of affected popular online sites can be reviewed here: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/. It is best to check the statement of the website/product for up-to-date information relative to the bug and their fixes for the problem. Unfortunately, it serves little purpose to change a password on a site that has not yet been “fixed”.
 
While there are no indications that the vulnerability was known to hackers or exploited prior to the public disclosure, there is no guarantee that data was not compromised. To this end, it is important to point out that password security is critical as the first line of defense. Over the coming days, we intend to revisit our recommendations about password security. The most obvious are to use strong passwords and not to share passwords between sites.
 
NOTE: Windows PCs themselves are not affected by this bug other than through online services (like the ones mentioned above). Apple iOS devices don’t appear to be affected either; however, there are some conflicting reports about Apple OS X (computer OS) devices with certain services installed.