What is the Heartbleed Bug?
Unless you’ve been living under a rock, you’ve probably heard of the Heartbleed bug and the threat it poses to online security. On April 7, 2014, security researchers announced that a major vulnerability (tracked as CVE-2014-0160) had been discovered in the popular OpenSSL cryptographic software library. The bug was found independently by Neel Mehta, a member of Google’s security team, and by the software security firm Codenomicon.
This flaw in OpenSSL left highly sensitive data, which under normal conditions would have been protected by the SSL/TLS encryption used to secure the flow of data across the Internet, exposed to attackers.
Hackers who were aware of this vulnerability had the ability to extract massive amounts of sensitive data from the websites and services people use every day, such as social networks, emails, online stores, government websites, and online banks. Sensitive data includes usernames, passwords, emails, instant messages, credit card numbers, and social security numbers.
Bruce Schneier, the cryptography expert who has been writing about security issues on his blog since 2004, calls Heartbleed “catastrophic”. On a scale of 1 to 10, he has given the Heartbleed bug an “11”. “Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory—SSL private keys, user keys, anything—is vulnerable. And you have to assume that it is all compromised,” states Schneier on his blog.
Strictly speaking, the vulnerability is not a flaw in OpenSSL’s encryption. Encryption is the process of encoding confidential messages or information so that only authorized parties can read it: using an encryption key, information sent from a user’s computer to a recipient, whether it’s another person or a web server, is rendered into incomprehensible ciphertext, and authorized parties decode that ciphertext with a decryption algorithm and the matching decryption key. None of that mathematics is broken by Heartbleed. The bug is a missing bounds check in OpenSSL’s implementation of the TLS Heartbeat Extension (RFC 6520), a keep-alive feature in which one side sends a short message together with a number saying how long it is, and the other side echoes it back. Vulnerable OpenSSL versions trusted the claimed length instead of the number of bytes actually received, so a client that claimed a 64 KB message while sending only a few bytes got those bytes back plus up to roughly 64 KB of whatever happened to sit next in the server’s memory.
The Internet relies on a standard set of protocols to secure connections; these are commonly referred to as Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). OpenSSL is a free, open-source library that provides SSL/TLS functionality to websites and apps. It is designed to work with various operating systems and is also built into devices such as network routers and printers.
Heartbleed is particularly dangerous because the OpenSSL flaw not only lets attackers obtain sensitive data without leaving a trace in ordinary server logs (heartbeat messages are not logged by default, so detecting exploitation after the fact requires network-level monitoring), but also lets them steal the private keys that keep encrypted communications safe. Most hair-raising of all, the bug was introduced into the OpenSSL source at the end of December 2011 and shipped in OpenSSL 1.0.1 in March 2012, and many software packages were using the flawed version by May 2012. Versions 1.0.1 through 1.0.1f are affected; 1.0.1g, released on April 7, 2014, contains the fix. This means the error was open to mass exploitation for more than two years.
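To make the mechanism concrete, the following is an added example and not OpenSSL’s code or part of the original article. It re-creates the heartbeat handling in a small simulation: `handle_heartbeat` builds a response from a received record, copying as many payload bytes as the peer claims; with `fixed` set it applies the same sanity check the OpenSSL 1.0.1g fix added (the claimed payload plus header and minimum padding must fit inside the bytes actually received). The server “memory” (`heap_image`) and the secret placed in it are constructed sample data, and the function and variable names are this example’s own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical re-creation of the TLS Heartbeat (RFC 6520) handling bug.
 * Not OpenSSL's code. Message layout: type (1 byte), payload_length
 * (2 bytes, big-endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a heartbeat response for the record at `rec` (`rec_len` bytes actually
 * received) into `out`. Returns bytes written, or -1 if the record is dropped.
 * fixed == 0 mirrors OpenSSL 1.0.1 to 1.0.1f; fixed == 1 adds the 1.0.1g check. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len, int fixed,
                     unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The fix: the declared payload, header and minimum padding must fit
     * inside the bytes that were actually received. */
    if (fixed && (size_t)(1 + 2 + payload + HB_PADDING) > rec_len)
        return -1;
    if ((size_t)(3 + payload + HB_PADDING) > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* The bug: copy `payload` bytes because the peer said so, regardless of
     * how many bytes arrived. Whatever sits after the record in memory is
     * echoed back. (In this simulation that memory is `heap_image` below,
     * so the over-read stays inside one array; a real server reads its heap.) */
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);   /* real TLS uses random padding */
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed sample memory, not captured data: a 5-byte heartbeat request
 * claiming a 200-byte payload but carrying only "hi", followed some bytes
 * later by a secret that should never leave the server. */
#define SECRET "session=deadbeef; -----BEGIN RSA PRIVATE KEY-----"
static unsigned char heap_image[512];

static void build_heap_image(void)
{
    memset(heap_image, 'X', sizeof heap_image);   /* filler bytes */
    heap_image[0] = HB_REQUEST;
    heap_image[1] = 0x00;                          /* payload_length = 0x00C8 = 200 */
    heap_image[2] = 0xC8;
    heap_image[3] = 'h';
    heap_image[4] = 'i';
    memcpy(heap_image + 64, SECRET, strlen(SECRET));
}

/* Plain byte-string search over a buffer that may contain anything. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* 1 if the malicious request leaks SECRET, 0 if it does not, -1 if dropped. */
int leak_test(int fixed)
{
    unsigned char out[512];
    build_heap_image();
    int n = handle_heartbeat(heap_image, 5, fixed, out, sizeof out);
    return n < 0 ? -1 : contains(out, (size_t)n, SECRET);
}

/* 1 if a well-formed request (2-byte payload "hi" plus 16 bytes of padding)
 * is still answered correctly in the given mode. */
int legit_test(int fixed)
{
    unsigned char req[3 + 2 + HB_PADDING] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    unsigned char out[64];
    int n = handle_heartbeat(req, sizeof req, fixed, out, sizeof out);
    return n == (int)sizeof req && out[0] == HB_RESPONSE &&
           memcmp(out + 3, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable build leaks secret: %d\n", leak_test(0));
    printf("fixed build result (-1 = request dropped): %d\n", leak_test(1));
    printf("legitimate heartbeat still works after fix: %d\n", legit_test(1));
    return 0;
}
```

The unfixed path answers the 5-byte request with a 219-byte response containing the secret, the fixed path silently drops it, and a correctly padded heartbeat is answered the same way in both modes, which is why the patch could be deployed without breaking clients.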
What websites and services were affected?
Fortunately, many popular websites and services that were vulnerable to the bug have updated their servers with security patches. Patching alone does not close the matter, though: because private keys may have been read out of memory, a fully remediated service also has to generate new keys, reissue its TLS certificate and revoke the old one. Users are advised to change their passwords to secure their accounts, but only after official announcements about security updates have been made by the websites or services they patronize; a new password sent to a still-vulnerable server can be stolen just like the old one. Once they’ve confirmed that the website or service has installed a security update, users can go ahead and change their passwords.
Many (though not all) of the major companies have issued updates. Social networks like Facebook and Tumblr have updated their servers with security patches, though it remains unclear whether Facebook was affected by the bug. Users of both Facebook and Tumblr are advised to change their passwords.
LinkedIn was apparently not affected and did not issue a security patch. According to LinkedIn, they “didn’t use the offending implementation of OpenSSL in www.linkedin.com or www.slideshare.net. As a result, HeartBleed does not present a risk to these web properties.” However, it remains unclear if Twitter was affected by the bug, and the company has issued no statements about security updates, and has not asked users to change their passwords.
Google and Yahoo were rendered vulnerable by Heartbleed, and both companies have updated their servers with security patches. Google representatives state that they have “assessed the SSL vulnerability and applied patches to key Google services.” Yahoo has already patched Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, and Flickr, among other sites. Both Yahoo and Google advise their users to change their passwords. Other big tech companies like Microsoft and Amazon were not affected.
As for email services, both AOL and Hotmail/Outlook were not affected. While both Gmail and Yahoo Mail were affected, both email services have updated their servers with security patches and have asked their users to change their passwords.
The following banks and brokerages reported that they were unaffected: Bank of America, Chase, Scottrade, PNC, Fidelity, TD Bank, and Wells Fargo. They cited multiple layers of security protecting their websites and services, and many of them did not use an affected version of OpenSSL at all.
How can you protect yourself?
Aside from changing their passwords, email users are also advised to use reliable secondary email addresses, update their account settings with their mobile numbers to receive login verification through an automated SMS or phone call, double-check filters and forwarding addresses, and reinforce their email security with stronger security questions.
We strongly advise our online marketing and web design resellers to communicate these security measures to their clients.