Monthly Archives: April 2014

Heartbleed: What It Is And How To Avoid It

Recently the OpenSSL project issued an emergency security advisory about a bug known as “Heartbleed”, an encryption flaw that was quickly labeled one of the biggest security threats the Internet has ever seen — despite the fact that the National Security Agency (NSA) has allegedly known about and exploited it since it was discovered (link: http://rt.com/usa/nsa-knew-heartbleed-hacking-years-004/) — and one that has affected an unknown number of popular websites and services, many of which you might use every day, like Gmail and Facebook. Visiting the affected sites may have quietly exposed your passwords and credit card numbers to anyone exploiting the vulnerability over the past two years.

The “Heartbleed” label sounds a little melodramatic, but the bug was originally reported as having the potential to live up to the hype. It was reportedly named by an engineer at Codenomicon, a cybersecurity company with offices in Finland and Silicon Valley. Heartbleed was discovered independently and almost simultaneously by Google security researchers and by engineers at Codenomicon. Both teams found that OpenSSL, an open-source encryption library used by an estimated 66% of Internet servers, contained a flaw that allows anyone with a simple script to pull troves of personal information out of the memory of affected servers.

OpenSSL includes an extension called Heartbeat, and the bug in it lets the contents of a server's memory bleed out to whoever asks for them. Each request can return a chunk of memory that may hold emails, passwords, user IDs and other personal data, so a hacker running the exploit could collect a great deal of it in a matter of seconds. An updated version of OpenSSL has been released that fixes the bug, but updating OpenSSL alone is not enough: because a server's private keys sat in that same memory and may have been read, affected sites also need to replace the keys and certificates that underpin their encrypted connections. Companies relying on OpenSSL to safeguard consumer data are scrambling to close the gaping hole reported last week.
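As an added illustration of the two-step fix just described (this is not code from the original post or from the OpenSSL project): a small Python triage script that flags affected upstream OpenSSL builds from their version banner and then decides whether a host's certificate and user sessions need rotating as well. The affected version ranges are the upstream ones; the inventory rows are constructed for the example, and dates are passed as ISO strings.

```python
import re

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def is_vulnerable_openssl(banner):
    """True if an `openssl version` banner names a Heartbleed-affected upstream
    release: 1.0.1 through 1.0.1f, or 1.0.2-beta1 (1.0.1g of 2014-04-07 fixed it).
    Distributions often backport the fix without changing the letter, so treat
    True as "verify against the package changelog", not as a confirmed hole."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        return letter < "g"      # bare 1.0.1 ("") and a..f are affected
    if release == (1, 0, 2):
        return beta == "1"       # only the first 1.0.2 beta shipped the bug
    return False                 # 0.9.8 and 1.0.0 never had the Heartbeat code


def triage(banner, cert_not_before, patched_on=None):
    """Remediation steps for one TLS host. Dates are "YYYY-MM-DD" strings, which
    compare correctly as text. `cert_not_before` is the issue date of the served
    certificate; `patched_on` is the upgrade date, or None if still unpatched."""
    steps = []
    if is_vulnerable_openssl(banner):
        steps.append("upgrade OpenSSL to 1.0.1g or later and restart TLS services")
        exposed = True
    else:
        # Fixed build: the key was exposed only if the cert predates the upgrade.
        exposed = patched_on is not None and cert_not_before < patched_on
    if exposed:
        # Anything in server memory, including the private key, may have leaked.
        steps.append("generate a new private key, reissue the certificate, revoke the old one")
        steps.append("expire existing sessions and prompt users to change passwords")
    return steps or ["no action needed"]


if __name__ == "__main__":
    # Constructed inventory rows for illustration, not real hosts.
    inventory = [
        ("OpenSSL 1.0.1e-fips 11 Feb 2013", "2013-09-01", None),
        ("OpenSSL 1.0.1g 7 Apr 2014", "2013-09-01", "2014-04-08"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "2014-04-09", "2014-04-08"),
        ("OpenSSL 1.0.0l 6 Jan 2014", "2013-09-01", None),
    ]
    for banner, issued, patched in inventory:
        print(banner, "->", "; ".join(triage(banner, issued, patched)))
```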

What hasn’t been clear since it was reported is which sites have been affected. Mashable and a list hosted on GitHub have compiled sites that appear to have been compromised. The Heartbleed bug has reportedly been known about for more than two years, but it is still not clear how long it has existed or how many sites are actually affected, regardless of the doomsday scenarios that keep making headlines. In fact, it appears that the Heartbleed security flaw may not be as dangerous as first thought.
