Heartbleed Bug Lays System Memory Open for Attackers

There’s a security bug that affects the security of nearly every user—and it may have been around for the past two years without anyone realizing it. 

What is OpenSSL?

OpenSSL is an extremely popular open-source library that implements the SSL/TLS encryption protocols, and it’s used by a wide variety of different services, some of which you probably use on a daily basis—and it’s in OpenSSL that this dangerous security flaw lies. That’s huge news, and bad news, for users everywhere, because OpenSSL is part of the security used in email services, social media sites, hobby sites—basically, almost everywhere that the user enters information that is sent over the network. The point of OpenSSL is, simply put, to disguise the information you’re sending while it’s in transit, so that an eavesdropper can’t read usernames, passwords, IMs, and so forth while you’re sending them.

What does the Heartbleed Bug Do?

When two computers are connected, they’ll occasionally send one another “heartbeats”: a small packet of data that asks whether the other computer is still responding on the connection. A heartbeat carries a payload together with a field stating how long that payload is. The flaw in OpenSSL is that the receiving computer never checks the stated length against the data it actually received, so a sender can substitute a request that claims a far larger payload than it really sent, and the other computer answers by returning that many bytes from its memory, including whatever happened to be stored next to the request. Worse yet, exploiting the Heartbleed Bug this way doesn’t appear to leave any evidence behind.
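As an added illustration, not code from the article or from OpenSSL itself, this C program simulates the heartbeat handler before and after the fix against a constructed block of memory: the pre-fix handler echoes however many bytes the request declares, while the fixed handler drops any request whose declared length does not fit inside the record it actually received. The record layout follows the TLS heartbeat message (type, two-byte length, payload, padding); the `memory` array, the planted `"SECRET"` string and all function names are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Simulated process memory (constructed sample): a heartbeat request record
 * followed by unrelated data that happens to sit next to it. */
#define MEM_SIZE 96
#define HB_PADDING 16                    /* minimum padding every heartbeat record carries */
static unsigned char memory[MEM_SIZE];
static const char secret[] = "SECRET";   /* planted right after the record */
/* Lay out type(1) | payload_length(2) | payload | padding at memory[0],
 * plant the secret after it, and return the record's real length. */
static size_t build_request(const char *payload, uint16_t declared_len) {
    size_t real_len = strlen(payload);
    memset(memory, 0, MEM_SIZE);
    memory[0] = 1;                                  /* heartbeat_request */
    memory[1] = (unsigned char)(declared_len >> 8); /* declared length, big-endian */
    memory[2] = (unsigned char)(declared_len & 0xff);
    memcpy(memory + 3, payload, real_len);
    size_t record_len = 3 + real_len + HB_PADDING;
    memcpy(memory + record_len, secret, sizeof secret - 1);
    return record_len;
}
/* Pre-fix behaviour: trusts the declared length and echoes that many bytes,
 * reading past the record into whatever memory happens to follow it. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out) {
    (void)record_len;                               /* never consulted: that is the bug */
    size_t n = ((size_t)memory[1] << 8) | memory[2];
    if (n > MEM_SIZE - 3) n = MEM_SIZE - 3;         /* keeps the simulation itself in bounds */
    memcpy(out, memory + 3, n);
    return n;
}
/* Post-fix behaviour: the declared length must fit inside the record actually
 * received (type + length + payload + padding); otherwise drop the message. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out) {
    size_t n = ((size_t)memory[1] << 8) | memory[2];
    if (record_len < 3 + HB_PADDING || n > record_len - 3 - HB_PADDING)
        return 0;                                   /* silently discard, as the patch does */
    memcpy(out, memory + 3, n);
    return n;
}
/* Bytes echoed for a "hello" request claiming declared_len bytes, or -1 if the echo leaks the secret. */
static long probe(size_t (*handler)(size_t, unsigned char *), uint16_t declared_len) {
    unsigned char out[MEM_SIZE] = {0};
    size_t record_len = build_request("hello", declared_len);
    size_t n = handler(record_len, out);
    if (n >= record_len - 3 + sizeof secret - 1 &&
        memcmp(out + record_len - 3, secret, sizeof secret - 1) == 0) return -1;
    return (long)n;
}
```

An honest request (declared length 5 for the five-byte payload) is answered identically by both handlers; only the oversized request is treated differently.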

What kind of Data is Compromised?

The Heartbleed Bug has compromised an incredible range of data that appears to be limited only by what’s stored in the memory of the computer being queried. And since OpenSSL is used extensively on servers around the world, and by many large services—Google, Facebook, Tumblr, and Yahoo, to name a few—the sky’s the limit: passwords, usernames, credit card numbers, and even the servers’ own encryption keys are all at risk. The fact that Heartbleed can expose encryption keys is particularly ominous, because an attacker who has stolen a site’s key no longer needs to attack the secure connection itself: encrypted traffic to that site that they intercept can simply be decrypted.

How was the Heartbleed Bug Found?

The Heartbleed Bug was actually discovered by two separate entities—Google, Inc. and Codenomicon, a Finnish firm that specializes in security.  Neel Mehta, a security researcher from Google, was the first to report the exploit to OpenSSL’s development team.

How Bad is It? When Will it be Fixed?

As of the morning of April 8th, Netcraft found that half a million sites were vulnerable. That’s hardly a surprise given that more than 40% of Web servers are Apache and OpenSSL is the default security encryption option for Apache Web servers. Each affected service will need to install the recently released update to OpenSSL before its data can be considered secure. It will also need to replace its encryption keys, on the chance that those keys were compromised as well.

What Should Users Do?

First and foremost, they should be changing their passwords. All of them—ideally once the service in question has applied the fix, since a password changed on a still-vulnerable server can be captured just like the old one. OpenSSL was used by Tumblr, Facebook, Imgur, Dropbox, Microsoft, Twitter, OKCupid, Amazon and others. Corporate networks also tend to rely on OpenSSL. Most, if not all, of these services have already corrected or are in the process of correcting the flaw, but that doesn’t protect any information stolen prior to the fix.

How Bad Will the Fallout be?

It’s unknown right now just how bad the repercussions of the Heartbleed Bug will be, because it’s unknown whether or not the security flaw in OpenSSL was being widely exploited before it was found.  The bug was found during research, not because hackers were found to be using it. Because it’s been accessible for two years, the consequences could be staggering.  However, it’s possible that few, if any, hackers were aware of the flaw before it was revealed by researchers.