There is a new security threat that is taking the internet by storm. A major new security flaw, named the Heartbleed bug, was disclosed a couple of days ago and is thought to have severe implications for the entire Web. The bug lets an attacker scrape a server's memory, where sensitive user data is stored.
People all across the internet are vulnerable to having their passwords and other sensitive data stolen. It has been a long time since the public has had to worry about a computer security bug, yet it seems computer users may have been exposed to this one for the last couple of years without even realizing it. To give you an idea of just how bad this problem truly is, this article provides the necessary information about the Heartbleed bug. Please do not panic yet: read all of the information about the issue before making any decisions about your online accounts, and understand that it mainly affects servers on the internet, not your personal PC.
What is the Heartbleed bug?
A few days ago, security researchers announced a security flaw in OpenSSL. So what exactly does that mean? In short, OpenSSL is a widely used encryption library, and the flaw gives experienced attackers the ability to extract massive amounts of supposedly secured data from a variety of services that computer users rely on every day and consider to be the most secure. So why not just fix the problem? Unfortunately this is not simply a bug in a phone or desktop app that a quick update can mend. The vulnerability lives on the machines that power the services transmitting secure information across the web, such as Facebook, Yahoo and Gmail. Still confused? This article will give you the information you need to be aware of the problem, along with some things you can do to combat it from home.
How does the Heartbleed bug work?
Heartbleed is a new security flaw in OpenSSL, the open-source encryption library used by many websites to transmit the data that users want to keep secure. Basically, OpenSSL gives users a secure line when using email or IM chat. Encryption works by making the data being sent look like nonsense to anyone but the intended recipient. Every once in a while, one computer needs to check whether there is still a computer at the other end of the secure connection, so it sends out a small signal commonly referred to as a heartbeat: a small packet of data that requests a response. Because of a programming error in OpenSSL's implementation of this feature, researchers discovered that it was possible to send a well-disguised packet that looks identical to one of these heartbeats and trick the computer at the other end into sending back data stored in its memory.
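To make the programming error concrete, here is an added Python model of a heartbeat handler, written for this article and not taken from OpenSSL's own source. The `memory` buffer, the secret string and the heartbeat contents are constructed stand-ins; the model shows the pre-fix handler trusting the sender's length field and the fixed handler discarding any heartbeat whose claimed payload does not fit in the bytes actually received.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat: type (1 byte), payload length (2 bytes), payload, padding.
    claimed_length lets the constructed test message lie about its payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory, record_len):
    """Pre-fix behaviour: copies `length` bytes starting at the payload, trusting the header.
    `memory` is a constructed stand-in for process memory: the received record sits at
    offset 0 and whatever happens to follow it (other users' data) comes right after."""
    hb_type, length = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    # The bug: no check that `length` fits inside the `record_len` bytes actually received,
    # so the copy runs past the record into neighbouring memory.
    payload = memory[3:3 + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload


def fixed_handler(memory, record_len):
    """Post-fix behaviour: a heartbeat whose claimed payload does not fit the record is dropped."""
    if record_len < 3 + MIN_PADDING:  # not even room for a header plus padding
        return b""
    hb_type, length = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 3 + length + MIN_PADDING > record_len:  # the added bounds check; discard silently
        return b""
    payload = memory[3:3 + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload


def demo():
    """Run both handlers on an honest heartbeat and on one that overstates its length."""
    secret = b"password=hunter2;session=abc123"  # constructed data left in memory
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", claimed_length=40)  # record is only 23 bytes long
    results = {}
    for name, record in (("honest", honest), ("lying", lying)):
        memory = record + secret  # constructed layout: the secret directly follows the record
        results[name] = (vulnerable_handler(memory, len(record)),
                         fixed_handler(memory, len(record)))
    return results
```

With the honest heartbeat both handlers echo the 4-byte payload; with the overstated length the pre-fix handler's reply carries the secret that followed the record, while the fixed handler returns nothing.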
This flaw was first reported to the OpenSSL development team by Google security researcher Neel Mehta. According to the researchers, the security bug has been in OpenSSL for approximately two years.
Where did it come from?
Over two years ago a German developer named Robin Seggelmann introduced a new feature into OpenSSL. A few days ago a vulnerability was discovered in that addition, and it is responsible for what may be the biggest Internet security flaw in history. Seggelmann said the vulnerability was “unfortunately” missed by both him and a reviewer when he submitted the new fixes and features to OpenSSL. He also stated that the flaw in the code was purely a mistake and that there was no malicious intent behind it.
Is this bad?
This is bad, this is very, very bad. Not only is the Heartbleed bug a threat to essential information, but exploiting it leaves no trace. Web servers keep an abundance of information in their active memory, such as usernames, passwords, and even content that users have uploaded to the service's website. Still not sure of the threat? Credit-card numbers can be pulled out of a server's memory too. The data sits in the server's memory, and a single malicious heartbeat can retrieve it. It gets worse. The flaw also makes it easier for attackers to steal the server's encryption keys, the secrets used to turn encrypted gibberish back into readable information.
With those encryption keys, attackers can intercept secured data moving to and from a site's servers and, once captured, read it without needing to be part of the secure connection. This means that unless companies running vulnerable servers change their keys, future traffic will also be susceptible to theft. Need more convincing to be worried? Still wondering how all of this will affect you? Once again, this is not as simple as an update on your personal computer or phone; the bug is part of the software that powers services you use on a daily basis. Computer users are very likely to be affected either directly or indirectly.
OpenSSL is the most widely used open-source cryptographic library and TLS implementation in use today to encrypt traffic over the Internet. To sum it up once more: popular social media sites, your company's site, commercial sites, hobby sites, sites users typically install software from, and possibly even sites run by governments are considered vulnerable to the OpenSSL Heartbleed bug. While Yahoo has confirmed it was affected by the Heartbleed security flaw, a few other companies may also have been affected. These sites include Google, Dropbox, the Canada Revenue Agency, and GoDaddy. Other sites have confirmed they were not affected. These include Twitter, Amazon, Tumblr, the Canadian Bankers Association, PayPal, and Evernote.
How to protect yourself from the Heartbleed bug
Because the vulnerability has been in OpenSSL for almost two years and leaves no trace, you should assume that your accounts may well have been compromised. Be sure to change all your online passwords, especially for services where privacy and security matter most. However, many sites may not yet have upgraded to software without the bug, so changing your information immediately may not help yet. It is frustrating but true. The researchers who found the flaw notified the developers behind OpenSSL days before announcing the vulnerability, so it was hopefully fixed before word got out a couple of days ago.
Most major service providers are working on updating their sites, so the bug should become less prevalent over the coming weeks. However, researchers have listed a few things users can do to minimize the risk at home. Do not, under any circumstances, log into accounts on affected sites until the company has fixed the problem. If you are unsure, or if the company has not been forthcoming, reach out to its customer service team for information.
Some of the websites confirmed as affected include Yahoo and OKCupid, although both companies have reported their sites are fully or partly fixed. Users can check individual sites, though caution is still advised even if a site comes back “all clear”. If a site is given a red flag, avoid it for now. The natural response is to panic and change passwords immediately, but security experts advise waiting for confirmation of a fix, because a new password entered on a still-vulnerable server could be exposed just like the old one.
Once a security patch has been confirmed, it is safe to change the passwords of sensitive accounts such as banking and email. What if you have your own secure line? Even if you use two-factor authentication, changing your passwords is still recommended as a precaution. As the saying goes, better safe than sorry.
Please do not be shy about reaching out to businesses that hold your personal information to make sure they are secure. High-profile companies like Yahoo and Imgur have already announced their exposure and are working on the issue, but smaller businesses may not even be aware of it. Be proactive about making sure all your personal information is kept safe. It is also important to keep a close eye on financial statements over the next few days, since attackers can pull credit card information out of a server's memory. Most people do not enjoy checking their accounts, but it would not hurt to be on the lookout for unfamiliar charges. Be aware that even if you follow these guidelines, there will still be some risk in surfing the Web.
The Heartbleed bug is also said to affect browser cookies, which track user activity on websites, so even visiting a vulnerable site without logging in could be risky. While it may seem unreasonable, it has been suggested that users stay off the internet entirely for the next couple of days until companies are able to fix the issue. However you choose to handle it, be aware that this security threat is out there, and users need to understand the implications of the Heartbleed bug.
RESOURCES:
- WordPress users: please install this plugin
- Server admins: please run this on your servers
CentOS:
yum update openssl
Ubuntu:
apt-get update && apt-get install --only-upgrade openssl libssl1.0.0
After the package upgrade, restart every service that uses the library (or reboot), because a running process keeps the old, vulnerable copy loaded until it is restarted.
For more information please visit:
http://filippo.io/Heartbleed/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://heartbleed.com/