Recently the OpenSSL project issued an emergency security advisory about a bug known as “Heartbleed”, a flaw in the library’s TLS implementation that was quickly labeled one of the biggest security threats the Internet has ever seen. A report that the National Security Agency (NSA) had known about and allegedly exploited the bug for about two years (link: http://rt.com/usa/nsa-knew-heartbleed-hacking-years-004/) has been denied by the agency. The bug affected an unknown number of popular websites and services, many of which you might use every day, such as Gmail and Facebook. Logging in to a vulnerable site may have quietly exposed your passwords, session cookies and credit card numbers to anyone exploiting the flaw during the roughly two years it sat in released versions of OpenSSL.
The “Heartbleed” label sounds a little melodramatic, and the bug was originally reported as having the potential to live up to the hype. It was reportedly named by an engineer at Codenomicon, a cyber-security company with offices in Finland and Silicon Valley. Heartbleed was discovered separately and at about the same time by Google security researchers and by engineers at Codenomicon. Both teams found that OpenSSL, an open-source cryptographic library that implements SSL/TLS and is used by an estimated 66% of web servers, contained a flaw that lets anyone with a simple script read chunks of a vulnerable server’s memory, up to 64 KB per request, and repeat the request as often as they like without leaving a trace in the server’s logs.
OpenSSL implements a TLS extension called Heartbeat, a keep-alive mechanism in which one side sends a small payload and the other echoes it back. The bug is a missing bounds check: the vulnerable code trusts the payload length claimed in the request instead of the length of the data that actually arrived, so a request that claims a large payload but sends only a few bytes gets back the claimed number of bytes, filled from whatever happens to sit next to the request in the server’s memory. By repeating the exploit, an attacker could pull out user IDs, passwords, session cookies, the contents of emails and even the server’s private key in a matter of seconds. An updated version of OpenSSL (1.0.1g) has been released to fix the bug, but patching alone is not enough. The private keys and certificates that prove a site’s identity to its users may themselves have been read out of memory, so affected sites also need to generate new private keys, reissue their certificates and revoke the old ones; until they do, someone holding the old key can still impersonate the site or decrypt traffic they have captured. Companies relying on OpenSSL to safeguard consumer data are scrambling to close the gaping hole that was reported last week.
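The missing bounds check described above, as an added example written for this page rather than OpenSSL’s own code. It models a heartbeat record laid out as in RFC 6520 (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) sitting in a constructed memory arena immediately in front of a made-up secret string. The vulnerable handler copies the number of bytes the request claims; the fixed handler first checks that the claimed payload, plus header and padding, fits inside the record that actually arrived, which is the shape of the real fix. The arena, the secret and all function names are assumptions made for illustration.

```c
/* Added example: simplified model of the Heartbleed bounds-check bug.
 * Not OpenSSL's code; record layout follows RFC 6520. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN     3    /* type (1) + payload length (2) */
#define PAD_LEN     16   /* RFC 6520 requires at least 16 bytes of padding */
#define REAL_PAYLOAD 4   /* the request really carries "ping" */
#define RECORD_LEN  (HDR_LEN + REAL_PAYLOAD + PAD_LEN)   /* 23 bytes on the wire */

/* Constructed "heap": the heartbeat record, then data that happens to be adjacent. */
static const char SECRET[] = "session=0x8badf00d; password=hunter2";   /* constructed */
static uint8_t arena[RECORD_LEN + 40];

/* Build a request that claims claimed_len payload bytes but only sends 4. */
static void build_arena(uint16_t claimed_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                              /* heartbeat_request */
    arena[1] = (uint8_t)(claimed_len >> 8);    /* attacker-controlled length */
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HDR_LEN, "ping", REAL_PAYLOAD);
    /* arena[7..22] is the padding, left as zeros */
    memcpy(arena + RECORD_LEN, SECRET, sizeof SECRET);   /* adjacent memory */
}

/* Vulnerable: echoes payload_len bytes without asking how long the record is.
 * Returns bytes written to out, or -1 if out is too small. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t record_len,
                                uint8_t *out, size_t out_cap)
{
    (void)record_len;                          /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return -1;      /* protects only our own buffer */
    memcpy(out, rec + HDR_LEN, payload_len);   /* reads past the end of the record */
    return (int)payload_len;
}

/* Fixed: the claimed length must fit inside the record actually received. */
static int heartbeat_fixed(const uint8_t *rec, size_t record_len,
                           uint8_t *out, size_t out_cap)
{
    if (record_len < HDR_LEN + PAD_LEN) return -1;          /* too short to be valid */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HDR_LEN + payload_len + PAD_LEN > record_len)
        return -1;                                          /* the missing bounds check */
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HDR_LEN, payload_len);
    return (int)payload_len;
}

/* Offset of the secret inside the echoed response, or -1 if it is not there. */
static int find_secret(const uint8_t *out, int n)
{
    const int plen = 8;                                     /* length of "session=" */
    for (int i = 0; i + plen <= n; i++)
        if (memcmp(out + i, SECRET, (size_t)plen) == 0) return i;
    return -1;
}

/* Oversized claim against the vulnerable handler: where does the secret appear? */
int vulnerable_leak_offset(void)
{
    uint8_t out[64];
    build_arena(40);                                        /* claims 40, sends 4 */
    int n = heartbeat_vulnerable(arena, RECORD_LEN, out, sizeof out);
    return n < 0 ? -1 : find_secret(out, n);
}

/* Same oversized claim against the fixed handler: should be rejected (-1). */
int fixed_reject_oversized(void)
{
    uint8_t out[64];
    build_arena(40);
    return heartbeat_fixed(arena, RECORD_LEN, out, sizeof out);
}

/* An honest request (claims 4, sends 4) still works after the fix. */
int fixed_accept_honest(void)
{
    uint8_t out[64];
    build_arena(4);
    return heartbeat_fixed(arena, RECORD_LEN, out, sizeof out);
}

int main(void)
{
    printf("vulnerable: secret found at response offset %d\n", vulnerable_leak_offset());
    printf("fixed, oversized claim: %d (rejected)\n", fixed_reject_oversized());
    printf("fixed, honest request: %d bytes echoed\n", fixed_accept_honest());
    return 0;
}
```

The 40-byte claim returns the 4 real payload bytes, the 16 bytes of padding, and then 20 bytes of whatever followed the record in memory, which is why the secret shows up at offset 20 of the response. A real attacker claims the maximum 65,535 bytes and repeats the request; nothing in the vulnerable path logs or refuses it.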
What hasn’t been clear since it was reported is which sites have been affected. Mashable and GitHub have compiled lists of sites that appear to have been affected, meaning they were running a vulnerable version of OpenSSL; that is not the same as proof they were exploited, because a Heartbleed request leaves no trace in ordinary server logs. The bug has existed for more than two years (it shipped in OpenSSL 1.0.1 in March 2012), but it’s still not clear how long anyone knew about it or how many sites were actually attacked, regardless of the doomsday scenarios that keep making headlines. In fact, it appears that the Heartbleed security flaw may not be as dangerous as first thought.
THERE ARE STILL MANY UNKNOWNS ABOUT THE HEARTBLEED BUG
Security experts are recommending that you change your password on affected sites as soon as they have patched the bug and reissued their certificates, and that you wait to change your password on sites that haven’t patched the leak yet, since a new password sent to a still-vulnerable server can be stolen just like the old one. It’s a little confusing because the experts are saying that once an affected company has applied the patch it should send you an email telling you to change your password, but because so many experts are telling everyone this, there is the fear that criminals will send bogus emails claiming the leak has been patched and asking you to follow a link to change your password. If the email is from an attacker, you will be taken to a phishing site, a phony site made to look real, where the password you enter can be stolen again.
Consequently, the same security experts are telling you not to click on links in emails saying the vulnerability has been fixed; go to the site by typing its address yourself instead. If you changed your password before a site was patched, chances are you’ll have to change it again. It’s best to wait a few weeks until the confusion and misinformation settle down, and to avoid online banking and other sensitive transactions in the meantime. Every reputable company affected by the Heartbleed bug should have patched the leak by then.
As mentioned above, you can check Mashable and GitHub for updated lists of companies affected, and use the Heartbleed checker site or this site to test whether a company not on the lists is affected. Changing your password regularly is usually good practice, and it’s never a good idea to use the same password on multiple sites: a password leaked from one site is the first thing an attacker tries everywhere else.
If the worst-case scenario is true, that criminal enterprises, intelligence agencies and state-sponsored hackers have known about the Heartbleed vulnerability for more than two years and used it to systematically read data out of vulnerable servers, then no one who does anything online is safe and password changes are necessary. Don’t panic yet though, because we still don’t know how close we are to the worst-case scenario. In fact, there are still many things we don’t know about this vulnerability at all. For a better understanding of how the vulnerability works and how it could affect you, see this piece by Rusty Foster in the New Yorker, and see these tips on avoiding and protecting yourself from identity theft from the U.S. Public Interest Research Group.