Losing all your data in a Heartbeat
What is Heartbleed?
The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. Even if you've never heard of OpenSSL, it's probably a part of your life in one way or another. The bug lets an attacker abuse a feature that computers use to check whether the other side of a connection is still online, known as the 'heartbeat extension'. A malicious heartbeat message can make a server reply with secret information that happens to be sitting in its memory.
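To make that concrete, here is an added illustration in C (not code from the original post or from OpenSSL itself) of the length check whose absence caused Heartbleed, which goes one step beyond the post by naming the mechanism: the defective handler echoes as many bytes as the peer's heartbeat claims to contain, while the fixed handler refuses any claim that does not fit inside the record actually received. The memory contents, the "secret" and the function names are constructed for the demonstration; the 16-byte padding rule is the one the TLS heartbeat format requires.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a slice of server memory: a heartbeat request
 * record first, then 16 padding bytes, then unrelated data (a fake session
 * secret) that a reply must never include. */
static const uint8_t MEMORY[] = {
    0x01, 0x00, 0x04,                          /* type=request, length=4 */
    'p', 'i', 'n', 'g',                        /* the 4 payload bytes sent */
    'P','P','P','P','P','P','P','P','P','P','P','P','P','P','P','P',
    's','e','c','r','e','t','-','s','e','s','s','i','o','n','-','k','e','y'
};
#define RECORD_LEN (1 + 2 + 4 + 16)   /* bytes the record really contains */

static uint16_t claimed_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);   /* big-endian length field */
}

/* Defective handling: trusts the peer's length field and echoes that many
 * bytes, so an inflated claim copies neighbouring memory into the reply. */
int heartbeat_unchecked(const uint8_t *rec, uint8_t *out, size_t cap) {
    uint16_t n = claimed_len(rec);
    if (n > cap) return -1;              /* guards only the reply buffer */
    memcpy(out, rec + 3, n);
    return n;
}

/* Fixed handling: the claimed length must fit inside the record actually
 * received (type + length + payload + 16 bytes padding), else drop it. */
int heartbeat_checked(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t cap) {
    uint16_t n = claimed_len(rec);
    if (1 + 2 + (size_t)n + 16 > rec_len) return -1;
    if (n > cap) return -1;
    memcpy(out, rec + 3, n);
    return n;
}

/* Replays a request whose length field was inflated to 32 against both
 * handlers; returns 1 if the unchecked reply carries the secret and the
 * checked handler refused, i.e. the bounds check closes the leak. */
int demo_inflated_length(void) {
    uint8_t rec[sizeof MEMORY], out[64];
    memcpy(rec, MEMORY, sizeof MEMORY);
    rec[2] = 32;                                /* forge length field */
    int leaked = heartbeat_unchecked(rec, out, sizeof out);
    int leaks_secret = leaked == 32 && memcmp(out + 20, "secret", 6) == 0;
    int refused = heartbeat_checked(rec, RECORD_LEN, out, sizeof out) == -1;
    return leaks_secret && refused;
}
```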
Why should you be concerned?
Most of the apps you use and the sites you visit will likely use OpenSSL if they encrypt the data they send back and forth. OpenSSL is open source software that implements the SSL protocol, and about 50% of the world's "secure" websites were said to be vulnerable to the bug. Typically, OpenSSL is present on servers running Apache, which is the dominant web server today with more than half of the internet's active sites running on it. Sensitive data often sits in a server's system memory: the keys it uses to encrypt and decrypt communication, as well as the usernames, passwords, credit card numbers and so on that pass through it. This means an attacker could quite feasibly get a server to divulge its secret keys, allowing them to read any communication they intercept as if it weren't encrypted. Armed with those keys, an attacker could also impersonate an otherwise secure site, passing many of your browser's built-in security checks and fooling you into handing over personal details such as credit card numbers. It also compromises the session keys that keep you logged into a website, allowing an outsider to pose as you, no password required.
It appears that exploiting the Heartbleed bug leaves no trace in the server's logs, so you may never know when, or if, you've been hacked. There's no easy way for a system administrator to know whether their servers have been compromised; they just have to assume that they have been.
So what can I do?
You may have read that you should update all your passwords and make them more secure. However, the bug has been around since December 2011, and it's going to take some time for websites themselves to be updated with a fixed version of the encryption software. That's why changing all your passwords right away isn't a good idea. Websites are all racing to fix the issue, and if you act too quickly, you might change your password on a site that is still vulnerable, exposing the new password too. Major websites are patching the hole, but the job won't be complete until every website has also replaced the old keys it was using to encrypt data.
Websites such as Amazon, Google and Yahoo have already patched their encryption software, so it would be worth changing your passwords on those sites, but many more have yet to apply the patch.