x

tech

Heartbleed Bug Hits The Internet: What Is It? How Does It Affect Me? What Should I Do?

The bug has affected many popular websites and services and could have quietly exposed your sensitive account information. The heartbleed bug in short, is a nightmare. So how can you protect yourself now?

Cover image via imgur.com

These Are The Sites Where You Should Change Your Password Right Away

Image via LastPass

ALSO, if you use Chrome as your browser, download this extension : It will let you know if the site you are browsing is affected by Heartbleed. It's an adaptation of Valsorda's site.

policymic.com

Multiple popular websites were exposed to a major Internet bug called Heartbleed earlier this week. As much as 66% of the web may have been compromised by Heartbleed.

Image via mshcdn.com

Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday. The bug was reportedly discovered by a member of Google's security team and a software security firm called Codenomicon.

mashable.com

The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information users enter into websites, applications, web email and even instant messages. And while most security experts advise that you always use websites and services offering SSL security encryption whenever possible, the Heartbleed bug has the ability to allow malicious operators to defeat this security layer and capture passwords as well as forge authentication cookies and obtain other private information.

sci-tech-today.com

What is Heartbleed?

Image via wordpress.com

Basically when you make a transaction online today, whether it’s a bank or credit card company, part of what ensures security is a protocol called SSL. It’s just a way to encrypt the data so that nobody can read it when it’s being transmitted from you to the bank or another company. What Heartbleed is is a way that an attacker can steal bits of information about that transaction — things you thought were being safeguarded. The attacker can start reading data about a transaction and learn things like your passwords and credit card numbers that you thought were kept confidential.

nytimes.com

Heartbleed is a serious security threat that has the potential to expose users' private information, including passwords, financial details and instant messages, among other things

The Heartbleed bug compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content... As long as the vulnerable version of OpenSSL is in use it can be abused

Image via mshcdn.com

How did this happen?

Image via bwbx.io

What happened was, two years ago there was a programming flaw put into this thing called OpenSSL, an open-source implementation of the SSL protocol. A lot of websites use OpenSSL to achieve security. What happened in these cases is that these programs are very complicated, and when things are very complex, some flaws can be missed. It may have been there all along, but it was just hidden in plain sight from the perspective of everybody else.

troyhunt.com

But how could the flaw not get noticed for two years?

The Heartbeat protocol is a sub-part of SSL. Heartbeat is meant to ensure communications are kept alive. So when two people are communicating and there hasn’t been any communication for a while, it keeps the communication line alive for a bit — it keeps a session alive so it doesn’t get taken down. What would typically happen in SSL is the communication would get terminated immediately. Heartbeat is not the main part of SSL. It’s just one additional feature within SSL. And as an additional feature, it may not get as much scrutiny as the main part itself. So it’s conceivable that nobody looked at that code as carefully because it was not part of the main line.

nytimes.com

You're likely affected either directly or indirectly by the bug, which is not the actual bad news. The actual bad news is that:

There's not a lot you can do about it now. It's the responsibility of Internet companies to update their servers to deal with Heartbleed, and once they do, you can take certain action.

mashable.com

The issue involves network software called OpenSSL, which is an open-source set of libraries for encrypting online services. Secure websites — with “https” in the URL ("s" stands for secure) — make up 56% of websites, and nearly half of those sites were vulnerable to the bug. In theory, a cybercriminal could have exploited Heartbleed by making network requests that could piece together your sensitive data.

mashable.com

However, there is also a good news

There isn't any indication that a hacker caught wind of this; it seems the researchers were the first to locate the problem. But the scary part is that attackers could have infiltrated these websites, extracted the information they wanted and left no trace of their presence. Thus, it's hard to determine whether someone ever exploited the bug, or if your account information was compromised.

indiatimes.com

So, what, as a user, are you supposed to do?

Image via mshcdn.com

First, check which sites you use are affected. If you don't want to read through the long list of websites with the security flaw, the password security firm LastPass has set up a Heartbleed Checker, which lets you enter the URL of any website to check its vulnerability to the bug and if the site has issued a patch.

mashable.com

Next, change your passwords for major accounts — email, banking and social media logins — on sites that were affected by Heartbleed but patched the problem. However, if the site or service hasn't patched the flaw yet, there's no point to changing your password. Instead, ask the company when it expects to push out a fix to deal with Heartbleed.

huffingtonpost.com

A big cause for concern is related to sites that have your sensitive information, such as Yahoo and OKCupid (most people aren't logging into NASA.gov with private data). Both companies have since issued a patch to fix the security hole, so users with accounts with those companies — including Yahoo Mail, Flickr and so on — should update their passwords immediately.

mashable.com

Facebook and Twitter use OpenSSL web servers, though it's still unclear whether or not they were vulnerable to the issue. Facebook reportedly issued a security patch, as did Google. Other websites that have issued an OpenSSL software security update include WordPress, Amazon Web Services and Akamai. Some websites not considered vulnerable include AOL, Foursquare and Evernote, among others.

huffingtonpost.com

Make sure to keep an eye on sensitive online accounts, especially banking and email, for suspicious activity for the next week or so.

mashable.com

At this point, it isn't clear which sites have been affected and no one is certain if hackers were aware of the bug prior to the outbreak

Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you'll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn't already compromised, but there's no indication that hackers knew about the exploit before this week.

mashable.com

REMEMBER: Changing your password regularly is always a good practice

Image via mshcdn.com

These were the 25 WORST passwords of 2013

Other related story on SAYS: