Don’t Bleed Out from Heartbleed
The beginning of April brought the discovery of a major bug named Heartbleed that’s affected two-thirds of websites and applications, exposing users to information theft.
While we’ve been busy making all necessary patches, updates and password changes for our clients, we wanted to take the time to explain to you exactly what Heartbleed is, what it’s affected and what to do.
What is the Heartbleed bug?
A website or application that transmits sensitive information needs to be secure. To be secure, it uses one of the security protocols developed to keep that information protected and encrypted, such as SSL (Secure Sockets Layer). One of the most common pieces of software implementing these protocols is OpenSSL, which is developed by a volunteer team of programmers all over the world.
One of the newer parts of OpenSSL is the Heartbeat feature, which lets the two ends of a connection confirm that they are both still on a secure connection with each other. The sender sends a request to the server: “If you’re still on the connection, send back the 3-letter word ‘boy’.” If the server sends back the word “boy”, the connection is confirmed and they continue to transmit information securely.
The bug is that the requested word length (3 letters for “boy”) can be set to a number larger than the word actually sent (say 400), and the server never checks that claim against what it really received. It then sends back the word plus whatever happened to sit next to it in memory: data the server was processing right before the request (397 characters’ worth). The following cartoon by XKCD provides a great visual explanation.
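As an added illustration that is not part of the original post, here is a small C simulation of the heartbeat handler: the version with the missing length check beside the version carrying the check OpenSSL added in 1.0.1g. The memory picture, the `build_memory` helper and the `leaks` check are constructed for the demo; the rest of the protocol is not modelled.

```c
#include <stdint.h>
#include <string.h>

#define PAD 16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */
#define MEM 512  /* size of the constructed memory picture; claimed lengths stay below MEM - 3 */

/* Constructed server memory: the received heartbeat record first, then leftover data from an earlier request. */
static size_t build_memory(unsigned char *mem, uint16_t claimed_len) {
    static const char leftover[] = "...user=alice&password=hunter2 (constructed)...";
    size_t n = 0;
    mem[n++] = 0x01;                               /* type: heartbeat request */
    mem[n++] = (unsigned char)(claimed_len >> 8);  /* length field, sender-controlled */
    mem[n++] = (unsigned char)claimed_len;
    memcpy(mem + n, "boy", 3);  n += 3;            /* the real 3-byte payload */
    memset(mem + n, 'x', PAD);  n += PAD;          /* padding (random in practice) */
    memcpy(mem + n, leftover, sizeof leftover);    /* adjacent heap contents */
    return n;                                      /* record length TLS actually received */
}

/* Vulnerable: echoes whatever length the sender claims (OpenSSL 1.0.1 through 1.0.1f). */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                   /* the bug: the real record length is never consulted */
    memcpy(out, rec + 3, payload);   /* reads past the record into leftover data */
    return payload;
}

/* Fixed: the bounds check OpenSSL 1.0.1g added; an oversized claim is silently dropped. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + PAD) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + PAD > rec_len) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

static unsigned char response[MEM];   /* last response echoed to the peer */

/* One heartbeat with the given claimed length; returns the number of bytes echoed back. */
static size_t echoed(uint16_t claimed_len, int fixed) {
    unsigned char mem[MEM] = {0};
    size_t rec_len = build_memory(mem, claimed_len);
    memset(response, 0, MEM);
    return fixed ? heartbeat_fixed(mem, rec_len, response) : heartbeat_vulnerable(mem, rec_len, response);
}

/* True if the echoed bytes carried data from beyond the heartbeat record. */
static int leaks(uint16_t claimed_len, int fixed) {
    response[echoed(claimed_len, fixed)] = 0;
    return strstr((char *)response, "password=") != NULL;
}
```

An honest 3-byte request gets "boy" back from both handlers; a request claiming 400 bytes gets 400 bytes, leftover data included, from the vulnerable one and nothing at all from the fixed one.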
What’s the issue?
The information that the attacker would see could contain any of the following (from least problematic to most problematic):
1) protected content like personal or financial details, emails or other communications
2) usernames and passwords – which would enable the attacker to take control of users’ accounts
3) the private encryption key – which would enable the attacker to read any future communication with the server, even though it is encrypted, and to impersonate the server
You could be affected if:
1) the server was processing your information right before an attack
2) the private key was part of the information accessed in an attack, leaving the server itself open to infiltration without the attacker needing the Heartbleed bug at all
What should you do now?
Check if any of the secure sites/services you use were running a vulnerable version of OpenSSL.
Have they patched (fixed the issue) yet?
If they have, change your password.
If they haven’t, wait to change your password until they do. Even if you changed your password now, an attacker could still capture it through the same attack, or use the stolen private key to decipher it from encrypted traffic. Sites may be posting updates on their own pages, or you can email them to ask what they have done and whether you should change your password yet.
Here’s a list of highly-used sites and their Heartbleed status. Sites that were vulnerable include Facebook, Gmail, Pinterest, Yahoo, GoDaddy and Minecraft.
Even the Healthcare.gov site was affected.
Thought to be an oversight rather than something deliberately programmed in, the Heartbleed bug did show the dangers of relying on open source software for critical functions. OpenSSL itself has been fixed. Both the volunteers who create open source software and the community that uses it will be keeping an eagle eye on it in the future.