Code-named “The Heartbleed Bug”, news of this serious vulnerability has been spreading rapidly through the media. It is not unlikely that you have heard something about it recently, and at first glance it sounds like an incredibly large loophole. Warnings about the safety of the sensitive data in your online accounts have run rampant to the point of near mass hysteria. Is Heartbleed actually that dangerous? The simple answer is yes, but there are caveats that lessen the haze of gloom and doom surrounding it. We’ll explore the facts below and touch on some utilities and other methods for making sure your information is safe.
First, let’s figure out exactly what Heartbleed is, and why it has had so much attention. The World Wide Web is a complex network of servers and clients interconnected to share and deliver information to anyone who requests it. Some of this information is considered sensitive, and so it is protected to preserve the privacy of its owner. A simple example is the username and password for an online account; it extends to much more sensitive information, like your address or a credit card number. To keep this data private while it travels between your browser and the website, it is encrypted using a protocol called SSL, or its modern successor TLS. Without going into great detail, this encryption means that someone watching the network cannot read what you send or receive; it does not, by itself, prove who you are. That part is handled by logging in: once your username and password combination is verified, you are granted access to the information pertaining to your account, and the encrypted connection keeps that exchange private. Heartbleed is a vulnerability in one of the most popular cryptographic software libraries, OpenSSL, which implements SSL and TLS. As a user you notice this type of encryption on a site by the familiar “https://” preceding the URL and the padlock in the address bar. OpenSSL is the default SSL/TLS engine for the Apache and nginx web servers, and according to Netcraft [http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html] Apache and nginx together account for 66% of the websites on the internet. OpenSSL is also used well beyond the web, including by instant messaging services and email servers.
Crucially, the bug is in OpenSSL’s implementation of the TLS “heartbeat” extension, a keep-alive feature in which one side sends a small message and asks the other to echo it back. The sender states how long its message is, and a vulnerable OpenSSL (versions 1.0.1 through 1.0.1f) never checked that claim against the length of the data it actually received. An attacker can therefore send a heartbeat of a couple of bytes that claims to be 65,535 bytes long, and the server answers with up to 64 kilobytes of whatever happens to sit next to that message in its memory. The request needs no login, leaves no trace in the server’s logs, and can be repeated as often as the attacker likes. Depending on what is in memory at the time, a hacker could gain usernames and passwords, other form data like addresses or credit card numbers, or, most seriously, the server’s private key, which would allow the hacker to impersonate the site and to decrypt recorded traffic to and from it (unless the connection used forward-secret ciphers). The latter means the potential for full access to encrypted data, no matter what it is, certainly an alarming prospect. The situation is worsened by the fact that this loophole existed in OpenSSL for nearly two years, from the release of version 1.0.1 in March 2012 until the fix in 1.0.1g in April 2014; it is tracked as CVE-2014-0160.
(Image credit to Dilbert.com)
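To make the missing check concrete, here is a small simulation of the heartbeat over-read. It is an added example written for this article, not OpenSSL’s code: it lays a heartbeat message out in a buffer next to some constructed “neighbouring” data (a sample cookie, password and key that are not real), then answers it once the way the vulnerable versions did and once with the one-line bounds check that 1.0.1g added. Everything in the buffer is made-up sample data.

```python
"""
Simulation of the Heartbleed over-read, added here to illustrate the article.
This is not OpenSSL's code. It models a TLS heartbeat message laid out in a
process buffer next to other live data (RFC 6520 layout: 1-byte type,
2-byte payload length, the payload, then at least 16 bytes of padding) and
shows the one missing check that made versions 1.0.1 to 1.0.1f leak memory.
All memory contents and "secrets" below are constructed sample data.
"""
import struct
from typing import Callable, Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16          # minimum padding required by RFC 6520
HEADER_LEN = 1 + 2        # type byte + 16-bit payload length
MAX_CLAIM = 0xFFFF        # largest value a 16-bit length field can hold (~64 KB)

# Constructed stand-in for whatever else happens to be on the heap next to the
# incoming heartbeat: another user's request, a password, a private key.
NEIGHBOURING_HEAP = (
    b"POST /login HTTP/1.1\r\nCookie: session=3c9a...\r\n\r\n"
    b"user=alice&password=correct-horse-battery-staple\r\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...(sample, not a real key)\n"
) + b"\x00" * 0x10000   # the rest of the heap, zero-filled for the demo


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request. An honest peer sets claimed_length equal to
    len(payload); an attacker claims far more than it actually sends."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """OpenSSL 1.0.1 to 1.0.1f: trust the length field and copy that many bytes
    from where the payload starts in memory, even though only record_len bytes
    were received. The copy runs past the record into neighbouring data."""
    hb_type, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    return struct.pack("!BH", HB_RESPONSE, claimed) + memory[HEADER_LEN:HEADER_LEN + claimed]


def fixed_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """OpenSSL 1.0.1g: the same code plus the bounds check from the fix.
    Header + claimed payload + padding must fit inside the received record,
    otherwise the message is silently discarded."""
    hb_type, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    if HEADER_LEN + claimed + PADDING_LEN > record_len:
        return None
    return struct.pack("!BH", HB_RESPONSE, claimed) + memory[HEADER_LEN:HEADER_LEN + claimed]


Responder = Callable[[bytes, int], Optional[bytes]]


def heartbeat_exchange(responder: Responder, payload: bytes, claimed_length: int) -> Optional[bytes]:
    """Place the request at the start of a buffer with other live data after it
    (as on a real heap) and hand it to the responder. Returns the echoed
    payload, or None if the responder dropped the message."""
    record = build_heartbeat(payload, claimed_length)
    memory = record + NEIGHBOURING_HEAP
    response = responder(memory, len(record))
    return None if response is None else response[HEADER_LEN:]


def leaked_secrets(responder: Responder) -> list:
    """Attack: send a 2-byte payload that claims to be MAX_CLAIM bytes and see
    which of the constructed secrets come back in the echo."""
    echoed = heartbeat_exchange(responder, b"hi", MAX_CLAIM) or b""
    markers = [b"password=", b"Cookie: session=", b"BEGIN RSA PRIVATE KEY"]
    return [m.decode() for m in markers if m in echoed]


if __name__ == "__main__":
    print("honest heartbeat, fixed server :", heartbeat_exchange(fixed_respond, b"hi", 2))
    print("attack, vulnerable server leaks:", leaked_secrets(vulnerable_respond))
    print("attack, fixed server leaks     :", leaked_secrets(fixed_respond))
```

Run as a script, the honest two-byte heartbeat is echoed back as `b'hi'` by both versions, the vulnerable responder hands the attacker the sample cookie, password and key in one reply, and the fixed responder returns nothing at all. The only difference between the two responders is the single comparison in `fixed_respond`, which is essentially what the OpenSSL patch added; the attacker never has to log in, and nothing about the exchange is written to a web server’s access log.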
So what’s the good news? The Heartbleed Bug was discovered by “white hat” security researchers, engineers at Google and at the Finnish security firm Codenomicon who found it independently. A white hat hacker is someone who, as a hobby or on behalf of a company, attempts to break into a system in order to expose security loopholes so that they can be closed. Luckily it was found by the “good guys”, so to speak, and the people who manage servers were alerted to update their OpenSSL software to patch the vulnerability. At the time of writing there is no evidence that this vulnerability has been used by any group with malicious intent, nor any indication that it was exploited during the two years it existed. One caveat: a Heartbleed request leaves nothing in a web server’s normal logs, so a site cannot simply check its records to rule an attack out. Still, as far as anyone can tell, the internet dodged a bullet.
Most of the companies who manage these servers have already updated OpenSSL, closing the Heartbleed loophole. This prevents an attack now or in the future, but if a server was attacked before it was patched, it is possible that your information has already been compromised. Patching is also only the first step: because the bug could expose a server’s private key, a properly cleaned-up site also replaces its certificate and revokes the old one, so that a key stolen earlier cannot be used to impersonate it later. You should take the risk with a grain of salt, though. This type of attack targets the websites where the hacker gets the most bang for their buck; a large site like Facebook, which stores a lot of personal information that could unlock other important accounts, is a far more likely target than a typical business website.
Ultimately, it is very unlikely that any of your information has been compromised by this bug. If you want to be sure, there are some simple steps you can follow. First, use one of the test utilities below to check whether the website you are concerned about is still vulnerable to Heartbleed. If it is still vulnerable, don’t do anything yet: a password changed on an unpatched site can be stolen just like the old one. If you are concerned that nothing is being done, the only thing you can do is contact the website to ask about its progress. Once the site shows as secure, change your password. Follow the usual strong-password advice: make it as long as you can, mix in symbols, numbers and capital letters, and never reuse it on another site; a password manager makes this painless. It also shouldn’t be anything personal or easy to guess; for example, don’t use numbers from your birth date, which anyone can find on Facebook.
Heartbleed Testing Tools
In an abundance of caution, Upright has already verified that the servers our clients’ websites are hosted on were patched with the new OpenSSL, and the passwords of affected sites have been changed.