What if there were a security breach on the World Wide Web that lasted two years and left most of the internet exposed to hackers behind everyone’s backs? Sounds like a plot line from “24” (which incidentally rolls out a new season in just a few days).
Well, it happened.
Nicknamed “Heartbleed” for what it did to websites, it wasn’t a hack; it was a mistake.
“What happened was a programmer back in 2011 was updating a popular open source security toolkit used by many across the web — and he inadvertently introduced a bug in the code that hackers were able to exploit,” said Craig Waterman, a software engineer at Terakeet, a leading search engine optimization company based in Downtown Syracuse.
“Websites that use the broken version of the popular software – OpenSSL – are open to attacks which reveal portions of the underlying computer’s memory,” continued Waterman. “Hackers send a specific message to an affected website and receive back a random chunk of memory which often contains vital information such as usernames and passwords. In addition—and much more serious—are occurrences where that chunk of memory contains the website’s private encryption keys, allowing hackers to decrypt all traffic to and from the vulnerable site.”
“Most websites that used the broken version of OpenSSL were vulnerable, along with many other internet connected devices,” he said.
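To make the mistake Waterman describes concrete, here is an added illustration in C. It is not code from the article and not OpenSSL’s own code: it is a deliberately simplified model of a heartbeat handler in which the vulnerable version trusts the length field inside the incoming message and copies that many bytes back, while the fixed version first checks that the claimed length actually fits inside the record it received. The record layout, function names and the neighbouring “password=hunter2” data are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified heartbeat record (modelled loosely on the TLS
 * heartbeat format): 1 byte type, 2 bytes big-endian payload length,
 * the payload, then at least 16 bytes of padding. Layout and names are
 * an assumption for illustration only; this is not OpenSSL's code. */
#define HB_HEADER_LEN  3
#define HB_PADDING_MIN 16
#define HB_REQUEST     1

/* Constructed data that happens to sit in memory right after the record. */
static const char kNeighbour[] = "password=hunter2";

/* Vulnerable: trusts the length field in the message and copies that many
 * bytes from the memory after the header, never asking how long the record
 * it actually received is. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap) {
    (void)rec_len;                        /* the missing check: never consulted */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) return 0;  /* only protects the destination */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Fixed: the claimed payload plus header and minimum padding must fit inside
 * the bytes that were really received; otherwise the message is discarded. */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_MIN) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + payload_len + HB_PADDING_MIN > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Builds one contiguous buffer standing in for process memory: a 23-byte
 * record carrying the 4-byte payload "ping", immediately followed by the
 * unrelated neighbour data. Returns the record's true length. */
static size_t build_arena(uint8_t *mem, size_t mem_len, uint16_t claimed_len) {
    memset(mem, 0, mem_len);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + HB_HEADER_LEN, "ping", 4);
    size_t rec_len = HB_HEADER_LEN + 4 + HB_PADDING_MIN;   /* 23 bytes */
    memcpy(mem + rec_len, kNeighbour, sizeof kNeighbour - 1);
    return rec_len;
}

static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* A record that claims 40 bytes of payload but really carries 4: the
 * vulnerable handler copies out the neighbouring data as well. */
int vulnerable_leaks_neighbour(void) {
    uint8_t mem[64], out[64];
    size_t rec_len = build_arena(mem, sizeof mem, 40);
    size_t n = heartbeat_reply_vulnerable(mem, rec_len, out, sizeof out);
    return n == 40 && contains(out, n, kNeighbour);
}

/* The same over-claiming record is rejected once the bounds check exists. */
int fixed_rejects_oversized(void) {
    uint8_t mem[64], out[64];
    size_t rec_len = build_arena(mem, sizeof mem, 40);
    return heartbeat_reply_fixed(mem, rec_len, out, sizeof out) == 0;
}

/* An honest record (claimed length matches the payload) still gets echoed. */
size_t fixed_echoes_honest(void) {
    uint8_t mem[64], out[64];
    size_t rec_len = build_arena(mem, sizeof mem, 4);
    return heartbeat_reply_fixed(mem, rec_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks neighbouring data: %s\n",
           vulnerable_leaks_neighbour() ? "yes" : "no");
    printf("fixed handler rejects oversized claim: %s\n",
           fixed_rejects_oversized() ? "yes" : "no");
    printf("fixed handler echoes honest payload of %zu bytes\n",
           fixed_echoes_honest());
    return 0;
}
```

The whole demonstration stays inside one buffer the program owns, so nothing undefined happens; the point is that a single missing comparison between a length the sender chose and a length the receiver measured is what turns an echo routine into a memory disclosure.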
Is It Fixed?
The broken code has been patched, and businesses have been rushing to upgrade affected servers, removing the vulnerability, said Waterman. He said it was conjecture as to who would continue to monitor open source security code in the future. Companies, however, as a whole are going to be much more cautious.
Several large companies, such as Apple and major banks such as Bank of America, Capital One, Citigroup, and Chase were unaffected, having used, or in Apple’s case, developed their own security software to protect themselves.
What to Do
Matt Wagner, a programmer analyst at D&W Diesel, an auto parts re-manufacturer based in Auburn, NY, described what companies and the “average Joe” need to do right now.
Quoting an expert software engineer, Wagner said “anything” was open on sites that used the compromised software.
However, “because it is a server-side bug, companies are primarily the ones who need to patch their servers to fix the issue,” said Wagner. “It is not helpful to change your passwords before the deeper problem has been fixed, otherwise a hacker would see your new password just as clearly. Many sites that were affected have sent out notifications alerting users to change their passwords (I had to do several myself so far).”
Wagner shared a link to a post on Mashable.com listing popular websites that were or were not affected and, importantly, “What Passwords You Need to Change Right Now.”
A breath of fresh air: “You’ll see that most financial institutions were not affected at all,” said Wagner. However, “People should check with their bank or credit union to ask if they were affected and if so what action they need to take,” commented Waterman. “They should at least have a statement on their website concerning the Heartbleed bug.”
On a lighter note, “The comic XKCD sums up the Heartbleed bug quite nicely,” he said.
“Heartbleed is a big deal,” said Thomas Hart, a local web application developer. “It is the most serious security issue the connected world has ever seen and we will be discussing it for years to come. The fact that such a serious issue could exist for so long highlights the gap between how safe we think our data is and the realities of computer software. The scary part is the mistake that caused all of this was a relatively easy one to make and difficult to spot. One small oversight by one programmer in one bit of code has made the data of millions of people vulnerable. It was an easy mistake, but will be a difficult resolution based on the time this issue has been in the wild.”
Yeah, two years!
Wagner mentioned the conjecture that the NSA has known about the bug and has used it to spy on people the whole time. Experts also underline the fact that many cyber criminals were exposed due to Heartbleed.
Hart provided a link to check your site out to see if it is exposed.
“Be smart,” says Wagner. “Look out for fraudulent emails that are trying to steal login credentials. Usually, banks do not request your login information via email, ever.”
“Check that list!” he said. “And keep an eye out for the little green padlock that appears in the address bar.”
With much of the world as we know it being so connected to the internet, it’s scary how easily we can be exposed. Smart people take heed: check out the info now available and make sure you are protected.
A former Internet Marketing Manager, Joe Cunningham is a screenwriter, playwright and all-around adventurer. He blogs for Kinani Blue, charms Google at Terakeet and enjoys running through the city. You can follow him on Twitter at @IndianaJoe77 or he can be reached at firstname.lastname@example.org.