An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.
We’ve put together the following guide to the “Heartbleed bug” for those who want to understand what all the fuss is about and how they can protect themselves.
What is the Heartbleed bug?
Heartbleed is a flaw in OpenSSL, the open-source encryption library (an implementation of SSL/TLS) used by the majority of sites on the web that need to transmit data users want to keep secure. It basically gives you a “secure line” when you’re sending an email or chatting on IM.
Encryption works by making it so that data being sent looks like nonsense to anyone but the intended recipient. Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, so it will send out what’s known as a “heartbeat,” a small packet of data that asks for a response.
Due to a programming error in OpenSSL’s implementation of this heartbeat feature, the researchers who discovered the flaw found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats and trick the computer at the other end of a connection into sending over data stored in its memory.
According to the researchers who discovered the flaw, the code has been in OpenSSL for approximately two years, and utilizing it doesn’t leave a trace.
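The heartbeat exchange described above, reduced to a toy model, as an added example that is not code from the article or from OpenSSL itself. A heartbeat request carries a length field that says how large its payload is; the bug was that the responder trusted that field and copied that many bytes back, even when the request actually contained far fewer. The record layout follows RFC 6520, but the `arena` buffer (a stand-in for the server’s process memory), the placeholder text planted in it and every function name are constructed for this example. The unchecked responder shows the defect, the checked one shows the missing bounds check that the fix added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat message (after the TLS record layer has been stripped):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HEADER = 3 };

/* Simulated process memory (constructed for this example). The received record sits at
 * offset 0; the bytes after it stand in for whatever else the server happened to hold. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char LEFTOVER[] = "CONSTRUCTED-LEFTOVER-MEMORY";

/* Write a heartbeat request into `arena` whose header claims `claimed_len` payload bytes,
 * regardless of how many bytes `payload` really has. Returns the record's true length. */
static size_t build_request(const char *payload, uint16_t claimed_len) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, plen);
    size_t rec_len = HB_HEADER + plen + HB_PADDING;     /* padding bytes are already zero */
    memcpy(arena + rec_len + 8, LEFTOVER, sizeof LEFTOVER - 1);  /* unrelated data nearby */
    return rec_len;
}

/* The bug: the copy length comes straight from the packet and is never compared with
 * how many bytes were actually received. Returns bytes written to resp, or -1. */
static int respond_unchecked(const unsigned char *rec, size_t rec_len,
                             unsigned char *resp, size_t resp_cap) {
    (void)rec_len;                                   /* never consulted: that is the defect */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len > resp_cap) return -1;  /* guards only the output */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload_len);     /* reads past the real record */
    return HB_HEADER + payload_len;
}

/* The fix: reject any record whose claimed payload, header and minimum padding
 * do not fit inside the bytes that were actually received. */
static int respond_checked(const unsigned char *rec, size_t rec_len,
                           unsigned char *resp, size_t resp_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;            /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > rec_len) return -1;  /* the bounds check */
    if ((size_t)HB_HEADER + payload_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload_len);
    return HB_HEADER + payload_len;
}

/* Does a response contain the placeholder bytes that were never part of the request? */
static int leaks_leftover(const unsigned char *resp, int resp_len) {
    int mlen = (int)(sizeof LEFTOVER - 1);
    for (int i = 0; i + mlen <= resp_len; i++)
        if (memcmp(resp + i, LEFTOVER, (size_t)mlen) == 0) return 1;
    return 0;
}

/* Run one scenario: response length (or -1 if rejected), with the leak flag via *leaked. */
static int simulate(const char *payload, uint16_t claimed_len, int hardened, int *leaked) {
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_request(payload, claimed_len);
    int n = hardened ? respond_checked(arena, rec_len, resp, sizeof resp)
                     : respond_unchecked(arena, rec_len, resp, sizeof resp);
    if (leaked) *leaked = (n > 0) ? leaks_leftover(resp, n) : 0;
    return n;
}

/* Same scenario, returning only whether leftover memory ended up in the response. */
static int simulate_leaks(const char *payload, uint16_t claimed_len, int hardened) {
    int leaked = 0;
    simulate(payload, claimed_len, hardened, &leaked);
    return leaked;
}

int main(void) {
    /* A two-byte payload whose header claims 64 bytes. */
    printf("unchecked: %d bytes returned, leftover memory included: %d\n",
           simulate("hi", 64, 0, NULL), simulate_leaks("hi", 64, 0));
    printf("checked:   %d (negative means the record was rejected)\n",
           simulate("hi", 64, 1, NULL));
    return 0;
}
```

A well-formed request (header length matching the real payload) is answered identically by both responders; the difference only appears when the length field lies, which is exactly the case a defender’s test suite should cover.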
How bad is that?
It’s really bad. Web servers can keep a lot of information in their active memory, including user names, passwords, and even the content that users have uploaded to a service. Even credit card numbers could be pulled out of the data sitting in memory on the servers that power some services.
But worse even than that, the flaw has made it possible for hackers to steal encryption keys, the codes used to turn gibberish encrypted data into readable information. With encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.
How do I know if I’m affected?
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your favorite social site, your company’s site, commercial sites, hobby sites, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.
When it comes to security online, we always recommend being proactive and protecting yourself first and foremost, so here are a few action items that you should take today to protect your data.
Immediately change all your passwords
This is the first step no matter what the security risk. Any time you feel your data has been compromised, you should always change all of your passwords. This includes your email, banking, social media — literally any website that has a password that you use frequently needs to be changed. As the Heartbleed bug may have exposed your login credentials, we recommend immediately changing all of them to ensure no one else has access to any of your accounts. If you’re not sure which sites were affected, we have the perfect chart for you below, created by the “digital forensic specialists” at LWG Consulting:
Choosing strong passwords and changing them regularly is still the best practice, and this should prompt you to be safe and change all of your passwords, even if only as a precaution.
Monitor your identity and personal accounts closely
As with any potential theft of personal data, you should closely monitor all your accounts moving forward. Watch activity on all your accounts, from credit reports and bank and credit card statements to other personal accounts such as email, for any suspicious activity. Since the Heartbleed bug may have allowed people to see the data you were submitting on secured forms, they could potentially have gained enough information to steal your identity. Closely monitoring your accounts will help you take quick action in the event your personal details were compromised.
Be vigilant for phishing attempts
Phishing attempts have been a favorite of con artists for a while now, and they are constantly looking for ways to make their attempts seem more legitimate. If they were able to use the Heartbleed bug to gain some personal information, like a bank account number or password, they may use it in an attempt to gain more information from you. Never respond to unsolicited emails or telephone calls asking for your personal information, and always ensure you only update information on the legitimate websites. Banks and credit card companies will never ask for information via email, only on secured forms.
For more information, check out the BBC’s information on Heartbleed by clicking here.