heartbleed 

Called "one of the biggest security threats the Internet has ever seen," the Heartbleed Bug has been quietly causing destruction for over two years. It is time to address the problem. SLICE tells you how.

 

 

The Heartbleed Bug

“Heartbleed” may sound familiar. No, it isn’t the name of that band you saw in concert when you were going through an emo phase. It sounds familiar because it has been the topic of numerous news articles and the cause of much panic in the last week or so. In a crisis, there is no shortage of conflicting information. Allow SLICE to brief you on the truth about Heartbleed and advise you on how you can protect yourself as well as your business from this very real threat.

What Heartbleed Is and What It Does

The Internet’s speed and seemingly boundless potential can make it easy to forget that all online activity is the result of a series of encrypted messages being transmitted, received, and decrypted. Although different encryption codes exist, two-thirds of all websites are powered by a type of encryption software called OpenSSL. OpenSSL issued from December 2011 onward features something called a “heartbeat extension,” which limits the time an encrypted session stays valid. CVE-2014-0160, better known as the Heartbleed Bug, is a glitch present in some versions of the software characterized by the absence of a bounds check, a necessary verification, in the heartbeat extension. This lack of a bounds check exposes the contents of the website server’s memory, which makes it easy for hackers to steal users’ passwords, credit card numbers, and other personal data. It also enables hackers to obtain copies of the server’s digital keys, which they can use to impersonate servers and to decrypt past and possibly even future communications. Versions of OpenSSL affected by the Heartbleed Bug have been in use for over two years, but experts fear the media attention the vulnerability’s recent discovery has received will inspire previously oblivious hackers to seize the opportunity for theft.

What You Can Do About It

Soon after news of the bug broke, Italian cryptography expert Filippo Valsorda developed a test to check web addresses for the Heartbleed Bug. Affected sites include Instagram, Gmail, and many other websites and services on which individuals and business owners alike commonly rely for communication and personal/professional brand promotion purposes. The idea of hackers having had ready access to users’ most personal information for more than two years is a scary one. While there is no way to reverse the damage already done, there are ways to prevent the Heartbleed Bug from wreaking further havoc.

If you are the administrator of a website that runs on Apache or Nginx server software, this test, created by cloud security company Qualys’ SSL Labs, can reveal whether or not the website’s security has been compromised by the Heartbleed Bug. If the test proves the website afflicted, install the latest version of OpenSSL, 1.0.1g, to patch the security flaw. Many popular websites have reportedly done so.

As website administrators scramble to protect users, SLICE recommends users take steps to protect themselves. For starters, check this list of the statuses of the most popular websites and services to see if the ones you frequent have been affected by the Heartbleed Bug:

·         Affected:

o   Facebook

o   Instagram

o   Pinterest

o   Tumblr

o   Google

o   Yahoo

o   Amazon Web Services (for website operators)

o   Etsy

o   GoDaddy

o   Intuit (TurboTax)

o   USAA

o   Box

o   Dropbox

o   GitHub

o   IFTTT

o   Minecraft

o   OKCupid

o   Soundcloud

o   Wunderlist

·         Unaffected:

o   LinkedIn

o   Apple

o   Amazon

o   Microsoft

o   AOL

o   Hotmail

o   EBay

o   Groupon

o   Nordstrom

o   PayPal

o   Target

o   Walmart

o   Bank of America

o   Barclays

o   Capital One

o   Chase

o   Citigroup

o   E-Trade

o   Fidelity

o   PNC

o   Schwab

o   Scottrade

o   TD Ameritrade

o   TD Bank

o   T. Rowe Price

o   US Bank

o   Wells Fargo

o   1040

o   File Your Taxes

o   Healthcare.gov

o   TaxACT

o   Evernote

o   Hulu

o   Spark Networks

o   SpiderOak

o   1Password

o   Dashlane

o   LastPass

·         Status Unclear:

o   Twitter

o   H&R Block

o   IRS

o   Netflix

o   WordPress

Change your passwords on affected websites, even those that claim to have fixed the issue, as it is better to be safe than sorry. If your web browser is Google Chrome, you may want to download its Chromebleed extension, which warns you if the website or Google search result you are viewing is afflicted by the Heartbleed Bug. Furthermore, pay attention to bank and credit card statements. Unusual activity may reflect identity theft committed by a hacker who took advantage of the Heartbleed vulnerability.

For all of the ways the Internet enhances personal and professional life, using it involves an element of risk. Heed our advice and minimize it.

 

 By: Alannah Dragonetti
