It's been a while since there was a computer security bug we
all had to worry about.
Unfortunately, it seems like we may all have been facing one
for two years and not even realized it.
The day before yesterday, security researchers announced a security
flaw in OpenSSL, a popular data encryption standard, that gives hackers who
know about it the ability to extract massive amount of data from the services
that we use every day and assume are mostly secure.
This isn't simply a bug in some app that can quickly be
updated - the vulnerability is in on the machines that power services that
transmit secure information, like Facebook and Gmail.
We've put together the following guide to the
"Heartbleed bug" for those who want to understand what all the fuss
is about and how they can protect themselves.
What is the Heartbleed bug?
Heartbleed is a flaw in OpenSSL, the open-source encryption
standard used by the majority of sites on the web that need to transmit data
users want to keep secure. It basically gives you a "secure line"
when you're sending an email or chatting on IM.
Encryption works by making it so that data being sent looks
like nonsense to anyone but the the intended recipient.
Occasionally, one computer might want to check that there's
still a computer at the end of its secure connection, so it will send out
what's known as a "heartbeat," a small packet of data that asks for a
response.
Due to a programming error in the implementation of OpenSSL,
the researchers found that it was possible to send a well-disguised packet of
data that looked like one of these heartbeats to trick the computer at the
other end of a connection into sending over data stored in its memory.
The flaw was first reported to the team behind OpenSSL by
Google Security researcher Neel Mehta, and independently found by security firm
Codenomicon.
According to the researchers who discovered the flaw, the code has been in
OpenSSL for approximately two years, and utilizing it doesn't leave a trace.
How bad is that?
It's really bad. Web servers can keep a lot of
information in their active memory, including user names, passwords, and even
the content that user have uploaded to a service. According to Vox.com's Timothy Lee, even credit card numbers could be
pulled out of the data sitting in memory on the servers that power some
services.
But worse even than that, the flaw has made it possible for
hackers to steal encryption keys, the codes used to turn gibberish encrypted
data into readable information.
With encryption keys, hackers can intercept encrypted data
moving to and from a site's servers and read it without establishing a secure
connection. This means that unless the companies running vulnerable servers
change their keys, even future traffic will be susceptible.
Am I affected?
Probably, though again, this isn't simply an issue on your
computer or phone itself - it's in the software that powers the services you
use. Security firm Codenomicon reports:
You are likely to be affected either directly or indirectly.
OpenSSL is the most popular open source cryptographic library and TLS
(transport layer security) implementation used to encrypt traffic on the
Internet. Your popular social site, your company's site, commercial site, hobby
site, sites you install software from or even sites run by your government
might be using vulnerable OpenSSL.
According to a recent Netcraft web server survey that looked at nearly
959,000,000 web sites, 66% of sites are powered by technology built around SSL,
and that doesn't include email services, chat services, and a wide number of
apps available on every platform.
So what can I do to protect myself?
Since the vulnerability has been in OpenSSL for
approximately two years and utilizing it leaves no trace, assume that your
accounts may be compromised. You should change passwords immediately,
especially for services where privacy or security are major concerns.
Meanwhile, the researchers who discovered the flaw let the
developers behind OpenSSL know several days before announcing the
vulnerability, so it was fixed before word got out yesterday. Most major
service providers should already be updating their sites, so the bug will be
less prevalent over coming weeks.
Sources...:- Businessinsider & HeartBleed.com
.png)
