We all strive to protect our computers and our precious information from evil hackers and in order to do so, we have to keep up with new threats. This particular threat is hacking popular websites in order to gain users’ secret information.
In the second week of April 2014, Information Technology security experts reported a security weakness in some of the popular websites – they named it the Heartbleed bug. The bug works by exploiting these weaknesses to get access to the website users’ passwords. However, experts are still at the early stages of analyzing the extent, mechanisms, implications and ways to counter attacks from this bug. In this article, we will look at the current state of the bug, and the ways to protect your PC from its attacks.
A Background Of The Bug
On 7 April 2014, a Google employee, Neel Mehta, and an Internet security firm, Codenomicon, discovered this bug. Although these two entities do not work in collaboration, they noticed this security flaw on the same day.
Neel Mehta went on to offer a $15,000 donation, from the reward money he got for exposing the bug, to the Freedom of the Press Foundation’s initiative to develop ways to protect journalists when they transmit their findings online.
Google (Mehta’s employer) reiterates that they have a strong resolve to detect and counteract the effects of malicious code, thus explaining their keen interest in the Heartbleed bug. However, why call it a ‘Heartbleed’ bug?
Why Name The Bug Heartbleed?
Originally, the security firm that played a part in unearthing the bug – Codenomicon – named the bug CVE-2014-0160 (as a tribute to the exact line of code where they discovered the bug). However, one of the firm’s employees, Ossi Herrala, offered the term ‘Heartbleed’ for the bug. Though it is a simpler name for a bug, we will see shortly why that employee referred to a ‘bleeding heart’ as a metaphor for the bug.
The affected websites were using an OpenSSL networking protocol, whose extension experts call a ‘heartbeat’. They call it a heartbeat because this extension manages interaction between devices even when they are not active (when the devices are not sending packets to each other). Therefore, by calling the bug ‘Heartbleed’, Herrala implied that the bug was siphoning blood – important data – from the facility that held it temporarily.
After all, the security experts had to communicate the new malice to the public, and the term ‘Heartbleed’ offered a simple picture of what was going on without involving too much technical jargon. Consequently, Codenomicon acquired the Heartbleed.com domain to communicate the details of the bug.
A Technical Look At The Bug
To get a better understanding of the bug, we must first understand the OpenSSL protocol before examining how the bug exploits the protocol’s weaknesses.
OpenSSL
OpenSSL comes from ‘Open’ – for open source, and SSL – for Secure Sockets Layer (also known as Transport Layer Security (TLS)). The SSL mechanism enables websites to transmit information over the Internet securely, by use of encryption. Therefore, SSL reduces the chances of unintended users working out the details of a transmission, even when they manage to get access to that transmission. You might have noticed that some websites have https instead of http in their addresses (for example, PayPal’s address is https://paypal.com). Those websites use the SSL standard.
OpenSSL is the open-source version of SSL. The Heartbleed bug exploits the 1.0.1 versions of OpenSSL. To get a sense of the extent and potential vulnerability of systems, you should note that open-source systems, like Linux, use the OpenSSL standard. These systems manage a great portion of the facilities connected to the Internet through their Nginx and Apache implementations.
How The Bug Exploits OpenSSL
Systems that encrypt their data using the 1.0.1 version of OpenSSL are vulnerable to attacks from malicious code, like the Heartbleed bug. This is because this version does not restrict eavesdropping code from getting access to data that is in the memory of a transmission’s facility. The weakness allows the bug to acquire the encryption keys, and consequently, credentials like user names and their corresponding passwords.
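To make the missing restriction concrete, the following added example (not code from this article or from OpenSSL) models a heartbeat record laid out as RFC 6520 describes: a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding. The function names, the 64-byte stand-in for server memory and the sample data are all constructed for illustration; the example shows a handler that trusts the length field next to one that checks it against the size of the record actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_PADDING  16   /* minimum padding RFC 6520 requires */
#define SAMPLE_LEN  21   /* header + 2-byte payload + 16 bytes padding */

/* Constructed stand-in for process memory: one heartbeat record followed
 * by unrelated data, so every read below stays inside this array. */
static uint8_t mem[64];

static void build_sample(uint16_t claimed_len) {
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + HB_HEADER, "hi", 2);                    /* real payload */
    memcpy(mem + SAMPLE_LEN, "CONSTRUCTED-SECRET", 18);  /* neighbour data */
}

/* Pre-fix behaviour: echoes as many bytes as the peer claims to have sent. */
static size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                                       /* never consulted */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    return HB_HEADER + payload;
}

/* Hardened: discard any record whose claimed payload cannot fit in it. */
static size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    return HB_HEADER + payload;   /* response padding omitted for brevity */
}

int main(void) {
    uint8_t out[64];
    build_sample(32);   /* record carries 2 payload bytes but claims 32 */
    printf("unchecked reply: %zu bytes\n", hb_reply_unchecked(mem, SAMPLE_LEN, out));
    printf("checked reply:   %zu bytes\n", hb_reply_checked(mem, SAMPLE_LEN, out));
    return 0;
}
```

The unchecked handler's reply includes bytes that sit after the record in memory, which is how keys and passwords could end up in a response; the checked handler drops the malformed record and still answers an honest one.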
Ways To Protect Your PC
Yahoo is the most affected online service. All its related services – Yahoo Search, Finance, Flickr, Mail and Tumblr – were vulnerable to the Heartbleed bug but now have the vulnerability patched.
Other popular services were also under attack from the bug, for example, Imgur and OKCupid. To avoid losing your data, you should keep away from these sites until the dust has settled, manage your passwords wisely, and keep track of the affected services’ response to the attack. Also, check if your financial accounts have already come under attack.
Keep Away From Vulnerable Websites
Even if the affected websites declare that their services are now safe from intrusion by the Heartbleed bug, keep away from them. Do not log in to your account. The first thing you should do is confirm from other credible third parties, like CNET’s Heartbleed Bug’s checklist, that they are safe to visit. You can also google your favourite site with a query like “yahoo heartbleed” and you will find all the information you need.
Manage Your Passwords
Although your first response might be to change your passwords on the affected websites, desist from doing so, as any activity on your account might be under view of the bug. As with the previous suggestion, keep away from your account unless you have researched the site and it is safe enough.
When you’re sure that the site is definitely safe enough, change your passwords – preferably using password utilities that suggest stronger passwords or manage them for you. But just remember there are more secrets about information security that go deeper than just changing a password.
Check The Security On Smaller Sites
Larger Internet based services, for example Yahoo, are aware of the threats they face. However, if you use smaller Internet based services to manage sensitive data, contact them directly to know if they are aware of the threat from the bug, and find out what they are doing about it.
Protect Your Online Accounts
There are a few good ways to protect your online accounts from these sorts of attacks in the future. For example, you can create strong passwords, be aware of the risks of using public networks, and above all, protect your computer.
If you are not worried about the threat that the bug poses to your Internet based service provider, or if that service has not come under attack, make a point to go over your statements (if the service is financial-based) to make sure that no unauthorized transactions have taken place.
Ultimately, be very careful when using the Internet
The extent of the bug’s attack may not be fully apparent yet, so take extra care when using the Internet. If possible, you should not carry out crucial transactions over the Internet until security experts handle this security vulnerability.