If you’ve been relatively busy on the internet recently, then you’re probably already aware of the situation regarding the Heartbleed bug. Throughout our daily lives we make use of a process that encrypts our data, so that people can’t just receive the data whenever they please and get information on people (that is, until now). Whether you’re making use of social media applications or simply doing some banking on your phone, this process takes place, and it’s something that shouldn’t be taken lightly. Whenever it involves sharing data, it involves the use of OpenSSL. A brand new bug (known as the one and only ‘Heartbleed’) has struck again, and it has shifted the balance of internet trust amongst consumers to the negative side. If we can’t be completely sure our information is safe, how can we still go about using these applications? The bug itself is based on a fault within a piece of functionality in the OpenSSL library.
The bug was originally found by Neel Mehta, who is from Google Security. The library we’re talking about is used on an incredibly large scale, as security vendors make efficient use of it to secure the browsing activities of users (whenever you see a site with https:// in its address and you’re signing in, you’re making use of OpenSSL). The Apache web server powers a large portion of the internet, and it usually relies on OpenSSL for its activities. As a matter of fact, you might be using OpenSSL at your business or house right now, as plenty of popular services on the internet make use of it as well (for example Yahoo!). While most sites have protected themselves from the bug, the initial news was a shock and resulted in the discovery of information leaks all across the web. The leakage of information on the internet is never a good thing, especially when it could affect somebody’s life financially.
Many people may be wondering why they should be worrying about this particular bug, but there are so many reasons to worry that it’s sort of a silly question. There are plenty of write-ups that go through the process from a technical standpoint, and there is plenty of detail to go through, but not everybody can understand the terms and phrases used. As a result, we’re going to go through it in “layman’s terms”, so to speak. When the bug is exploited, the attacker (who is making use of this bug) is able to retrieve up to 64kb of memory from the remote system. This means that they could have access to usernames, passwords, even keys or any other information that could lead to something tragic happening should it get into the wrong hands. Sometimes they can even make use of the information they initially get to plan a bigger and better attack on the person.
For example, an attacker may be able to get hold of keys and passwords that protect another form of security, which they could then go on to infiltrate for themselves. At first glance you see 64kb and you think “well that’s not a lot, so there isn’t really much they could do,” but this is completely wrong. They would be able to connect as many times as they pleased, so if the attacker had the patience (as well as the willpower) to really get something done, they could definitely do it. People have been encouraged to change not only their user names, but their passwords as well. When it comes to personal credentials it’s better to be safe than sorry. The bug itself seems to be patched right now, but that doesn’t mean you weren’t affected. Consumers have been told to act as if they have been breached, just in case, because if you have been and it seems like you haven’t, the attacker could stay patient before they get to work.
Although there has been a rather tedious debate about this problem, it seems as if this isn’t the first time this has happened. The bug itself has been around for two years, which must be saying something about the teams that find and remove these bugs from the system. Many people are incredibly surprised that the bug is only being found right now, mainly because the OpenSSL code is open source and has been looked over by tons (upon tons) of people. This not only speaks volumes about the security teams that prevent these issues, but also about those who have to write the security software as well. If this took two years to find, what other potential bugs could there be in the system that expose information? It feels like there needs to be a system in place that reviews software, because these types of things really aren’t great for society as a whole. If you can’t trust the security you’re presented with online, you’re not going to be very reliable as a consumer. If you can’t sell your products because they aren’t safe, you can’t maintain a business. It’s almost like a vicious circle.
This isn’t the first bug relating to information being leaked, or the first to test the trust of the internet as a whole (and it probably isn’t going to be the last one we see, either). Many people use the internet and have little worry when it comes to their security online, but hopefully this bug opened their eyes to the bigger picture; there are most definitely things to worry about while surfing the web. There have been reports of attackers who use this attack getting information from Facebook accounts, as well as other social media outlets like Twitter and MySpace. As if that wasn’t scary enough, other attackers have reportedly been getting their hands on bank information, which could obviously turn somebody’s life into shambles rather quickly. One final thing to note would be the fact that a fix wasn’t developed until sometime after the initial find, which just exposed users to a higher risk of having their security breached. I don’t know about you, but I may have to start sleeping with garbage bags over my windows (maybe some aluminum foil if I’m feeling fancy).
How to Protect Yourself
- Make sure that you’re aware: check whether any of the applications (as well as websites) you use on a daily basis have made use of OpenSSL. If they do make use of it, see whether they were vulnerable to the attack or not. Most sites have an update pertaining to the issue, so you should be able to tell right away whether a site has been attacked. Another thing you could do is use this site, as it’s rather efficient and quick.
- Make sure that you regenerate any private keys you’ve made use of (this applies to any sites you may run). If your keys were leaked while your version of OpenSSL wasn’t patched, it could lead to problems in the long run, as the attackers still have the ability to monitor the data (meaning they could intercept it if they please) even after the initial attack is done.
- Update your OpenSSL, as if this wasn’t blatantly obvious! If you don’t update your OpenSSL you’re going to leave all of your information exposed to attackers. Although this is an automatic process for most places, the update should still be applied. Just to be sure, you should have version 1.0.1g or higher.
- Be sure that you check up on your SSL configurations on your websites and your mail providers. There are plenty of sites available that will allow you to check them quickly and effortlessly, so make use of these to have a smoother experience.
- Be smart about your endeavours online. If there’s anything this whole article taught you, it’s that the security issues online are definitely there. Whether it’s simply changing your password every now and then or going all out on web security, you should have some sort of security routine that’s going to help you avoid these types of situations (in the future, that is).
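
To go with the "1.0.1g or higher" advice in the list above, here is a small shell check that classifies the banner printed by `openssl version`. It is an added example, not part of the original article; the function name `heartbleed_status`, its output labels and the sample banners are made up for illustration.

```shell
#!/bin/sh
# heartbleed_status "<banner>" prints one of:
#   affected   upstream 1.0.1 through 1.0.1f (below the article's 1.0.1g)
#   fixed      1.0.1g or later, or a later release branch
#   pre-1.0.1  older branch (0.9.x, 1.0.0); the bug arrived with 1.0.1
#   unknown    not an OpenSSL release banner, or a beta/dev build
heartbleed_status() {
    # Field 2 of e.g. "OpenSSL 1.0.1f 6 Jan 2014" is the version.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    ver=${ver%-fips}    # some builds report e.g. 1.0.1e-fips
    case "$ver" in
        ''|*-beta*|*-dev*|*-pre*)       echo unknown ;;
        1.0.1|1.0.1[abcdef])            echo affected ;;
        1.0.1[ghijklmnopqrstuvwxyz])    echo fixed ;;
        0.*|1.0.0*)                     echo pre-1.0.1 ;;
        1.0.[2-9]*|1.[1-9]*|[2-9].*)    echo fixed ;;
        *)                              echo unknown ;;
    esac
}

# Caveat: some distribution packages carry the fix without changing the
# letter in this banner, so "affected" means "confirm with the package
# changelog", not proof that the build is vulnerable.

# Constructed sample banners (not captured from real systems).
# On a live host: heartbleed_status "$(openssl version)"
for banner in \
    "OpenSSL 1.0.1f 6 Jan 2014" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 0.9.8y 5 Feb 2013" \
    "LibreSSL 2.8.3"
do
    printf '%-34s %s\n' "$banner" "$(heartbleed_status "$banner")"
done
```

The banner only describes the `openssl` command-line binary; a web or mail server may be linked against a different copy of the library, so check the version each service actually loads.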