What is the Heartbleed bug?
The Heartbleed Bug is a serious weakness in the popular OpenSSL cryptographic software library which affects the majority of Internet servers in the world. In simple terms, this weakness allows information thought to be protected by a Web server’s encryption to be stolen by hackers. You can learn more about the Heartbleed bug from Heartbleed.com and the other Web sites linked below.
The good news: You can protect yourself by taking action (read on).
The bad news:
- Bruce Schneier, a security expert not much given to hyperbole, called Heartbleed a “catastrophic” flaw. “On the scale of one to 10,” he wrote, “this is an 11.”
- This is a serious worldwide threat that “…allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.” (Heartbleed.com)
- CNet reported April 9 that the “‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords.”
- Bloomberg News reported April 11 that the United States National Security Agency has known about the bug for two years. Reading this article would seem to confirm that the science-fiction world George Orwell described in his 1948 novel 1984 is real, here and now.
Fixing Heartbleed: There is a two-level protection strategy. You can protect yourself by taking action.
- Fixed OpenSSL has been released. To plug the vulnerability, “Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.” (Heartbleed.com)
- If you are a user, you MUST update your password on each website AFTER the fix has been installed, because there is no way of knowing whether your previous password has been hacked before the fix was installed.
How to protect yourself:
- Read the CNet article: Heartbleed Bug – what you need to know (FAQ). This article includes information on
- How the bug was created by a PhD student named Robin Seggelmann while working on the OpenSSL project on New Year’s Eve, 2011. Seggelmann told the Guardian, “I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight.”
- Should you change your passwords: Yes, but wait for confirmation from the Website operator that the bug has been patched.
- Can I check if a site has been fixed? Two recommended sites for checking are LastPass, a company that makes password management software, and Qualys, a security firm. You can also check CNet’s list of the top 100 Web sites for their Heartbleed status at Heartbleed bug: Check which sites have been patched
- Read the CNet article How to Protect Yourself From the Heartbleed bug, and
- As soon as you learn that a vulnerable web site has been patched, change your password on that site to protect yourself.
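The “necessary validation” Seggelmann mentions above is a bounds check on the TLS heartbeat message: the peer declares a payload length in a 16-bit field, and the server must compare that field against the size of the record it actually received before echoing the payload back. The following is an added example, not code from this post or from OpenSSL; it assumes the RFC 6520 heartbeat layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) and uses constructed sample records.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding */
#define HB_HEADER_LEN   3   /* 1-byte type + 2-byte payload_length     */

/* Return 1 and set *payload_len only if the record really contains the
 * declared payload plus the mandatory padding; return 0 otherwise.
 * This is the check the vulnerable code lacked: it trusted the peer's
 * length field instead of bounding it by the record actually received. */
int hb_validate(const unsigned char *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                        /* too short for header + padding */
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Bound by the real record length, never by the peer-supplied field. */
    if ((size_t)declared + HB_HEADER_LEN + HB_MIN_PADDING > rec_len)
        return 0;                        /* would read past the buffer */
    *payload_len = declared;
    return 1;
}

/* Build the echo response from a validated request. Returns the number of
 * payload bytes copied into out, or 0 if the request was rejected. */
size_t hb_echo(const unsigned char *rec, size_t rec_len,
               unsigned char *out, size_t out_len)
{
    uint16_t plen;
    if (!hb_validate(rec, rec_len, &plen) || (size_t)plen > out_len)
        return 0;
    memcpy(out, rec + HB_HEADER_LEN, plen);
    return plen;
}

/* Constructed sample records (not captured traffic). */
/* Well-formed: type 1, length 5, payload "hello", 16 bytes of padding. */
static const unsigned char good_rec[] = { 0x01, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
/* Malformed: identical bytes, but the length field claims 0x4000 (16384). */
static const unsigned char bad_rec[]  = { 0x01, 0x40, 0x00, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

/* Demo helpers: run each sample through hb_echo. */
size_t demo_good(void) { unsigned char o[64]; return hb_echo(good_rec, sizeof good_rec, o, sizeof o); }
size_t demo_bad(void)  { unsigned char o[64]; return hb_echo(bad_rec,  sizeof bad_rec,  o, sizeof o); }
```

With the check in place the malformed request is rejected outright; without it, the server would copy 16384 bytes starting at the 5-byte payload, which is exactly the over-read that leaked server memory.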
Web security is serious business. Do your part to stop this threat.
- Web site users – read the articles and be proactive about changing your passwords once each site you use has updated its security settings. Until a site has, avoid visiting it.
- If you’re an influencer of an organization using Web services, read John Naughton’s April 13 article in The Observer: ‘Heartbleed’ bug can’t be simply blamed on coders: Human error is behind the latest threat to website security but giant corporations need to take their share of the blame.