The Heartbleed Bug – a security threat you need to act on

The Heartbleed coding error may have been around for three years, affecting two-thirds of computer servers. Photograph: Pawel Kopczynski/Reuters

What is the Heartbleed bug?

The Heartbleed Bug is a serious weakness in the popular OpenSSL cryptographic software library, which affects the majority of the world's Internet servers. In simple terms, this weakness allows hackers to steal information that was thought to be protected by a Web server’s encryption. You can learn more about the Heartbleed bug from Heartbleed.com and the other Web sites linked below.

The good news: You can protect yourself by taking action (read on).

The bad news:

Fixing Heartbleed: There is a two-level protection strategy. You can protect yourself by taking action.

  • A fixed version of OpenSSL has been released. To plug the vulnerability, “Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.” (Heartbleed.com)
  • If you are a user, you MUST update your password on each website AFTER the fix has been installed, because there is no way of knowing whether your previous password was hacked before the fix was installed.

How to protect yourself:

  1. Read the CNet article: Heartbleed Bug – what you need to know (FAQ). This article includes information on:
    1. How the bug was created by a PhD student named Robin Seggelmann while working on the OpenSSL project on New Year’s Eve, 2011. Seggelmann told the Guardian, “I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight.”
    2. Should you change your passwords? Yes, but wait for confirmation from the Web site operator that the bug has been patched.
    3. Can I check if a site has been fixed? Two recommended sites for checking are LastPass, a company that makes password management software, and Qualys, a security firm. You can also check CNet’s list of the top 100 Web sites for their Heartbleed status at Heartbleed bug: Check which sites have been patched.
  2. Read the CNet article How to Protect Yourself From the Heartbleed bug.
  3. As soon as you learn that a vulnerable Web site has been patched, change your password on that site to protect yourself.

Web security is serious business. Do your part to stop this threat.

Author: V. G. Oltmann

V. G. Oltmann, MBA, CPA, CGA, CFI - Professor, Vancouver Island University 2002 - 2013 - Board Member, Association of Certified Forensic Investigators of Canada (ACFI): 2010-2013 - LinkedIn Profile: http://ca.linkedin.com/in/vgoltmann/
