BY: NATHAN COLEMAN
This month, perhaps one of the largest security threats in the history of the Internet was discovered.
This threat has been named the Heartbleed bug, since it was caused by a flaw in something called the Heartbeat extension of the Internet security software OpenSSL. Approximately 17 percent of secure Internet servers were vulnerable to it when Heartbleed was initially discovered and made public knowledge.
Heartbleed was discovered as a programming flaw in a version of OpenSSL that allowed hackers to steal arbitrary memory from a web server. Hackers could read data stored on web servers that was intended to be secure, such as passwords, credit card numbers and encryption keys. This effectively turned a large number of secure servers into open books. Heartbleed’s impact and severity cannot be overstated.
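The bounds check whose absence caused Heartbleed, shown here as an added example in C (not code from the article or from OpenSSL; the simplified record layout, the function names and the two sample requests are constructed assumptions): a heartbeat handler must verify that the payload length a client claims actually fits inside the bytes it received before echoing anything back.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_HEADER_LEN  3   /* 1-byte message type + 2-byte payload length */
#define HB_PADDING_LEN 16  /* minimum padding RFC 6520 requires after the payload */
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Constructed sample requests (not real captures): both carry the 4-byte payload
 * "ping" plus 16 bytes of padding, but the second claims a 65535-byte payload. */
const uint8_t hb_good_req[23]      = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
const uint8_t hb_overclaim_req[23] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

/* Payload length the sender claims in the header, or -1 if no header fits. */
static int hb_claimed_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return -1;
    return (rec[1] << 8) | rec[2];
}

/* The check the OpenSSL fix added: header + claimed payload + minimum padding must
 * fit in the bytes actually received, otherwise the echo would read past the record. */
int hb_record_ok(const uint8_t *rec, size_t rec_len) {
    int claimed = hb_claimed_len(rec, rec_len);
    if (claimed < 0 || rec[0] != HB_REQUEST) return 0;
    return (size_t)claimed + HB_HEADER_LEN + HB_PADDING_LEN <= rec_len;
}

/* Echoes the payload into out. Returns the response length, or 0 (writing nothing)
 * when the request is malformed or the output buffer is too small. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (!hb_record_ok(rec, rec_len)) return 0;
    size_t payload = (size_t)hb_claimed_len(rec, rec_len);
    size_t need = HB_HEADER_LEN + payload + HB_PADDING_LEN;
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);  /* bounded by the check above */
    memset(out + HB_HEADER_LEN + payload, 0, HB_PADDING_LEN);   /* real OpenSSL uses random padding */
    return need;
}

int main(void) {
    uint8_t out[64];
    printf("well-formed request: %zu-byte response\n",
           hb_build_response(hb_good_req, sizeof hb_good_req, out, sizeof out));
    printf("over-claimed length: %zu-byte response (rejected)\n",
           hb_build_response(hb_overclaim_req, sizeof hb_overclaim_req, out, sizeof out));
    return 0;
}
```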
Some of the major services affected were Yahoo, Gmail, Dropbox, Wikipedia, USAA, Netflix and possibly Facebook. Fortunately, Amazon, eBay, PayPal and the major banks were not affected.
At this point, most companies affected should have upgraded to a newer version of OpenSSL that has this bug fixed. However, the damage may already be done.
The details are rather technical, but in short, SSL (Secure Sockets Layer) is a protocol for providing secure channels for online communication. Whenever you see HTTPS in the address bar of the browser, it is using SSL to encrypt the data sent between you and the website. OpenSSL is a software library in widespread use that implements this security standard for web servers – computers dedicated to hosting a website.
The best way to protect your information now is to change your passwords on sites that might have been vulnerable to the bug. This is serious – change your passwords. It’s always a good idea to change passwords periodically, and right now there’s a serious chance that many of your passwords have been compromised.
While changing your passwords should be sufficient protection at this point, the implications of Heartbleed reach much further. For instance, two inside sources claimed that the NSA discovered this bug a while ago, but chose to exploit it instead of making it public. The NSA denied this, but it hints at some of the possible ramifications of such a widespread security flaw.
Based on security audits done by researchers, it has been reported that some attackers may have exploited this flaw for at least five months before its public discovery. The immense scope of this bug makes it likely that it will take months of sorting out to get a clear picture of its consequences.
This situation reminds us to keep on our toes when it comes to online security. While we cannot prevent every security risk, developing good security habits is a worthwhile pursuit. We can do this by choosing strong passwords (and changing them fairly often), sticking to reputable sites like Amazon for online shopping, and keeping an eye out for suspicious usage of our credit cards or online accounts.
The amount of personal and financial information many of us store online is staggering, and this event serves as a reminder that we can’t take security for granted.
The take-away from this article is this: make sure to change your passwords as soon as you can, even though it’s admittedly a hassle. It’s easier to change your passwords than to explain to your bank that it wasn’t actually you who bought that nice beachfront house in Fiji with your credit card.