Investigating the Threat of the “Heartbleed” Bug

by Jeff Wiener on April 15, 2014

The online world was staggered last week when security researchers disclosed a critical vulnerability in OpenSSL, a piece of foundational security software that much of the Internet’s core infrastructure relies on for encrypted connections. While there has been no lack of press about this new bug, ghoulishly dubbed “Heartbleed,” in a world where bugs, exploits, vulnerabilities, and hacks seem to be part of our daily life I’ve noted an amazingly casual response from the general public, prompting me to investigate this matter further to find out how worried we need to be.

The flaw was found in OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) protocol and its successor, TLS, which together are essentially “the most basic means of encrypting information on the Web.” SSL mitigates the risk of someone eavesdropping on your online activities, and OpenSSL, where the Heartbleed bug was discovered, is, sad to say, one of the most widely deployed implementations of it across the Web.

Now if that still didn’t make any sense, let me say this: while it may seem strange for companies, particularly huge multinationals, to use free open-source (publicly available and customizable) software as the foundation for security and privacy on the Internet, that’s exactly what has happened. The flaw is not something inherent to open-source software; it is a coding error in OpenSSL’s handling of one protocol feature. But anyone who knows about it can exploit it, which means users’ sensitive personal information (including usernames, passwords, and credit card numbers) has been at greater risk of interception. So is this more serious than your average security flaw? You better believe it is.

In an effort to not overstate things, the Heartbleed vulnerability, so named because it abuses a TLS extension called “heartbeat” (a keep-alive feature in which one side sends a short message and the other echoes it back) to bleed information out of servers, truly is one of the most serious threats to online security we’ve faced in the age of the Internet. The bug has been present since OpenSSL 1.0.1 was released in 2012, so affected sites were exposed for roughly two years before it was disclosed. If estimates are to be believed, almost half a million websites could be affected, and chances are that means at least some of your information somewhere on the Web is affected as well.

Now not only does this vulnerability allow attackers to read the memory of affected servers (up to 64 kilobytes per request, taken from the region where the server process keeps recently handled data such as passwords, session cookies, and even the server’s private SSL key), it lets them repeat the request as often as they like, leaching out more with each attempt. With a stolen private key, an attacker could set up a convincing impersonation of the site, or decrypt traffic captured from the real one, which in turn could yield still more of our personal data.
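To make the mechanism concrete, here is a toy model of the heartbeat exchange in C. It is an added illustration, not OpenSSL’s code and not part of the original post: the record layout follows the TLS heartbeat extension (RFC 6520), but the simulated “process memory,” the secret string placed next to the request, and the function names are all constructed for this example. The vulnerable handler reproduces only the shape of the OpenSSL bug (CVE-2014-0160): it copies as many bytes as the request claims rather than as many as actually arrived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the TLS heartbeat exchange behind Heartbleed (illustrative
 * code, not OpenSSL's). Record layout, as in RFC 6520:
 *   [type:1][payload_length:2, big-endian][payload][padding >= 16]
 * The responder must echo the payload. The bug: the copy length was taken
 * from the attacker-supplied payload_length field instead of the number of
 * bytes that actually arrived, so the echo read past the request into
 * whatever lay next in process memory.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define PADDING      16
#define MEM_SIZE     (3 + 65535 + PADDING)   /* room for any 16-bit length */

struct process_mem {
    unsigned char bytes[MEM_SIZE];   /* simulated heap: request, then neighbours */
    size_t record_len;               /* bytes that really arrived on the wire */
};

/* Constructed "neighbour" data, standing in for a cookie or key material. */
static const unsigned char SECRET[] = "session=d3adb33f; user=alice";
#define SECRET_LEN (sizeof SECRET - 1)

/* Lay out a 4-byte "ping" request whose length field says claimed_len,
 * and put SECRET immediately after the real record. */
static void build_memory(struct process_mem *m, uint16_t claimed_len)
{
    memset(m->bytes, 0, MEM_SIZE);
    m->bytes[0] = HB_REQUEST;
    m->bytes[1] = (unsigned char)(claimed_len >> 8);
    m->bytes[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(m->bytes + 3, "ping", 4);
    m->record_len = 3 + 4 + PADDING;
    memcpy(m->bytes + m->record_len, SECRET, SECRET_LEN);
}

/* Vulnerable responder: trusts the length field in the request. */
static size_t hb_respond_vulnerable(const struct process_mem *m, unsigned char *out)
{
    const unsigned char *p = m->bytes;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);          /* may read far past the record */
    memset(out + 3 + payload_len, 0, PADDING);
    return 3 + payload_len + PADDING;
}

/* Fixed responder: the claimed length must fit inside the bytes received. */
static size_t hb_respond_fixed(const struct process_mem *m, unsigned char *out)
{
    const unsigned char *p = m->bytes;
    if (m->record_len < 1 + 2 + PADDING)
        return 0;                                   /* too short to be a heartbeat */
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + PADDING > m->record_len)
        return 0;                                   /* length lies: discard silently */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);
    memset(out + 3 + payload_len, 0, PADDING);
    return 3 + payload_len + PADDING;
}

/* Does the byte string needle[0..k) occur anywhere in hay[0..n)? */
static int contains(const unsigned char *hay, size_t n, const unsigned char *needle, size_t k)
{
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(hay + i, needle, k) == 0) return 1;
    return 0;
}

/* Run one request through the chosen responder.
 * Returns -1 if the request was dropped, 1 if the echo contains SECRET, else 0. */
int heartbeat_outcome(uint16_t claimed_len, int use_fixed)
{
    static struct process_mem mem;
    static unsigned char out[MEM_SIZE];
    build_memory(&mem, claimed_len);
    size_t n = use_fixed ? hb_respond_fixed(&mem, out)
                         : hb_respond_vulnerable(&mem, out);
    if (n == 0) return -1;
    return contains(out, n, SECRET, SECRET_LEN);
}

int main(void)
{
    printf("honest length, vulnerable: %d\n", heartbeat_outcome(4, 0));
    printf("honest length, fixed:      %d\n", heartbeat_outcome(4, 1));
    printf("lying length, vulnerable:  %d\n", heartbeat_outcome(0x4000, 0));
    printf("lying length, fixed:       %d\n", heartbeat_outcome(0x4000, 1));
    return 0;
}
```

Compile with any C compiler and run: the honest 4-byte request gets a normal echo from both handlers, while the request that claims 16,384 bytes makes the vulnerable handler echo the neighbouring secret and makes the fixed handler drop the record. The check the fixed version adds is the one OpenSSL 1.0.1g added: header plus claimed payload plus padding must fit within the record that actually arrived.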

So what can we do about it? The bottom line of online security, even in this instance, remains exactly the same: change passwords and other login details. But the Heartbleed bug complicates things in that it’s so widespread, and a site is only truly fixed once it has updated OpenSSL and replaced the SSL certificate whose private key may have leaked. If a particular website hasn’t done that, changing your password there won’t mean anything, because the new one can be stolen the same way as the old.

The first step, therefore, in combating the Heartbleed bug is to find out which sites are vulnerable and which sites are safe. Notable tech website CNET offers two choices for testing tools to determine a site’s security: one from LastPass, a company that makes password management software, and one from Qualys, a security firm. CNET notes that while these tools offer some helpful preliminary information, you shouldn’t depend on them alone; a clean result only shows that a site is not vulnerable today, not that it was never exposed.

Now that said, banks and financial institutions rely on SSL/TLS like everyone else on the Web; what matters is whether the software handling their encrypted connections was a vulnerable OpenSSL build (versions 1.0.1 through 1.0.1f). Many institutions use other implementations or patched promptly, so most likely your money is safe, but check what your own bank has said rather than assume. But as I always say, educate yourself, determine your exposure to this threat, and take the necessary steps to protect yourself. Otherwise, don’t be surprised when Heartbleed comes calling.
