What is the Heartbleed Bug? And How Do I Protect Myself?
April 10, 2014
Phoenix TS Intern
What is the Heartbleed Bug?
The Heartbleed bug is not an attack in itself but a vulnerability that is being exploited to steal sensitive information across the internet: personal details and messages, financial details, user credentials, and more. The bug (officially CVE-2014-0160) is in the OpenSSL library, which provides the SSL/TLS encryption behind roughly two-thirds of the websites on the internet. OpenSSL versions 1.0.1 through 1.0.1f are affected; 1.0.1g fixes the bug, and the older 0.9.8 and 1.0.0 branches were never vulnerable.
The bug is in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520), a keep-alive feature: one side sends a heartbeat request carrying a small payload, and the other side echoes that payload back to show the connection is still alive. The request also contains a field stating how long the payload is, and vulnerable OpenSSL trusts that field without checking it against how much data actually arrived. A request that carries only a few bytes but claims a 64 kB payload makes OpenSSL copy up to 64 kB of whatever sits next to the request in its memory into the reply. That memory may contain anything the process has recently handled: message contents, usernames, passwords, session cookies, even the server's private key. An attacker can send an unlimited number of such requests and receive up to 64 kB of memory each time, and because heartbeats flow in both directions, a malicious server can read a vulnerable client's memory the same way.
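The over-read described above, reduced to a standalone C program. This is an added illustration, not OpenSSL's own code: process_heartbeat() handles a heartbeat request the way the vulnerable logic in ssl/t1_lib.c did, trusting the declared payload length, and the fixed flag adds the bounds check that the OpenSSL 1.0.1g patch introduced. The simulated memory layout, the "HAT" payload and the secret string placed after the record are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16              /* RFC 6520: at least 16 bytes of padding */
#define MEM_SIZE    (3 + 65535)     /* enough that any 16-bit claim stays inside mem[] */

/* Constructed "secret" placed immediately after the record in simulated memory.
   In a real server this would be whatever the allocator left nearby. */
static const char SECRET[] = "user=alice&password=hunter2";

/* Handle one heartbeat request at rec (rec_len bytes actually received) and
   write the reply into out. Returns the reply length, or -1 if the request is
   dropped. fixed=0 reproduces the vulnerable behaviour, fixed=1 the patched one. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap, int fixed)
{
    if (fixed && rec_len < 1 + 2 + HB_PADDING)
        return -1;                                   /* patched: drop runt records */

    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]); /* attacker-chosen length */
    const unsigned char *pl = rec + 3;

    /* The fix: the declared payload (plus header and padding) must fit in the record. */
    if (fixed && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    if (hbtype != HB_REQUEST)
        return -1;

    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);       /* the bug: copies `payload` bytes, not `rec_len` bytes */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Lay out simulated process memory: a heartbeat request whose real payload is the
   3 bytes "HAT" but which declares `claimed` bytes, followed at once by SECRET.
   Returns the number of bytes that were actually received (the true record length). */
static size_t build_memory(unsigned char *mem, uint16_t claimed)
{
    memset(mem, '.', MEM_SIZE);                  /* filler standing in for other heap data */
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(mem + 3, "HAT", 3);
    memset(mem + 6, 0, HB_PADDING);
    size_t rec_len = 1 + 2 + 3 + HB_PADDING;     /* 22 bytes on the wire */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Send a request claiming `claimed` payload bytes to the vulnerable (fixed=0) or
   patched (fixed=1) handler. Returns 1 if SECRET came back in the reply, 0 if the
   reply was clean, -1 if the handler dropped the request. */
int heartbeat_leaks(uint16_t claimed, int fixed)
{
    static unsigned char mem[MEM_SIZE];
    static unsigned char resp[3 + 65535 + HB_PADDING];
    size_t rec_len = build_memory(mem, claimed);

    int n = process_heartbeat(mem, rec_len, resp, sizeof resp, fixed);
    if (n < 0)
        return -1;

    size_t slen = strlen(SECRET);
    for (size_t i = 3; i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, honest 3-byte request:  %d\n", heartbeat_leaks(3, 0));
    printf("vulnerable, claims 64 bytes:        %d\n", heartbeat_leaks(64, 0));
    printf("vulnerable, claims 65535 bytes:     %d\n", heartbeat_leaks(65535, 0));
    printf("patched, claims 64 bytes:           %d  (-1 = dropped)\n", heartbeat_leaks(64, 1));
    printf("patched, honest 3-byte request:     %d\n", heartbeat_leaks(3, 1));
    return 0;
}
```

The honest request behaves identically on both handlers, which is why the fix could ship without breaking legitimate heartbeats; only requests whose declared length exceeds what was received are silently discarded.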
What’s the damage?
The vulnerable code shipped in OpenSSL 1.0.1 on March 14, 2012, but the bug was not found and publicly disclosed until April 7, 2014, so it was exposed for roughly two years. The affected library sits behind almost 70% of the internet's web servers, roughly 600 million websites. Security experts from Google Security and Codenomicon discovered, analyzed, and reported the bug, but still cannot be sure of its full impact. Vulnerable OpenSSL is found in servers, clients, user applications, network devices, and more. The bug can be exploited remotely without any user interaction or authentication, and a normal exploit leaves no trace in server logs. Because there is no way to tell whether a given server was attacked, experts are treating every server that ran a vulnerable version as compromised, including all 600 million websites.
What’s being done to stop it?
OpenSSL has released a fixed version, 1.0.1g, and operating-system vendors are shipping patched packages, so all server administrators are urged to update OpenSSL and restart every service that links against it (a running process keeps the old, vulnerable library in memory until it is restarted). Providers such as Amazon Web Services are being very proactive about patching their servers. Patching alone is not enough, though: because the server's private key may already have leaked, administrators should then generate a new private key, obtain a new certificate, revoke the old one, and invalidate existing session cookies and tokens.
I’m an end user; what should I do?
Change your passwords – all of them. BUT wait until each site has been patched and has issued a new certificate. If you change your password before the site is secured, the new password can be stolen just like the old one. Also, turn on two-step verification wherever it is offered, such as with Yahoo! Mail.
To get an idea of where to start, the following sites have been identified as high-risk for vulnerability to the Heartbleed bug:
A Few Helpful Tools
For an extensive FAQ, click here: http://heartbleed.com/
To see the ever-growing list of websites that have been identified as vulnerable, click here: https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt
To test a particular site, try this Heartbleed Test: http://filippo.io/Heartbleed/
We would like to say thank you to all of the security experts and ethical hackers that have been working to repair the damage of the Heartbleed Bug – this is just one more reason why we need more certified ethical hackers!