Heartbleed in English

This post is intended for “regular” users of the internet, not IT professionals or site administrators.*

Short Story

There’s currently a HUGE internet security flaw, dubbed “heartbleed”, out there and you’re likely impacted. Don’t log in to any site until you know they’re secure (read more below). After the sites are patched, you’ll want to change some passwords – including at some big sites like Google, Yahoo, and Facebook.

What is it?

On any website where you have a user-specific account that you “log into” (social media sites like facebook, banks, shopping sites, etc.), the traffic between your computer and that website is secured by something called SSL. If the website name in the address bar at the top of your browser starts with “https:” instead of just “http:” then the traffic is being sent via SSL. Data protected with SSL looks totally scrambled and is undecipherable to anyone but you and the intended website.

In order for a website to do SSL, their servers (computers) need to know how to encrypt/decrypt data and do a bunch of complex mathematical algorithms. Rather than every company trying to write their own software for that, they use standard SSL software packages.

One of the most commonly used SSL software packages is called OpenSSL. It is used by 2/3 of the websites on the internet (and also by email systems, chat services, etc.).

Just like with any other software, new versions of OpenSSL are released over time. Some companies decide to download the latest version and install it to their servers and some do not.

On March 14, 2012, a version of OpenSSL (version 1.0.1) was released that had a bug in it. Technically the bug was in a portion of the software called the “heartbeat” (which is where the name for the “heartbleed” bug comes from). The bug was still there in subsequent versions of OpenSSL (versions 1.0.1a – 1.0.1f). This bug was just recently discovered by internet security professionals (over two years after it was introduced). The bug has been fixed in the latest version (1.0.1g).

If a website has one of these flawed versions of OpenSSL, a bad guy can pretty easily read all the data out of the memory of that server. This includes usernames and passwords for people logged in to the website. The data could also include credit card numbers and other sensitive data, but really, if someone gets your username and password, they can log in as you and see or edit everything on the service that you can see or edit.
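For readers who want to see what “a bug in the heartbeat” actually means in code, here is an added illustration (written for this edit, not OpenSSL’s own source). A TLS heartbeat message carries a two-byte field saying how long its payload is, and the server echoes that many bytes back. The flaw in OpenSSL 1.0.1 through 1.0.1f was that the server trusted that number without checking that the message really contained that many bytes, so a short message claiming a long payload got answered with whatever happened to sit next to it in memory; 1.0.1g added the missing check. The simulated “memory”, the marker string standing in for leaked data and the function names are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     256

/* Constructed stand-in for a slice of server memory: the received record sits at
 * the front; everything after it belongs to other parts of the program. */
typedef struct {
    unsigned char mem[MEM_SIZE];
    size_t record_len;            /* bytes that actually arrived on the wire */
} sim_memory;

/* Constructed marker so an over-read is easy to spot; not real credentials. */
static const char SECRET[] = "CONSTRUCTED-SECRET:user=alice;pw=hunter2";

/* Builds a request that claims `claimed_len` payload bytes but really carries
 * `actual_len`, and places the marker string right after the record. */
static void build_request(sim_memory *m, uint16_t claimed_len, size_t actual_len)
{
    memset(m->mem, 'X', MEM_SIZE);                 /* filler: unrelated memory contents */
    m->mem[0] = HB_REQUEST;
    m->mem[1] = (unsigned char)(claimed_len >> 8);
    m->mem[2] = (unsigned char)(claimed_len & 0xff);
    memset(m->mem + 3, 'p', actual_len);            /* the payload that is really present */
    m->record_len = 3 + actual_len + HB_PADDING;
    memcpy(m->mem + m->record_len, SECRET, sizeof SECRET - 1);
}

static uint16_t read_len(const unsigned char *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: echoes as many bytes as the peer *claims*. Returns the
 * response length. The memcpy walks past the real record when the claim lies. */
static int heartbeat_vulnerable(const unsigned char *rec, unsigned char *out)
{
    uint16_t payload_len = read_len(rec);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler: trusts the length field only after confirming the record is big
 * enough to hold type + length + payload + padding. Returns -1 (message silently
 * discarded) when it is not. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                                  /* too short even for an empty payload */
    uint16_t payload_len = read_len(rec);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;                                  /* claimed payload does not fit */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* 1 if the response bytes contain the marker string, i.e. memory leaked. */
static int response_leaks_secret(const unsigned char *out, int out_len)
{
    size_t n = sizeof SECRET - 1;
    for (int i = 0; out_len > 0 && i + (int)n <= out_len; i++)
        if (memcmp(out + i, SECRET, n) == 0)
            return 1;
    return 0;
}

/* Scenario: a 4-byte payload whose length field claims 120 bytes. */
static int vulnerable_leaks(void)
{
    sim_memory m; unsigned char out[MEM_SIZE + 3 + HB_PADDING];
    build_request(&m, 120, 4);
    return response_leaks_secret(out, heartbeat_vulnerable(m.mem, out));
}

static int fixed_result(void)
{
    sim_memory m; unsigned char out[MEM_SIZE + 3 + HB_PADDING];
    build_request(&m, 120, 4);
    return heartbeat_fixed(m.mem, m.record_len, out);
}

int main(void)
{
    printf("vulnerable handler leaked marker: %s\n", vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler: %s\n", fixed_result() < 0 ? "request discarded" : "answered");
    return 0;
}
```

Running it shows the vulnerable handler echoing the marker string that was never part of the request, while the fixed handler drops the lying request; an honest request (claimed length equal to the real payload) is answered identically by both. This is also why the page’s advice holds: the bad data leaves no error or log line, because from the server’s point of view it just answered a heartbeat.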

Another problem with this vulnerability is that when such a security breach happens, it leaves no trace in the security logs of the server, so the company has no idea if someone just stole all their data.

Even though this vulnerability was out “in the wild” for over 2 years, it may be that no “bad guys” knew about it until it was publicly disclosed just a couple days ago. However, now that everyone knows about it, it’s a free-for-all. All the bad guys, and organizations like the NSA, are likely filling huge disc drives with tons of user data from the still-vulnerable websites.

Many websites were never vulnerable – they either don’t use OpenSSL, or they don’t use the “heartbeat” portion, or they never upgraded to one of the flawed versions. But many sites did use one of the flawed versions at one point. If a website used one of the flawed versions, even if it recently upgraded to the fixed version, there’s no way to know whether some bad guy did or didn’t steal the server’s data when it was using the flawed version.

What should I do?

  1. Don’t log into any website until you know it’s patched.
  2. Check to see if a website you want to log into is vulnerable, is patched, or was never vulnerable in the first place (that may be hard to tell).
    • They (your bank, etc.) may have sent you a notice about this with a recommendation of what to do.
    • Use this tool to check the status of a specific site. Type in the URL (e.g. “yahoo.com” – without quotes) into the text box and it will give you some information based on what it can detect from the website’s server.
  3. Don’t use any site that’s still vulnerable. Keep checking, it could take a while for all sites to get patched.
  4. If a website is now patched, but may have been vulnerable in the past, you should log in to that site and change your password. Otherwise a bad guy might have your data (including your username and password) saved on a disc somewhere, just waiting to get around to using it.
  5. Change your password at all sites where you use the same password for multiple sites. It sucks remembering tons of passwords; so many people use the same password for many sites. The problem is, if a bad guy got your password to “stupidsite.com” and you use the same password there that you use at your banking website, they could log into your bank account, too. So even if your banking site was never vulnerable, it would still be a good idea to change that password in a case like this.
  6. As always, keep monitoring your credit, etc. for suspicious activity.

* In this article, I’m a bit loose with terminology and fuzzy with details to make things easier for the lay person to understand. If you’re a website administrator, there’s plenty of information on heartbleed. Please do your own research on heartbleed and test/patch your servers.
