
Heartbleed: What You Need to Know about This Internet Security Threat

Screenshot from http://heartbleed.com/

Change your passwords!

This was the apparent directive disseminated by many tech news sites as information about Heartbleed emerged. Heartbleed, a major OpenSSL vulnerability, was first reported on April 7, or around the second week of April. It has now become such a major concern that security experts are advising everyone to change their online account passwords to be safe.

What is Heartbleed? What are its dangers? How do you know if you are affected? You are probably asking these along with a number of other questions about this newly discovered Internet security threat. The following series of questions and answers concisely presents everything you need to know.

So what is Heartbleed?

Heartbleed is a major Internet security bug because it affects the very thing that is supposed to provide one of the most reliable layers of protection online: OpenSSL. An overwhelming majority of supposedly secure online traffic is “secured” by OpenSSL. The very existence of Heartbleed paves the way for the stealing of data protected by SSL/TLS encryption.

Heartbleed enables anyone who knows about the OpenSSL vulnerability to read the memory of systems protected by the OpenSSL software. The data exposed this way include usernames and passwords, PIN codes, and bank account and credit card numbers. Heartbleed also enables eavesdropping on presumably secure communications and information transmissions. In technical terms, what Heartbleed leaks are primary key material, secondary key material, protected content, and collateral.

Heartbleed is officially referred to as CVE-2014-0160, where CVE stands for Common Vulnerabilities and Exposures, the standard for Information Security Vulnerability Names managed by MITRE.

By Χρήστης:Chggr.Chggr at el.wikipedia [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], from Wikimedia Commons

Why is it called Heartbleed? And seriously, it really has its own logo?

The name comes from the nature of the risk. Heartbleed affects the implementation of the Heartbeat extension (RFC 6520) of the Transport Layer Security protocols (TLS/DTLS). Exploiting this extension leads to a memory leak from the server to the client and vice versa.
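To make the leak concrete, here is an added example (not OpenSSL's code, and going one step beyond the article) of the receiver-side check RFC 6520 requires: a heartbeat message carries its own payload length, and a message whose stated length does not fit inside the record must be dropped. The affected OpenSSL releases trusted the length field instead. The function names and sample records are constructed for illustration.

```python
import struct

HEADER_LEN = 3      # 1-byte type + 2-byte payload_length (RFC 6520)
MIN_PADDING = 16    # RFC 6520: padding is at least 16 bytes
HB_REQUEST, HB_RESPONSE = 1, 2


def parse_heartbeat(record: bytes):
    """Return (msg_type, payload) for a well-formed message, else None.

    `record` is the decrypted heartbeat record body as received. None means
    "discard silently", which RFC 6520 requires when payload_length does
    not fit inside the record.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    msg_type, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HB_REQUEST, HB_RESPONSE):
        return None
    # The bounds check: trust the bytes actually received, not the field.
    if HEADER_LEN + claimed + MIN_PADDING > len(record):
        return None
    return msg_type, record[HEADER_LEN:HEADER_LEN + claimed]


def build_response(record: bytes):
    """Echo the payload of a valid request; None if it must be dropped."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HB_REQUEST:
        return None
    payload = parsed[1]
    # Padding is random in a real stack; zeros keep this example repeatable.
    header = struct.pack("!BH", HB_RESPONSE, len(payload))
    return header + payload + bytes(MIN_PADDING)


# Constructed sample records (not captured traffic).
WELL_FORMED = struct.pack("!BH", HB_REQUEST, 5) + b"hello" + bytes(16)
OVERSTATED = struct.pack("!BH", HB_REQUEST, 0x4000) + b"hi" + bytes(16)

if __name__ == "__main__":
    print(build_response(WELL_FORMED))  # echoed payload plus padding
    print(build_response(OVERSTATED))   # None: length field exceeds record
```
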

Regarding the unusually good-looking Heartbleed logo, there is no clear explanation of how or why there was a logo (which has now become quite popular). As can be inferred from the investigation made by TechCrunch’s John Biggs, the possible explanation for the development of such a logo (or the apparent “branding” of the security risk) is that someone just wants to capitalize on the publicity created by Heartbleed, or at least ride on the popularity bandwagon.

What is the extent of the risk?

OpenSSL accounts for a great majority of the security software used by active sites worldwide. It is employed by email servers, chat servers, VPNs, network appliances, and various client-side software. As such, the likelihood of your online accounts being affected is very high.

How do you check a site for Heartbleed risk?

The following versions of OpenSSL ARE NOT affected by the bug:

  • OpenSSL 1.0.1g

  • OpenSSL 1.0.0 branch

  • OpenSSL 0.9.8

Only OpenSSL 1.0.1 through 1.0.1f are affected by Heartbleed. But of course, most people are unlikely to be familiar with these details. Thankfully, a page called “Heartbleed Test” was created to test websites for their Heartbleed risk. Entering a URL in the given field and clicking “Go!” will check the URL for CVE-2014-0160, the Heartbleed bug. It is also possible to test a specific port with the tool. You just have to add a colon and the port number to the URL (example: “www.testsite.com:4433”).
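For administrators who can read the version string directly, the version ranges listed above translate into a small triage script. This is an added example, not part of the original article or of any OpenSSL tooling; the host names and version strings in the inventory are constructed, and releases the article does not list are reported as "not-listed" rather than guessed.

```python
import re

# Matches `openssl version` output ("OpenSSL 1.0.1e 11 Feb 2013") and the
# token some servers put in a banner ("... OpenSSL/1.0.1e").
_OPENSSL = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify(text: str) -> str:
    """Map a version string onto the ranges given in the article."""
    m = _OPENSSL.search(text)
    if m is None:
        return "unparsed"
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)  # "" for the base release, e.g. plain 1.0.1
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is fixed.
        return "affected-range" if letter <= "f" else "fixed"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not-affected"
    return "not-listed"


def hosts_to_review(inventory: dict) -> list:
    """Hosts whose reported version falls in the affected range."""
    return sorted(h for h, v in inventory.items()
                  if classify(v) == "affected-range")


# Constructed inventory: host -> version string collected from that host.
INVENTORY = {
    "www.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "vpn.example.test": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy.example.test": "Apache/2.2.22 (Unix) OpenSSL/0.9.8y",
    "proxy.example.test": "nginx/1.4.7",
}

if __name__ == "__main__":
    for host in hosts_to_review(INVENTORY):
        print(host, "->", classify(INVENTORY[host]))
```

A result of "affected-range" is a prompt to check the vendor's patch level, not proof of exposure: some distributions shipped the fix without changing the upstream version letter.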

Screenshot from http://filippo.io/Heartbleed/

What is the best defense against Heartbleed?

The most sensible thing to do is to change your passwords. Even if a site tests negative on the online tool mentioned above, it’s possible that the site (your bank’s, for example) had already implemented changes by the time you did the test. Your data may have already been obtained months ago. The Heartbleed bug is said to have been in existence for two years now. Changing your passwords will be tedious, especially if you have a multitude of them. However, if you want to stay secure, it only makes sense to change them.

We are very unlikely to run out of Internet security risks. That’s why it’s important to stay updated and to promptly react and institute the solutions necessary to avoid becoming a victim. The threat of Heartbleed can be worse than the risks associated with Windows XP.