What it is…
Last week, a nasty bug, Heartbleed, was found in OpenSSL version 1.0.1 (released April 19, 2012). OpenSSL allows for the encrypted transfer of data (usernames, passwords, cookies, etc.) from users to website servers. There are several versions of OpenSSL, but the one I just mentioned is very popular. The actual percentage of servers affected varies depending upon who you happen to read or talk to, so let’s just agree that it was a lot of servers, and certainly enough to make you concerned about the current level of security of your computer and/or local network.
Here is a very good explanation from Engadget about how Heartbleed actually works:
“Heartbleed exploits a built-in feature of OpenSSL called heartbeat. When your computer accesses a website, the website will respond back to let your computer know that it is active and listening for your requests: this is the heartbeat. This call and response is done by exchanging data. Normally when your computer makes a request, the heartbeat will only send back the amount of data your computer sent. However, this is not the case for servers currently affected by the bug. The hacker is able to make a request to the server and request data from the server’s memory beyond the total data of the initial request, up to 65,536 bytes.
The data that lives beyond this request “may contain data left behind from other parts of OpenSSL” according to CloudFlare. What’s stored in that extra memory space is completely dependent on the platform. As more computers access the server, the memory at the top is recycled. This means that previous requests may still reside in the memory block the hacker requests back from the server. Just what might be in those bits of data? Login credentials, cookies and other data that may be exploitable by hackers.”
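The mechanism the quote describes comes down to one missing comparison: the heartbeat header carries a 2-byte payload length, and the vulnerable code copied that many bytes without checking whether the record it had received was actually that long. The following Python model is an added example, not Engadget's text or OpenSSL's source. It lays out a heartbeat record (1-byte type, 2-byte big-endian length, payload, at least 16 bytes of padding, as RFC 6520 specifies) in a constructed bytearray that stands in for process memory, with some constructed "leftover" bytes after it. The function names, the sample strings and the idea of modelling memory as a bytearray are all assumptions of this example; the bounds check in `handle_heartbeat_checked` mirrors the one the OpenSSL fix added: the claimed payload plus header and minimum padding must fit inside the record actually received.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def build_heartbeat(claimed_length, payload, padding=b"\x00" * MIN_PADDING):
    """Assemble a heartbeat request record: type, 2-byte payload_length, payload, padding.

    claimed_length is a separate argument so a caller can construct a record whose
    header overstates the payload it actually carries (the malformed case Heartbleed hit).
    """
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_length) + payload + padding


def parse_header(memory):
    """Read the type byte and the 2-byte big-endian payload_length from the record start."""
    hbtype = memory[0]
    (claimed,) = struct.unpack("!H", bytes(memory[1:3]))
    return hbtype, claimed


def handle_heartbeat_unchecked(memory, record_length):
    """Toy model of the vulnerable handler (assumption: record sits at memory[0:record_length]).

    It trusts the header's payload_length and copies that many bytes starting at the
    payload, so a header that claims more than was sent reads past the record into
    whatever the process had lying around after it. record_length is deliberately unused.
    """
    hbtype, claimed = parse_header(memory)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    echoed = bytes(memory[3:3 + claimed])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", claimed) + echoed


def handle_heartbeat_checked(memory, record_length):
    """Same handler with the length check the fix added: the message is discarded
    unless header + claimed payload + minimum padding fit inside the received record."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None  # too short to even hold a valid heartbeat
    hbtype, claimed = parse_header(memory)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed + MIN_PADDING > record_length:
        return None  # header claims more payload than the record actually carries
    echoed = bytes(memory[3:3 + claimed])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", claimed) + echoed


def demo():
    """Run both handlers on an honest request and on one whose header overstates
    its payload. Returns {name: (unchecked_response, checked_response)}."""
    # Constructed sample data: bytes left behind in memory by an earlier connection,
    # standing in for what CloudFlare called "data left behind from other parts of OpenSSL".
    leftover = b"user=alice&password=constructed-sample"
    honest = build_heartbeat(5, b"hello")                    # header matches the 5-byte payload
    oversized = build_heartbeat(5 + len(leftover), b"hello")  # header claims 43 bytes, sends 5
    results = {}
    for name, record in (("honest", honest), ("oversized", oversized)):
        memory = bytearray(record + leftover)  # the record, then the leftover bytes
        results[name] = (
            handle_heartbeat_unchecked(memory, len(record)),
            handle_heartbeat_checked(memory, len(record)),
        )
    return results


if __name__ == "__main__":
    for name, (unchecked, checked) in demo().items():
        print(f"{name:9s} unchecked -> {unchecked!r}")
        print(f"{name:9s} checked   -> {checked!r}")
```

For the honest request both handlers return the same 5-byte echo. For the oversized one the unchecked handler hands back the padding and the constructed leftover bytes, while the checked handler returns `None` and sends nothing, which is exactly what "the heartbeat will only send back the amount of data your computer sent" should have guaranteed.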
How dangerous is it…
What is the current level of risk? Again from Engadget:
“…even if hackers knew about the (Heartbleed) problem (something that hasn’t been confirmed, aside from by our friends at the NSA, apparently), the chances of them getting your password, and being able to match up that data to your username are pretty slim. Some people claim that the encryption certificates for servers (a technology that allows us to confirm that a website is in fact what it says it is) could have been stolen, but the company CloudFlare has said it’s very difficult to do. It published a challenge to whoever could steal this key, and it appears that someone did, during a server reboot. Regardless of the probability, companies are changing encryption keys so new data is not vulnerable if somebody was able to obtain the old keys.”
Even though Heartbleed isn’t quite as scary as many of the media pundits first thought, three things make it prudent for users (you and me) to take some preventative measures against any exploits that may have materialized from it: the large number of sources (servers using OpenSSL v. 1.0.1); the Titanic-sized gaping hole in OpenSSL security created by the bug, which potentially gave “bad guys” ready access to zillions of bits of personal information; and the length of time the hole remained open (since April 19th, 2012).
What you should do…
The best way to protect yourself is simply to change your passwords on your internet accounts. Ouch! If you are like me, you could have a lot of internet accounts. Let the amount of concern you have for the risk of attack from a Heartbleed exploit be your guide as to how many passwords you want to change. Here is what I did:
- I immediately changed the passwords for all my major accounts – ones that I felt an exploit would do the most damage to, i.e., online banking, PayPal, Google, Apple ID, Amazon, etc.
- Because I have a lot of online accounts, I use a password manager: LastPass. I have used LastPass for over a year now, and I have found LastPass invaluable. One of the multitude of features of LastPass is a security check it will run on all the sites you have listed with passwords. To run the check, go to “Tools” from the drop-down menu, and then go to “Security Check”. The security check does many things, and, germane to our discussion today, it checks for sites that might be affected by Heartbleed. When the check is done, LastPass will provide a list of sites needing password changes. Pretty cool!!!
- Finally, I installed “Chromebleed Checker” from the Chrome Store, and, not surprisingly, the program runs in the Chrome web browser. Should you land on a site that does not have a safe version of OpenSSL, Chromebleed will let you know.