Many of you may have heard about the recent “Heartbleed Virus” and, quite fairly, you may be extremely scared or what we call here in Australia “Goin’ Off Ya Nut”. While it may just sound like someone who’s just broken up with their partner and gone on a mad computer hacking frenzy, this is serious business and you need to know what is going on or you could be caught out.
So What Is Heartbleed?
‘Heartbleed’ is a weakness in OpenSSL, the open-source encryption standard used by the majority of sites on the web that need to send and receive data that users of the site want to keep encrypted (secure). It is most commonly used in emails, e-commerce transactions and IM programs.
It encrypts data that is sent and received. What this means is that anyone who intercepts the data along the way will see a whole bunch of gibberish and will (unless they have a degree in reverse computer engineering) not have any chance at understanding what is being transmitted.
Every now and then, a computer may want to check that there is still another computer connected to its SSL connection, so it will send out what’s known as a “heartbeat,” that is, a small packet of data that asks for a response should the computer still be connected. Due to a coding error in OpenSSL, researchers managed to send a data packet disguised as one of these ‘heartbeats’ which was able to request data from the other computer’s memory instead of a standard heartbeat response.
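To make the “coding error” concrete, here is an added example (not code from the original post and not OpenSSL’s own source): a cut-down model of a heartbeat responder using the RFC 6520 message layout (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding). The unchecked handler trusts the length field in the request, so a request that claims a bigger payload than it actually carries gets answered with whatever happens to sit next to it in memory; the checked handler adds the single comparison that closes the hole. The function names, the 64-byte “staging” buffer standing in for process memory, and the sample “SECRET-SESSION-COOKIE” bytes are all constructed for this illustration.

```c
/* Added example: simplified TLS heartbeat responder showing the missing
 * bounds check behind Heartbleed. Not OpenSSL code; all names and sample
 * data below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

/* Simulated process memory: the received record is placed at the start of
 * this buffer, and whatever follows it stands in for neighbouring data. */
static uint8_t staging[64];

/* The vulnerable pattern: the 16-bit length field in the request is trusted
 * and that many bytes are copied into the reply, regardless of how many bytes
 * actually arrived. Reads stay inside `staging` only because simulate() sizes
 * the reply buffer to fit; a real server would read past the record into
 * whatever memory lies beyond it. */
size_t heartbeat_unchecked(const uint8_t *rec, size_t rec_len,
                           uint8_t *reply, size_t reply_cap)
{
    (void)rec_len;  /* the real record length is never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len > reply_cap) return 0;
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, payload_len);  /* over-reads when payload_len is a lie */
    return 3 + payload_len;
}

/* The fixed pattern: the claimed payload, plus header and padding, must fit
 * inside the record that was actually received; otherwise the message is
 * silently discarded, which is what the OpenSSL fix does. */
size_t heartbeat_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *reply, size_t reply_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len + HB_PADDING > rec_len) return 0;    /* the bounds check */
    if ((size_t)3 + payload_len + HB_PADDING > reply_cap) return 0;  /* reply must fit too */
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, payload_len);
    memset(reply + 3 + payload_len, 0, HB_PADDING);  /* real code would use random padding */
    return 3 + payload_len + HB_PADDING;
}

/* Builds the simulated memory and runs one handler. `claimed_len` is the
 * value written into the request's length field; the payload actually sent
 * is always the 5-byte "hello". Returns the reply length (0 = rejected). */
size_t simulate(uint16_t claimed_len, int use_checked,
                uint8_t *reply, size_t reply_cap)
{
    if (reply_cap > sizeof staging) return 0;  /* keeps the unchecked read inside staging */
    memset(staging, 0, sizeof staging);
    staging[0] = HB_REQUEST;
    staging[1] = (uint8_t)(claimed_len >> 8);
    staging[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(staging + 3, "hello", 5);
    memset(staging + 8, 0xAA, HB_PADDING);
    size_t rec_len = 3 + 5 + HB_PADDING;   /* 24 bytes really received */
    /* Constructed "neighbouring" memory that a correct responder must never echo. */
    memcpy(staging + rec_len, "SECRET-SESSION-COOKIE=42", 24);
    return use_checked ? heartbeat_checked(staging, rec_len, reply, reply_cap)
                       : heartbeat_unchecked(staging, rec_len, reply, reply_cap);
}

int main(void)
{
    uint8_t reply[48];
    size_t n = simulate(40, 0, reply, sizeof reply);
    printf("unchecked, claimed 40: %zu reply bytes, bytes 24..29 = %.6s\n", n, reply + 24);
    n = simulate(40, 1, reply, sizeof reply);
    printf("checked,   claimed 40: %zu reply bytes (request discarded)\n", n);
    n = simulate(5, 1, reply, sizeof reply);
    printf("checked,   honest 5:   %zu reply bytes\n", n);
    return 0;
}
```

The only difference that matters is the comparison against `rec_len` in `heartbeat_checked`: with an honest length of 5 both handlers answer normally, but a request claiming 40 bytes makes the unchecked handler hand back 19 bytes of the neighbouring “SESSION-COOKIE” data, while the checked one returns nothing. This is also why the bug leaves no trace: a lying length field is a perfectly well-formed message from the server’s point of view, so nothing is logged unless the handler itself decides the request is malformed.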
The vulnerability was first reported to the team behind OpenSSL by Google Security researcher Neel Mehta, and independently found by security firm Codenomicon. According to the researchers who discovered the flaw, the code has been in OpenSSL for approximately two years, and utilising it doesn’t leave a trace.
Could I Be At Risk?
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.
What’s the Big Deal?
On a scale of 1 to 10 on the “How Bad Could It Possibly Be Scale”... we’re at about 4378. This is beyond bad. Servers store a lot of stuff in their active memory, things such as:
- User Uploaded Files &
- According to Vox.com’s Timothy Lee, even credit card numbers can be found on certain servers.
But to add further fuel to the fire, the error has made it possible for hackers to steal encryption keys, the codes used to turn gibberish encrypted data into readable information. With encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.
So What Can I Do Now To Protect Myself?
Just when all seemed lost, we’re here with some solutions for you. Put the tissues away, stop crying and start fixing this issue.
The issue has been around for the past two years. So don’t bother thinking that you may not have been affected. Pretend you were. Do the following to ensure your safety:
- Change ALL your passwords
- Backup ALL your private data
- Make sure you have contacted your service provider to find out the scale of the damage on their end
Thankfully, the creators of OpenSSL were told about the issue a week before any public announcements were made. This means that the fix was written and deployed before we even found out about it; however, due to the long-standing nature of the issue, we were informed so we could perform damage control.