If you’ve so much as scrolled through your Facebook news feed or tuned into a newscast the past few days you’ve likely heard the hoopla about the Heartbleed bug.
The potentially lethal bomb was dropped Monday, April 7, when it was announced that a group of engineers from Codenomicon discovered a serious vulnerability affecting a widely-used encryption protocol known as OpenSSL. It has since been described as “the most dangerous security flaw on the web,” and “the ultimate web nightmare.”
But is it really as bad as it sounds?
Put simply, the answer is yes! At least according to Bruce Schneier, cryptographer and computer security and privacy expert. He called Heartbleed potentially “catastrophic,” in an April 10 blog post. “On a scale of 1 to 10, this is an 11,” he wrote.
A hazard this huge is bound to leave you with a handful of questions. That’s why we enlisted a group of information security experts to help explain the situation in Layman’s terms and offer some advice on how you can help mitigate your risk.
What exactly is the Heartbleed bug?
Type this question into any search engine and you’ll find scores of detailed descriptions dripping with complex terminology. But unless you’re an IT pro, the acronyms and technical jargon will likely make your head spin.
So we made it a bit easier to comprehend with the help of encryption expert Mark Bower of Voltage Security. He compares Heartbleed to finding a faulty car part used in nearly every make and model. The only difference is you can’t recall the Internet and all the data you put out on it.
The bug was the result of a programming error within OpenSSL back in December 2011, explains James Jones, CIO of Saife, Inc. This means the flaw has gone undetected for more than two years. Anyone who noticed the error during that time had the ability to steal small snapshots confidential data—everything from usernames and passwords to credit card info and social security numbers are vulnerable.
Why is the Heartbleed bug so bad?
So why is news of the Heartbleed bug wreaking havoc across cyberspace? Because, unlike most cyberthreats, the bug isn’t restricted to a single website or company. In fact, it affects every website running OpenSSL version 1.0.1, which is roughly two-thirds of the Internet since 2012, according to Kellep Charles, IT security analyst at NASA.
"If deep testing isn’t being done by the good guys ... you can be sure the bad guys will find the faults first."
The vulnerability likely affected a handful of websites you use every day—Facebook, Google and Yahoo, to name a few. Any personal information disclosed on these sites may have been silently exposed and manipulated over the past two years.
What’s worse is that companies have no way of confirming whether or not their users were affected by the vulnerability, because exploitation of the bug leaves no trace of malicious activity, Charles says.
Bower says people assume certain technologies are safe just because everyone uses them, but that’s not always the case. “If deep testing isn’t being done by the good guys to make sure those parts are safe, then you can be sure the bad guys will find the faults first,” he explains.
What should you do in response to the Heartbleed bug?
The good news is that a security patch was released to repair the flaw shortly after the Heartbleed bug was announced on Monday. This correction prohibits the continuation of the vulnerability, but unfortunately there is no way to undo any damage that’s already been done.
For the most part, the onus is on IT personnel to secure their systems, revoke certificates and update login data. However, our team of experts helped us identify a few steps you can take to help avoid further risk.
1. Determine whether the sites you visit frequently have been affected
Charles advises you to retrace your steps and identify the websites you entrust with personal information. Several resources have been created (like this one) to inform you whether or not a site is vulnerable to Heartbleed. You can also download this Chrome extension called Chromebleed that warns you if a site you’re visiting has been impacted by the bug.
2. Change your passwords when directed
Once you’ve confirmed that a corrupted website has been patched and is secure, changing your password is encouraged. Our experts recommend creating a unique password for each site you visit regularly. Installing a password manager—such as Password Safe or LastPass—can help you keep track of your new passwords.
3. Be aware of potential phishing scams
Charles says to be on the lookout for suspicious messages stemming from the Heartbleed bug. If cybercriminals acquired your personal information, they may use it to con you into installing malicious software on your computer. Be mindful of the warning signs of phishing scams.
4. Keep a close eye on financial statements
Personal banking credentials and credit card information were among the data at risk of being intercepted, which means there is a high chance of fraudulent activities, Charles warns. It’s important to monitor your accounts and report any suspicious activity in the upcoming days.
Don't take the chance …
There’s no surefire way to predict the severity of the implications of the Heartbleed bug. It’s possible the engineers from Codenomicon spotted the bug before any hackers detected it. The next few weeks are sure to bring more answers.
But after hearing the warnings from information security experts, it’s clear that the potential consequences are perilous. Charles advises users to assume their information was compromised if they have used one of the affected sites.
Taking the necessary precautions to protect yourself against any detrimental effects of the Heartbleed bug is worthwhile. After all, it’s better to be safe than sorry!
Visit Heartbleed.com to find answers to more of your questions regarding the bug.
Also, check out our other article, "Privacy Expectations - The New Paradigm".