April 15, 2014

Are you 'Heartbleeding'?

Are you afraid of the internet security bug CVE-2014-0160, commonly known as “Heartbleed”?. The bug was discovered on 7 April 2014, by Google researcher Neel Mehta and security firm Codenomicon, who were working independently. It affects OpenSSL which is an open-source software package for the Secure Sockets Layer (SSL) protocol. SSL is meant to prevent someone from eavesdropping on you while you are browsing the Internet by encrypting your data. This bug puts many users’ personal information on a multitude of websites at risk.

The Heartbleed bug is a very serious online security breach, since internet browsing and social networking is vastly popular around the globe. This breach allows hackers to access bits of your personal information without leaving a trace. Unfortunately, there is no way for you to discover if your information has been stolen or not. Websites that handle e-commerce or personal information, including passwords, usernames, and credit card information are more vulnerable to heartbleed. In case you thought that it couldn’t get any worse, this bug also allows attackers to steal a server’s digital keys, allowing them to get access to a company’s internal documents.

You’re probably wondering how this bug works. The Heartbleed bug allows 64 kilobytes (kB) of server memory to be accessed by any attackers. It doesn’t seem like a major problem, but when attackers perform this task repeatedly, they can secure quite a bit of information. It allows them to get not just the usernames and passwords, but also all the cookie data that Web servers use to save log-in information and to identify users. According to the Electronic Frontier Foundation, by repetitively attacking, it could allow attackers to retrieve sensitive information. This information can allow someone to run a fake version of a website and use it to steal all the information like credit card numbers and private messages.

Although many websites can be affected by the bug, there are sites that does not use OpenSSL, or uses the earlier version of the software. The versions of OpenSSL that are affected are 1.0.1 through 1.0.1f. Some tech giants that support Perfect Forward Secrecy (PFS), like Facebook and Google, can prevent this bug from attacking. PFS is designed to prevent attackers from decrypting an encrypted key they retrieve from the bug by generating a new key periodically. If an attacker did get an encryption key out of a server that runs PFS, they will not have enough time to decrypt the key before the new key is generated. This does not solve the problem, but it does mitigate it.

If you are worried about your personal information getting stolen, you can check which websites are vulnerable to the bug by entering the link to testing sites that have created by developers and companies. LastPass, a password management software developer, has created a nice Heartbleed checker. If the websites were recently patched, the checker would give you a green flag. But you should still proceed with caution, and obviously stop using the red flagged sites until it’s patched. An article written by Mashable included a list of compromised sites, it gives you a general idea of which websites were/are affected, and if you need to change your passwords. Either way, it’s important to change your passwords in case, and to avoid using the same password on multiple sites.

Heartbleed is a serious bug and there might be other security flaws lurking around the Web waiting to hunt you down. You should always watch out on what you do online.

Source - Codenomicon