What is the ‘Heartbleed’ bug, how it works and why it’s a huge security risk
A dangerous software bug called "Heartbleed" is raising great concerns, as it can expose users' personal info including bank details, social security numbers, and passwords.
This bug threatens to compromise online communication security, posing a big risk to tech companies and users alike.
What is 'Heartbleed'?
The so-called "Heartbleed" bug made its way by mistake to openSSL, which is a vital piece of software that secures thousands of online sites worldwide. More specifically, the server software called Apache, used by as much as two-thirds of the world's websites, has this openSSL software built-in. The software enables an encrypted data channel between a machine and the remote server, making the data decipherable only to authorized computers that have the necessary keys for decrypting the information.
OpenSSL is designed to make it secure to move financial information over the Internet and it has become an essential part of online commerce. During a software upgrade back in 2012, however, a piece of bad code was accidentally added to the software, inadvertently allowing unauthorized machines to read unencrypted information from the memory of the remote server. This can compromise virtually any type of information, including the encryption keys necessary for decoding the data stream, e-mails, phone numbers, financial data, and more.
Users' personal information is at stake, but they can't do anything much to protect themselves at this point. Exploitable websites need to upgrade their software and patch this vulnerability, but the "Heartbleed" bug is expanding in the meantime. The risks go beyond Internet web servers, as hackers could use the bug to crack security firewalls, email systems, and potentially even mobile phones. Developers released various patches to fix affected web servers, especially for bigwig companies such as Amazon, Yahoo, and Google, but pieces of vulnerable openSSL code are still present in ordinary PCs, email systems, phones, firewalls, and other places.
Julia Horwitz from the Electronic Privacy Information Center explained to Reuters how the whole process works. When computers are protected by an encrypted connection, as in the case of transferring information to one's bank or secure email, some layers of code aim to ensure the data is safe and not vulnerable to hacking. "Heartbleed" breaks that code and makes the protective layers penetrable, allowing hackers to collect sensitive information.
"The encryption software that has the bug is the most popular form of web encryption on the internet. So something like more than two-thirds of the internet that is encrypted is encrypted using openSSL TLS which is what encryption software is," Horwitz told Reuters.
"It doesn't leave a trace, so it's hard to track and see when it's been used, and where it's been," Horwitz added. "So, as far as we can tell it's been in operation for about two years maybe a little more than two years which means that potentially any of the services that use openSSL in order to encrypt have been exposed to this bug and therefore the users of those services."
Protection against 'Heartbleed'
Heavyweight companies such as Facebook, Yahoo, and Google have told Reuters that they have taken the necessary steps to reduce the negative impact on users. Google said that its users don't have to change their passwords. Amazon, meanwhile, said that Amazon.com has not been affected, however some of its cloud services that support apps such as Pinterest and Netflix have been vulnerable.
Companies, as well as government agencies, are currently working to determine which products are vulnerable to this bug in order to set priorities for fixing them based on the risk they pose. Researchers have already noticed sophisticated hacking groups scanning the Internet this week in a bid to find vulnerable servers. The issue is of major concern and poses huge threats to online security, as it involves compromising a great amount of data of the most sensitive kind.
Because Heartbleed doesn't leave any trace, it's impossible to be sure whether your passwords and personal data have been mined and leaked out. Researchers believe the only one thing to do at this point is to change each and every password you use online, or at least every password that allows you to log onto shopping, financial, or social networking sites where you share sensitive info. The sites still have to upgrade their own software with the necessary patches, so researchers advise waiting a couple of days to change the passwords.