Heartbleed Virus – What it is and how to protect yourself.

Heartbleed is a flaw in OpenSSL.  OpenSSL is the open-source encryption standard used by the majority of websites that transmit data that users want to keep secure.  In short, it provides a secure line when you’re sending an email or chatting on IM, for example.  Encryption works by making the data being sent look like nonsense to anyone but the intended recipient.

Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, and it will send out what’s known as a heartbeat – a bundle of data that asks for the other computer to respond. 

Because of a programming error in OpenSSL, it was found that it was possible to send a well-disguised bundle of data that may look like a heartbeat to trick the computer at the other end into sending data stored in its memory.
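To make the programming error concrete, here is an added example (not OpenSSL's code and not part of the original article) of the length check a heartbeat responder needs before echoing data back. The message layout follows the TLS heartbeat extension (RFC 6520); the function name, constants and sample messages are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* heartbeat_request message type */
#define HB_RESPONSE    2   /* heartbeat_response message type */
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_MIN_PADDING 16  /* minimum padding required after the payload */

/* Hypothetical helper: build the reply to a heartbeat request.
 * Returns the reply length, or 0 when the request must be discarded. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (msg == NULL || out == NULL)
        return 0;
    if (msg_len < HB_HEADER_LEN + HB_MIN_PADDING || msg[0] != HB_REQUEST)
        return 0;

    /* Length the sender CLAIMS its payload has (big-endian, up to 65535). */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];

    /* The check whose absence is the Heartbleed bug: the claimed payload,
     * plus header and padding, must fit inside the bytes actually received.
     * Without it, the copy below reads past the request into nearby memory. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > msg_len)
        return 0;

    size_t resp_len = HB_HEADER_LEN + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER_LEN, msg + HB_HEADER_LEN, claimed);
    /* Simplification: zero padding here; a real responder uses random bytes. */
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING);
    return resp_len;
}

int main(void)
{
    uint8_t out[64];
    /* Constructed sample: honest request, 5-byte payload + 16 bytes padding. */
    uint8_t honest[24] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    /* Constructed sample: same 24 bytes received, but claims 16384 bytes. */
    uint8_t lying[24] = {HB_REQUEST, 0x40, 0x00, 'h'};
    printf("honest: %zu\n", hb_build_response(honest, sizeof honest, out, sizeof out));
    printf("lying:  %zu (0 = discarded)\n", hb_build_response(lying, sizeof lying, out, sizeof out));
    return 0;
}
```

A request whose claimed length does not match what actually arrived is dropped without a reply, so nothing beyond the sender's own bytes is ever echoed back.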

The scary part is that the code has been in OpenSSL for about two years, and using it doesn’t leave a trace.

Why is that bad?

Can you think of all the online payments you’ve made in the past two years?  What about sensitive information that was sent, such as billing information for you and your clients? Web servers can keep a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service. Even credit-card numbers could be pulled out of the data sitting in memory on the servers that power some services.

If that wasn’t enough, the flaw has made it possible for hackers to steal encryption keys — the codes used to turn encrypted data into readable information.

With encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible. 

What can I do to protect myself?

Change your passwords.  Since the vulnerability has been in OpenSSL for about two years and using it leaves no trace, assume that your accounts may be compromised.  You should change all your online passwords, especially for services where privacy and security are major concerns.  However, many sites likely haven’t upgraded to software without the bug, so immediately changing the passwords for those sites might not help.  This would be a good time to make a more secure password.  Passwords should always have upper and lowercase letters, a number and a symbol (where allowed).

Check to see if your favorite sites are vulnerable with the LastPass Heartbleed checker, Heartbleed test or Qualys SSL Labs test.  Also check to see which sites have been patched on CNET.

If you check your sites and they still have not been patched, go ahead and change your password, but be prepared to change it again.

Clear the history, cookies and cache of all your web browsers (this includes your phone too), just in case there are old passwords stored in the browser’s “remember this password” feature.

Finally, keep a watchful eye on your bank and credit card statements.  Usually hackers will charge small amounts, anywhere from $1 to $5, to see if your card is active.  They may do this a few times, before you’re hit with the bill from someone else’s shopping spree.

This may seem like a lot to do, but as we know at the CMP Protective and Investigative Group, clearing your name after identity theft can be even harder.  Take these steps now and protect yourself from problems in the future.