
Heartbleed bug: What you need to know

Winston Sih | posted Thursday, Apr 10th, 2014

Security researchers have uncovered a fatal flaw in a key safety feature for surfing the Web — the one that keeps your email, banking, shopping, passwords and communications private.

Here’s what you need to know.

What is it?

It’s called the Heartbleed bug, and it is essentially an information leak.

It starts with a hole in the software that the vast majority of websites on the Internet use to turn your personal information into strings of random numbers and letters. If you see a padlock image in the address bar, there’s a good chance that site is using the encryption software that was impacted by the Heartbleed bug.

What sites have been affected?

CNET maintains a comprehensive list of sites that have been patched.

Users can easily check if a site is secure by going to this website: http://filippo.io/Heartbleed/

What does it do?

Heartbleed allows outsiders to peek into the personal information that was supposed to be protected from snoopers.

The bug allows potential hackers to take advantage of a feature that computers use to see if they’re still online, known as a “heartbeat extension.” But a malicious heartbeat signal could force a computer to divulge secret information stored in its memory, including keys to an encryption tool that turns your credit card information and passwords into indecipherable code.

Once a hacker has the keys to the encryption software, it’s game over — usernames, passwords, bank information and all the other data that you thought were safe are potentially up for grabs. Making matters worse, the Heartbleed bug leaves no traces — you may never know when or if you’ve been hacked.
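The paragraph above describes the mechanism in words: a heartbeat message carries a payload and a field that claims the payload's length, and the vulnerable code trusted the claimed length instead of checking it against the bytes actually received. The following added example (it is not code from the article, from OpenSSL, or from any project the article mentions) models that in Python: a simplified heartbeat record in the shape RFC 6520 describes, a handler that copies the claimed number of bytes without checking, and a handler with the bounds check the fix introduced, which silently discards a record whose claimed length does not fit. The surrounding "memory" and the secret inside it are constructed sample data, not anything taken from a real server.

```python
# Added example: a toy model of the TLS heartbeat length check, not OpenSSL code.
import struct

HEARTBEAT_REQUEST = 1
PADDING = b"\x00" * 16          # RFC 6520 requires at least 16 bytes of padding

def build_heartbeat(claimed_length, payload):
    """Encode a heartbeat record: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + PADDING

def respond_unchecked(record, adjacent_memory):
    """Model of the pre-fix behaviour: copy `payload_length` bytes starting after the header,
    trusting the peer's claim. If the claim is larger than the record, the copy runs past
    the record into whatever happens to sit next to it in memory."""
    _, claimed = struct.unpack("!BH", record[:3])
    memory = record + adjacent_memory      # the record sits in front of other process data
    return memory[3:3 + claimed]

def respond_checked(record, adjacent_memory):
    """Model of the fixed behaviour: the claimed length must fit inside the record
    (header + payload + minimum padding), otherwise the record is discarded."""
    if len(record) < 1 + 2 + len(PADDING):
        return None                        # too short to even hold a header and padding
    _, claimed = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed + len(PADDING) > len(record):
        return None                        # claimed length exceeds what was received: drop it
    return record[3:3 + claimed]

# Constructed sample of data living next to the record (a made-up session secret).
ADJACENT_MEMORY = b"cookie=SECRET-SESSION-TOKEN-1234"

def demo():
    """Run both handlers on a well-formed record and on one with an inflated length."""
    good = build_heartbeat(4, b"ping")     # claims 4 bytes, carries 4 bytes
    bad = build_heartbeat(40, b"ping")     # claims 40 bytes, carries 4 bytes
    return {
        "good_unchecked": respond_unchecked(good, ADJACENT_MEMORY),
        "good_checked": respond_checked(good, ADJACENT_MEMORY),
        "bad_unchecked": respond_unchecked(bad, ADJACENT_MEMORY),
        "bad_checked": respond_checked(bad, ADJACENT_MEMORY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On the well-formed record both handlers echo `ping`. On the record with the inflated length the unchecked handler returns 40 bytes, of which the last 20 come from the constructed adjacent data, while the checked handler returns nothing; that discard is the whole fix, and it is also why the article says users cannot protect themselves until the site operator has updated.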

“You could watch traffic go back and forth,” said Wayne Jackson III, CEO of open source software company Sonatype. “This is a big deal. When you think about the consequences of having visibility into Amazon and Yahoo, that’s pretty scary.”

Who does this affect?

Most major websites are targets, because they rely on this program. A survey conducted by W3Techs shows that 81% of sites run on the web server programs Apache and Nginx, and both are vulnerable to the Heartbleed bug.

Many popular sites, including Amazon, Yahoo and OKCupid, use those encryption tools. Yahoo, Amazon and OKCupid have updated their websites with a fix for the bug, but many others have not patched their sites yet.

What can I do?

Not much, unfortunately — the websites themselves need to update to a new version of the encryption software to fix the bug. That’s why changing all your passwords right away isn’t a good idea. Websites are all racing to fix the issue, and if you act too quickly, you might change your password on a site that is still vulnerable.

Italian cryptographer Filippo Valsorda launched the “Heartbleed Test,” which purports to tell you if websites are still compromised.

With files from CNN


Comments

  • Douglas Dookie Spence says:

    As Winston points out there are a few great sites out there to help you keep track of your user/passwords. I personally like to be able to manage them myself with a spreadsheet where I list the URL of the site, my username and password. The only exclusions being for banking, being most often where the username is your bank card, so the document is no good without my wallet in your hand as well. This spreadsheet I back up on a thumb drive, my cloud, my external drive and on good old paper. Most important, with critical sites, don’t use the same old password that you use for non-critical sites. It’s ok to use “guitargawd” as a password for all your newsgroups etc, but don’t use it for your banking as well. That’s just putting a target on the site for a hacker. AND don’t ask Windows to “remember” the password for any site or allow auto-fill to take care of these for you. Good job Winston, keep us posted as the fix rolls out so we can go out and change our critical passwords to the sites that could be infected. Although I noticed today there was already an off-schedule Windows update, so I suspect that they are already working on a blocker for it as well.

  • Douglas Dookie Spence says:

    Thanks for the info Winston. Yet another hacker out there with too much time on their hands, yet it’s a good reminder. With bugs like this not only do service providers (i.e. banks, credit cards, employers etc) have to partake in their own due diligence first, we as users must always keep our passwords and user names stored safely elsewhere for all sites that we use. I personally have a spreadsheet with all of the URLs with my username and passwords stored on my computer, my external drive, a thumb drive, and a printed copy and a copy on the cloud should I ever need to access it. Of course banking info is most often user name the card number, so that is not on the spreadsheet. Most important, NEVER accept the prompt to allow your computer to automatically remember the username/pass for any site you use even if it is something as silly as a local recipe sharing group. It’s just a door into your machine. Never assume you won’t get hit by one of these bugs because you don’t have the financial resources to be worth it. With the right info someone can take your identity and create new credit and spoil your good name. Take a few minutes to take precautions and simply maintain it with Winston’s suggestion or mine or just a good old pen and paper if you can still find either or both anymore. I’m sure there’s an app for that as to where to find those things.
