Heartbleed Bug


If some of the headlines from the past week or so are to be believed, all our email accounts and social network sites are easy targets, and the information about us they contain is just waiting to be hacked to within an inch of its life at any time, with little anyone can do about it.

But don’t panic just yet. It might not be as bad as you think.

So before you start saying Farewell to Facebook or “ta-ra” to Twitter, here’s a little more information about the Heartbleed bug, what it does, how it works and how you might be able to fight it.

1. What is the Heartbleed Bug?

Basically, the Heartbleed bug allows anyone on the internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software. Its official name is CVE-2014-0160, and it allows an attacker to read information from a web server even when it’s supposed to be secured against intrusion. The bug affects an OpenSSL extension known as “heartbeat”, which makes it possible to keep a secure communication channel open without re-negotiating security protocols.

2. What is OpenSSL?

OpenSSL is used to protect sensitive web communications across a vast swathe of the Internet. It’s an open-source implementation of SSL and its successor protocol, TLS (Transport Layer Security). It’s the default cryptographic library in the Apache and nginx Web servers, which together power almost two-thirds of all active websites.

3. What versions are at risk?

The bug affects OpenSSL version 1.0.1, which was released in March 2012, right through to 1.0.1f, which was released in January 2014. The irony is that if you’ve been doing the right thing and keeping your version up to date, you’re more vulnerable to being a victim of the bug. Not all web servers are dependent on OpenSSL. IIS, for example, uses Microsoft’s SChannel implementation, which isn’t at risk from this bug.
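For site owners, the version range above can be turned into a quick inventory check. The following is an added example, not part of the original post: it classifies the text printed by `openssl version` against the 1.0.1 to 1.0.1f range. The function names, hostnames and sample banners are assumptions constructed for illustration.

```python
import re

# Range stated in the article: OpenSSL 1.0.1 through 1.0.1f inclusive.
AFFECTED_BASE = (1, 0, 1)
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}

# Matches e.g. "1.0.1e", "1.0.1e-fips", "0.9.8y" inside `openssl version` output.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(-[a-z0-9]+)?")


def classify(banner):
    """Return 'in-range', 'out-of-range' or 'unknown' for a version banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        return "unknown"                  # no OpenSSL-style version found
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5) or ""
    if suffix.startswith(("-beta", "-pre", "-dev")):
        return "unknown"                  # pre-releases are outside the stated range
    if base == AFFECTED_BASE and letter in AFFECTED_LETTERS:
        return "in-range"
    return "out-of-range"


def needs_follow_up(inventory):
    """Hosts whose banner is in range or could not be classified."""
    return [host for host, banner in inventory
            if classify(banner) != "out-of-range"]


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = [
    ("web-01", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("mail-01", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("vpn-01", "OpenSSL 1.0.1 14 Mar 2012"),
    ("build-01", "LibreSSL unknown"),
]

if __name__ == "__main__":
    for host, banner in SAMPLE:
        print(f"{host:9} {classify(banner):13} {banner}")
```

A package can carry a backported fix without changing its version letter, so treat "in-range" as a prompt to check the vendor's advisory rather than as proof that the server is vulnerable.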

4. How does it work?

The bug allows malicious users to request data from a Web server’s memory – which could include the site’s SSL encryption keys, user passwords and other sensitive information. It also lets attackers obtain the server’s secret keys, cryptographic measures that are supposed to ensure only an owner can access sensitive data, in order to impersonate servers and decrypt their communications.

5. What can you do?

To be honest, very little. It’s up to the owners of the site themselves to install updates and patches that will combat the bug. But if you are worried that a site you have visited may have been affected by the Heartbleed bug, you can check by clicking here and entering the URL.

6. Should you change your passwords?

We’re always told it’s good practice to change passwords. But remember, if the site has been affected and hasn’t yet addressed this security hole, that new login probably won’t be secure and you’ll have to change it again once a patch has been created. It’s unclear whether Facebook has been affected, but it’s been reported that Twitter, Tumblr and Pinterest have. So check the sites you use regularly. If the site is safe or has been patched, then it’s safe to change your password. If it hasn’t, then don’t!