Heartbleed: Security flaw you need to know

April 23, 2014 

Supreme Court TV On the Internet

Videojournalists set up outside of the Supreme Court in Washington, Tuesday, April 22, 2104. The court is hearing arguments between Aereo, Inc., an internet startup company that gives subscribers access to broadcast television on their laptops and other portable devices and the broadcasters. (AP Photo/J. David Ake)

J. DAVID AKE — AP

The Internet is an amazing thing, but being so big and accessed by so many people, it is never really 100 percent secure. There are always security issues being uncovered that could put your business and systems at risk. One of the latest flaws is possibly one of the biggest to be uncovered in years and could affect nearly every person and company on the Internet. Codenamed Heartbleed, this bug makes stealing data and viewing secure communication incredibly easy.

Most sites on the Internet rely on Secure Sockets Layer (SSL) technology to ensure that information is transmitted securely from a computer to server. SSL and the slightly older Transport Layer Security (TLS) are the main technology used to essentially verify that the site you are trying to access is indeed that site, and not a fake one which could contain malware or any other form of security threat. They essentially ensure that the keys needed to confirm that a site is legitimate and communication can be securely exchanged.

You can tell sites are using SSL/TLS by looking at the URL bar of your browser. If there is a padlock or HTTPS:// before the Web address, the site is likely using SSL or TLS verifications to help ensure that the site is legitimate and communication will be secure. These technologies work well and are an essential part of the modern Internet. The problem is not actually with this technology but with a software library called OpenSSL. This breach is called Heartbleed, and has apparently been open for a num

ber of years now.

About Heartbleed

OpenSSL is an open-source version of SSL and TSL. This means that anyone can use it to gain SSL/TSL encryption for their site, and indeed a rather large percentage of sites on the Internet use this software library. The problem is, there was a small software glitch that can be exploited. This glitch is heartbleed.

Heartbleed is a bug that allows anyone on the Internet to access and read the memory of systems that are using certain versions of OpenSSL software. People who choose to exploit the bugs in the specific versions of OpenSSL can actually access or 'grab' bits of data that should be secured. This data is often related to the 'handshake' or key that is used to encrypt data which can then be observed and copied, allowing others to see what should be secure information.

The problems

There are two major problems with this bug. The first being that if an attacker can uncover the SSL handshake used by your computer and the server that hosts the site when you login or transmit data they will be able to see this information. This information usually is made up of your login name, password, text messages, content and even your credit card numbers. In other words, anything that gets transmitted to the site using that version of SSL can be viewed.

Scary right? Well, the second problem is much, much bigger. The hacker won't only be able to see the data you transmit, but how the site receiving it employs the SSL code. If a hacker sees this, they can copy it and use it to create spoof sites that use the same handshake code, tricking your browser into thinking the site is legitimate. These sites could be made to look exactly same as the legitimate site, but may contain malware or even data capture software. It's kind of like a criminal getting the key to your house instead of breaking the window.

But wait, it gets worse. This bug has been present in certain versions of OpenSSL for almost two years which means the sites that have been using the version of OpenSSL may have led to exposure of your data and communication. And any attacks that were carried out can't usually be traced.

Am I affected by this?

What makes this so different from other security glitches is that OpenSSL is used by a large percentage of websites. What this means is that you are likely affected. In fact, a report published by Netcraft cited that 66 percent of active sites on the Internet used OpenSSL. This software is also used to secure chat systems, Virtual Private Networks, and even some email servers.

We have to make it clear here however: Just because OpenSSL is used by a vast percentage of the Internet, it doesn't mean every site is affected by the glitch.

The latest versions of OpenSSL have already patched this issue and any website using these versions will still be secure. The version with Heartbleed came out in 2011. The issue is while sites may not be using the 2011 version now, they likely did in the past meaning your data could have been at risk. On the other hand, there are still a wide number of sites using this version of OpenSSL.

What should I do?

This is a big issue, regardless of whether a website uses this version of OpenSSL. The absolute first thing you should do is go and change your passwords for everything. When we say everything, we mean everything. Make the passwords as different as possible from the old ones and ensure that they are strong.

It can be hard to tell whether your data or communications were or are actually exposed, but it is safe to assume that at some time or another it was. Changing your passwords should be the first step to ensuring that you are secure and that the SSL/TSL transmissions are secure. You should be aware of which sites are using this version of OpenSSL. According to articles on the Web some of the most popular sites have used the version with the bug, or are as of the writing of this article, using it. This includes, Facebook, Google, Gmail, Yahoo, Yahoo mail, Instagram, Pinterest, Amazon web services, Go Daddy and Intuit.

It would be a good idea to visit the blogs of each service to see whether they have updated to a new version of OpenSSL. As of the writing of this article, most had actually done so but some were still looking into upgrading. If you have a website that uses SSL/TSL and OpenSSL you should update it to the latest version ASAP. This isn't a large update but it needs to be done properly, so it is best to contact an IT partner who can help ensure the upgrade goes smoothly and that all communication is secure.

David Spire, president and CEO of United Systems, holds an MBA degree as well as multiple technical professional certifications. He can be reached at 941-721-6423 or by email at david.spire@uscomputergroup.com.

Bradenton Herald is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service