Heartbleed bug strikes terror across the web
Huge flaw in OpenSSL lets hackers access personal data for past two years
If you have not yet heard of the Heartbleed bug, you should read this, and then run to your computer.
On April 9, it was announced that Heartbleed, a coding flaw in the OpenSSL encryption library, has allowed anyone to have untraceable access to usernames, passwords, credit card numbers and other information encrypted by OpenSSL.
OpenSSL is used by 66 percent of the Internet, and the Heartbleed bug has been around for two years.
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and impersonate services and users," said Codenomicon, the Finnish security firm that discovered Heartbleed.
According to an article by Jason Cipriani that was featured on CNET.com, a reputable tech website, some of the sites affected by Heartbleed include Google (including Gmail), Facebook, Tumblr, Instagram, Pinterest, Etsy, Reddit, Yahoo (including Yahoo Mail), Netflix, SoundCloud, Minecraft, Flickr and Dropbox.
In the short term, people should go online, check which sites have been patched and then change all of their passwords immediately. It might be an inconvenience, but it beats having some hacker using a credit card with your name on it.
Luckily, there are many banks and popular sites that do not use OpenSSL and are not susceptible to Heartbleed. Sites that were not vulnerable to Heartbleed include Bank of America, Chase, TD Bank, American Express, Capital One, PayPal, Amazon, eBay, Groupon, Apple and Microsoft.
However, if you use the same passwords for different sites, it still might be a good idea to change your passwords, even on sites that are not vulnerable. If a hacker gets a password from a vulnerable site - let's say Pinterest - they could use it on a site without the Heartbleed bug, like Bank of America.
Heartbleed is being called one of the worst security issues in recent history. One computer security expert, Bruce Schneier, stated on his website that Heartbleed was a "catastrophic" flaw and that, "on the scale of one to 10, this is an 11."
Whenever someone connects with a website, the connection is encrypted with an SSL/TLS protocol to protect the data. OpenSSL is a free encryption library that a lot of sites use. Heartbleed came into existence two years ago when a coder for the OpenSSL Project submitted faulty code that got into the system. On OpenSSL sites, Heartbleed allowed hackers to read up to 64 kilobytes of server memory per "heartbeat." A heartbeat makes it possible to keep a secure communication channel open without renegotiating security protocols over and over again. The bug opens up a window of time in which the hacker can go in and retrieve information (in this case, up to 64 kilobytes' worth).
"There is no total of 64 kilobytes limitation to the attack; that limit applies only to a single heartbeat. Attacker can either keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed," said Codenomicon.
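The 64-kilobyte figure comes from a 16-bit length field in the heartbeat message: the sender states how long its payload is, and the server echoes that many bytes back, so the defense is to compare the stated length with the bytes that really arrived. The C code below is an added example, not OpenSSL's code or part of the original article; the function and constant names are hypothetical, and the message layout (1 type byte, 2 length bytes, payload, at least 16 padding bytes) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1   /* heartbeat message type: request */
#define HB_HEADER  3   /* 1 type byte + 2 length bytes */
#define HB_MIN_PAD 16  /* RFC 6520: at least 16 bytes of padding */

/* Validate a received heartbeat request and copy its payload for the reply.
 * msg/msg_len: the bytes that actually arrived; out/out_cap: reply buffer.
 * Returns the payload length, or -1 if the message must be dropped. */
long heartbeat_echo(const uint8_t *msg, size_t msg_len,
                    uint8_t *out, size_t out_cap)
{
    if (msg == NULL || out == NULL) return -1;
    if (msg_len < HB_HEADER + HB_MIN_PAD) return -1;  /* too short to be valid */
    if (msg[0] != HB_REQUEST) return -1;

    /* Length the sender CLAIMS for its payload: 16 bits, so at most 65535. */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];

    /* The bounds check: the claim must fit inside what was received.
     * Without it, the copy below would run past the end of msg. */
    if (HB_HEADER + claimed + HB_MIN_PAD > msg_len) return -1;
    if (claimed > out_cap) return -1;

    memcpy(out, msg + HB_HEADER, claimed);
    return (long)claimed;
}

/* Constructed sample: a request carrying the 4-byte payload "ping" plus
 * 16 padding bytes, with the length field set to claimed_len. */
long sample_result(uint16_t claimed_len)
{
    uint8_t msg[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST };
    uint8_t out[64];
    msg[1] = (uint8_t)(claimed_len >> 8);
    msg[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(msg + HB_HEADER, "ping", 4);
    return heartbeat_echo(msg, sizeof msg, out, sizeof out);
}

int main(void)
{
    printf("claims 4 bytes, sent 4:     %ld\n", sample_result(4));
    printf("claims 65535 bytes, sent 4: %ld\n", sample_result(0xFFFF));
    return 0;
}
```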
All this is paired with the fact that Heartbleed is untraceable, so you are unable to tell if someone has stolen your data until they start using it.
Nine hundred people had their social insurance numbers stolen from the Canadian Revenue Service, and the Canadian government is extending the deadline for the 2013 tax return while they find out the extent of the damage.
The NSA was accused of both knowing about Heartbleed and using it to gather information, but both the agency and the White House have adamantly denied the accusations.
Akamai, a network provider that deals with one-third of Internet traffic, released a patch for Heartbleed on Friday, though it has recently been discovered that the Akamai patch is only partially effective.