Heartbleed bug strikes terror across the web

Huge flaw in OpenSSL lets hackers access personal data for past two years

By Brian Ward
On April 15, 2014

If you have not yet heard of the Heartbleed bug, you should read this, and then run to your computer.

On April 9, it was announced that Heartbleed, a coding flaw in the OpenSSL encryption library, has allowed anyone to have untraceable access to usernames, passwords, credit card numbers and other information encrypted by OpenSSL.

OpenSSL is used by 66 percent of the Internet, and the Heartbleed bug has been around for two years. 

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and impersonate services and users," said Codenomicon, the Finnish security firm that discovered Heartbleed.

According to an article by Jason Cipriani that was featured on CNET.com, a reputable tech website, some of the sites affected by Heartbleed include Google (including Gmail), Facebook, Tumblr, Instagram, Pinterest, Etsy, Reddit, Yahoo (including Yahoo Mail), Netflix, SoundCloud, Minecraft, Flickr and Dropbox.

In the short term what people should do is go online, check to see what sites have been patched and then change all of their passwords immediately. It might be an inconvenience, but it beats having some hacker using a credit card with your name on it.

Luckily, there are many banks and popular sites that do not use OpenSSL and are not susceptible to Heartbleed. Sites that were not vulnerable to Heartbleed include Bank of America, Chase, TD Bank, American Express, Capital One, PayPal, Amazon, eBay, Groupon, Apple and Microsoft.

However, if you use the same passwords for different sites, it still might be a good idea to change your passwords, even on sites that are not vulnerable. If a hacker gets a password from a vulnerable site (let's say Pinterest), they could use it on a site without the Heartbleed bug, like Bank of America.

Heartbleed is being called one of the worst security issues in recent history. One computer security expert, Bruce Schneier, stated on his website that Heartbleed was a "catastrophic" flaw and that, "on the scale of one to 10, this is an 11."

Whenever someone connects with a website, the connection is encrypted with the SSL/TLS protocol to protect the data. OpenSSL is a free encryption library that a lot of sites use. Heartbleed came into existence two years ago when a coder for the OpenSSL Project submitted faulty code that made it into the library. On OpenSSL sites, Heartbleed allowed hackers to read up to 64 kilobytes of server memory per "heartbeat." A heartbeat makes it possible to keep a secure communication channel open without re-negotiating security protocols over and over again. The bug turns each heartbeat into an opportunity for the hacker to go in and retrieve information (in this case, up to 64 kilobytes' worth).

"There is no total of 64 kilobytes limitation to the attack; that limit applies only to a single heartbeat. Attacker can either keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed," said Codenomicon.  
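The flaw described above comes down to a heartbeat reply that trusts the length the sender claims instead of the length actually received. The following C example is an added illustration, not OpenSSL's code or part of the original article; the `mem` buffer, the function names and the sample data are constructed, and it contrasts the flawed handling with the discard rule from RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HEADER  3    /* 1-byte type + 2-byte payload_length */
#define HB_PADDING 16   /* minimum padding required by RFC 6520 */
#define MEM_SIZE   64

/* Constructed stand-in for server memory: the record occupies mem[0..rec_len),
 * everything after it is unrelated data that happens to be adjacent. */
static uint8_t mem[MEM_SIZE];

/* Build a constructed request: type 1, a claimed payload length, a real
 * 4-byte payload and 16 bytes of padding. Returns the true record length. */
size_t build_request(uint16_t claimed)
{
    memset(mem, 0, sizeof mem);
    mem[0] = 1;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + HB_HEADER, "ping", 4);
    size_t rec_len = HB_HEADER + 4 + HB_PADDING;   /* 23 bytes received */
    memcpy(mem + rec_len, "ADJACENT-DATA", 13);    /* placeholder, not a real secret */
    return rec_len;
}

/* Flawed: echoes as many bytes as the message claims to carry. */
size_t echo_trusting(size_t rec_len, uint8_t *out)
{
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    (void)rec_len;                           /* never consulted: this is the bug */
    if (claimed > MEM_SIZE - HB_HEADER)      /* keeps this demo inside mem[] only */
        claimed = MEM_SIZE - HB_HEADER;
    memcpy(out, mem + HB_HEADER, claimed);
    return claimed;
}

/* Hardened: silently discard when the claim exceeds what was received. */
size_t echo_checked(size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;
    memcpy(out, mem + HB_HEADER, claimed);
    return claimed;
}
```

With an honest length of 4 both handlers echo "ping"; with a claimed length of 40 the flawed handler also returns the bytes stored after the record, while the checked handler returns nothing.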

All this is paired with the fact that Heartbleed is untraceable, so you are unable to tell if someone has stolen your data until they start using it.

Nine hundred people had their social insurance numbers stolen from the Canadian Revenue Service, and the Canadian government is extending the deadline for the 2013 tax return while they find out the extent of the damage.

The NSA was accused of both knowing about Heartbleed and using it to gather information, but both the agency and the White House have adamantly denied the accusations. 

Akamai, a network provider that deals with one-third of Internet traffic, released a patch for Heartbleed on Friday, though it has recently been discovered that the Akamai patch is only partially effective.
