The Heartbleed Bug

In case you missed the biggest tech news this week…be warned…Heartbleed is one bad bug. The Heartbleed bug is already being called one of the biggest security threats that the Internet has ever seen. Heartbleed is a security vulnerability in the OpenSSL software that lets an attacker read the memory of servers. This weakness allows the theft of information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160.

If you are wondering whether you have been affected by this nasty bug, you are likely to have been affected either directly or indirectly. The bug has affected many popular websites and services that you might use every day (like Gmail and Facebook) and could have exposed your sensitive account information (such as passwords and credit card numbers) over the past two years. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your favorite social site, your business website, an e-commerce site, the site that you install software from, and government websites might all be using vulnerable OpenSSL.

What makes the Heartbleed Bug unique?

Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has left a large number of private keys and other secrets exposed to the Internet. Considering the long exposure, the ease of exploitation, and the fact that attacks leave no trace, this exposure should be taken seriously. Exploitation of this bug leaves no trace of anything abnormal in the logs.

Who was behind the bug?

According to the Guardian, the programmer who wrote the faulty code was Robin Seggelmann, who worked on the OpenSSL project during his Ph.D. studies from 2008 to 2012. Adding to the drama of the situation, he submitted the code at 11:59 p.m. on New Year’s Eve 2011, though he claims the timing has nothing to do with the bug.

“I am responsible for the error,” Seggelmann said. “Because I wrote the code and missed the necessary validation by an oversight.”

What versions of the OpenSSL are affected?

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
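
As an added example (not part of the original post), the following Python turns the version list above into a check you can run against the output of `openssl version`. The sample strings are constructed; the function names are my own.

```python
import re

# Ranges taken from the list above: 1.0.1 through 1.0.1f are vulnerable,
# 1.0.1g is fixed, and the 1.0.0 and 0.9.8 branches were never affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letter) from `openssl version` output.

    OpenSSL patch releases are lettered (1.0.1a, 1.0.1b, ...); the first
    release of a branch has no letter. Returns None if nothing matches.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def heartbleed_status(text):
    """Classify a version string against the post's list of affected versions."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unparseable"
    major, minor, fix, letter = parsed
    branch = (major, minor, fix)
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"
    if branch == (1, 0, 1):
        # "" (bare 1.0.1) sorts before "a", so "" <= "f" covers 1.0.1 .. 1.0.1f.
        return "vulnerable" if letter <= "f" else "not vulnerable"
    return "not covered by the list"


# Caveat: some Linux distributions shipped the Heartbleed fix as a backport
# without changing the upstream letter, so a "vulnerable" result here is a
# preliminary signal to confirm with your vendor's advisory, not proof.
SAMPLE_OUTPUTS = [  # constructed, in the shape printed by `openssl version`
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
]

if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{line!r}: {heartbleed_status(line)}")
```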

What to Do:

A fixed OpenSSL has been released and now has to be deployed. Operating system vendors and distributions, appliance vendors, and independent software vendors have to adopt the fix and notify their users.

Some companies and developers have created testing sites to check which Web sites are vulnerable to Heartbleed. Two popular ones are by LastPass (a company that develops password management software) and Qualys (a security firm). These test sites are a good preliminary check; however, continue to proceed on the Internet with caution…even if one of these sites gives you an all-clear indication. If you’re given a red flag…definitely…avoid the site.

If you are worried about your financial information, be assured that most banks don’t use OpenSSL. Banks use proprietary encryption software. If you are still unsure, please contact your bank directly to confirm that its Web site is secure. Sea-to-Sky recommends that you keep a close eye on your financial statements for the next while to make sure there are no unfamiliar charges.

Should I Change My Passwords?

In short, YES! Here is a list of sites that recommend changing your password:

  • Facebook
  • LinkedIn
  • Instagram
  • Pinterest
  • Google
  • Yahoo
  • Gmail
  • Yahoo Mail
  • Etsy
  • GoDaddy
  • Flickr
  • Minecraft
  • Netflix
  • SoundCloud
  • YouTube
  • Dropbox
  • GitHub
  • OKCupid
  • Wikipedia
  • and more!!!

The CRA reports that 900 SINs have been exposed to Heartbleed

In news closer to home, the Canada Revenue Agency (CRA) reported early Monday morning (April 14th) that 900 Canadians have had their social insurance numbers (SINs) stolen from its website due to the Heartbleed security bug. The CRA said it became aware of the breach while repairing the bug, and that the theft happened over a six-hour period.

“Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” the CRA said. “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”

They went on to say that they would contact the affected people by registered mail. These individuals will be provided with credit protection services at no cost, the revenue agency said.
