This week, security researchers announced a security flaw in OpenSSL, a widely used open-source encryption library, that gives hackers who know about it the ability to extract massive amounts of data from the services that we use every day and assume are mostly secure.
The vulnerability sits in the software running on the servers behind services that transmit sensitive information, such as Facebook and Gmail.
What is the Heartbleed bug?
According to BusinessInsider, “Heartbleed is a flaw in OpenSSL, the open-source encryption standard used by the majority of websites that need to transmit the data that users want to keep secure. It basically gives you a secure line when you’re sending an email or chatting on IM.”
Encryption works by making the data being sent unreadable to anyone but the intended recipient.
Periodically, one computer might want to check that there’s still a computer at the end of its secure connection, and it will send out what’s known as a heartbeat, a small packet of data that asks for a response.
Because of a programming error in OpenSSL, it was possible to send a malformed packet disguised as one of these heartbeats and trick the computer at the other end into replying with data stored in its memory.
The flaw was first reported to the team behind OpenSSL by Google security researcher Neel Mehta, and independently found by security firm Codenomicon. According to the researchers who discovered the flaw, the code has been in OpenSSL for about two years, and exploiting it leaves no trace.
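As an added illustration (not OpenSSL's code and not part of the original article), this toy C model of a heartbeat handler shows the missing check described above: the vulnerable version trusts the length field inside the request, while the fixed version drops any request whose claimed payload does not fit in the record that actually arrived. The simulated memory region, the record layout and the planted "secret" are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a TLS heartbeat record (RFC 6520 layout):
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_REQUEST 1
#define HB_PADDING 16
#define MEM_SIZE   256

/* Simulated process memory: the record sits at offset 0, other server data follows. */
static unsigned char mem[MEM_SIZE];

/* Builds a record claiming `claimed` payload bytes but carrying only `actual`,
 * plants a constructed secret right after it, and returns the true wire length. */
size_t build_record(uint16_t claimed, uint16_t actual) {
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = claimed >> 8; mem[2] = claimed & 0xff;
    memset(mem + 3, 'A', actual);                 /* payload actually sent */
    size_t reclen = 3 + actual + HB_PADDING;      /* padding left as zeros */
    strcpy((char *)mem + reclen, "SECRET:hunter2"); /* constructed sample */
    return reclen;
}

/* Vulnerable handler: trusts the length field in the request, so a claim
 * larger than the real payload copies whatever follows it in memory. */
size_t heartbeat_vulnerable(unsigned char *out, size_t reclen) {
    (void)reclen;                                 /* wire length never checked */
    uint16_t payload = (uint16_t)((mem[1] << 8) | mem[2]);
    memcpy(out, mem + 3, payload);
    return payload;                               /* bytes copied into reply */
}

/* Fixed handler: drops the request unless header + claimed payload +
 * minimum padding fits inside the record that actually arrived. */
size_t heartbeat_fixed(unsigned char *out, size_t reclen) {
    if (reclen < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((mem[1] << 8) | mem[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > reclen) return 0;
    memcpy(out, mem + 3, payload);
    return payload;                               /* 0 means rejected */
}

int main(void) {
    unsigned char out[MEM_SIZE];
    size_t reclen = build_record(64, 4);          /* claims 64, sends only 4 */
    printf("vulnerable copied %zu bytes\n", heartbeat_vulnerable(out, reclen));
    printf("fixed copied %zu bytes\n", heartbeat_fixed(out, reclen));
}
```

The check in the fixed handler mirrors the kind of bounds test the real patch introduced: the server must never reply with more bytes than the request actually delivered.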
Web servers keep a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service. According to Vox.com’s Timothy Lee, even credit-card numbers could be pulled out of the data sitting in memory on the servers that power some services.
But worse than that, the flaw has made it possible for hackers to steal encryption keys — the codes used to turn gibberish-encrypted data into readable information.
With encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it without establishing a secure connection. This means that unless the companies running these servers change their keys, even future traffic will be susceptible.
Are you at risk?
Probably, though again, this isn’t simply an issue on your personal computer or your phone — it’s in the software that powers the services you use.
Security firm Codenomicon reports: “You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.”
According to a recent world-wide web server survey that looked at nearly 959,000,000 websites, 66% of sites are powered by technology built around SSL, and that doesn’t include email services, chat services, and a wide variety of web apps.
What you can do to protect yourself:
- Change every password on every website you visit
- Enable two-factor authentication on every site that offers it
- Use a service like LastPass to store your passwords for each website you visit. It’s an add-on to your browser.
Read more about Heartbleed: http://www.businessinsider.com/heartbleed-bug-explainer-2014-4#ixzz2yUHWyanv