Heartbleed Bug Breaks Net Security Firms’ Hearts
It’s an online security bug that’s breaking developers’ hearts. The Heartbleed bug is a security flaw in the OpenSSL cryptographic software library. Hackers can exploit this bug to obtain sensitive information such as login details, emails, and instant messages. It affects the average Internet user in that half a million websites are affected, said British internet services company Netcraft in a post on its website. Its analysis named Yahoo, Tumblr, Dropbox, and Steam among the vulnerable websites.
Cryptographic software encrypts information, keeping hackers out by making it unreadable to them. Security firm Codenomicon launched a webpage to explain the Heartbleed bug. Three of its security engineers, as well as Google researcher Neel Mehta, discovered the bug. Codenomicon then reported the bug. The webpage is essentially a FAQ page about the Heartbleed bug. It said that any user with the technical knowledge to hack could exploit the bug, gaining access to valuable information.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names, and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,” it said.
While newly discovered, the Heartbleed bug has existed since December 2011 and was first publicly released in March 2012. News of the bug broke Tuesday, alerting users that their information may not be as safe as they think. OpenSSL has issued a brief security advisory regarding the bug. It advises that affected users upgrade to the newest version, which includes a patch for the Heartbleed bug.
“Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS,” it said.
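The two remedies in that advisory can be checked from the text that `openssl version -a` prints. The script below is an added example, not code from OpenSSL or from the article; the function name, verdict strings and sample outputs are constructed for illustration, and it only judges the 1.0.1 release line named in the advisory.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` text against the two remedies
# quoted above (1.0.1g, or a rebuild with -DOPENSSL_NO_HEARTBEATS).
# Function name and verdict strings are this example's own (hypothetical).

classify_openssl() {
    # $1 = full text printed by `openssl version -a`
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^compiler: *//p')

    # Remedy 2: heartbeat support compiled out, whatever the version letter.
    case " $flags " in
        *" -DOPENSSL_NO_HEARTBEATS "*) echo heartbeat-disabled; return 0 ;;
    esac

    case "$ver" in
        "")                        echo unparsed ;;
        1.0.1[g-z]*)               echo at-or-after-1.0.1g ;;  # remedy 1 applied
        1.0.1|1.0.1[a-f]*|1.0.1-*) echo pre-1.0.1g ;;          # 1.0.1 line before "g"
        *)                         echo other-branch ;;        # not covered by the quoted advice
    esac
}

# Constructed sample outputs, not captured from real hosts.
SAMPLE_OLD='OpenSSL 1.0.1f (constructed sample)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'
SAMPLE_REBUILT='OpenSSL 1.0.1e-fips (constructed sample)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'
SAMPLE_NEW='OpenSSL 1.0.1g (constructed sample)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'

for s in "$SAMPLE_OLD" "$SAMPLE_REBUILT" "$SAMPLE_NEW"; do
    classify_openssl "$s"
done

# On a live host: classify_openssl "$(openssl version -a)"
```

Distribution packages can carry a backported fix while still reporting an earlier version letter, so a `pre-1.0.1g` result on a packaged build means checking the vendor's package changelog rather than assuming the host is exposed.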
Internet security firms, developers, and users are all concerned about the potential ramifications of the bug. Users at developer-centric website GitHub are putting together a post with a list of websites they’ve tested for vulnerability to the Heartbleed bug. The 1000+ line document confirms that some of the websites named by Netcraft were vulnerable in an initial scan but were later found to have been fixed. The authors only verify that their information was accurate at the time of the scan on April 8, 12:00 UTC. They refer to it as a ‘snapshot.’ The results found that popular websites Google, Facebook, Reddit and Wikipedia were all not vulnerable. Others, such as LinkedIn, were not affected because the site has no SSL.
Users with accounts on affected websites are advised to change their passwords and not to reuse the same password on multiple websites. Another step is to set up two-factor verification on logins where possible. This helps secure accounts by sending the user a one-time login code to use with their password every time they log into an account. In short, keep your passwords secure by changing them often.