The Heartbleed bug has been hitting the news quite frequently lately, and with good reason. It is a serious vulnerability in the popular, and widely used OpenSSL cryptographic software library. It is important to note that this is not a virus or malware but rather a mistake that was written into the OpenSSL software. In essence, this bug allows criminals to potentially steal the information, that would normally be protected under normal conditions, by the SSL/TLS (Secure Socket Layer / Transport Layer Security) encryption used to secure the internet. SSL/TLS is what provides security and privacy to communications over the internet, in particular, for applications such as web, email, instant messaging and some virtual private networks. For more detailed information on the Heartbleed Bug.
The core vulnerability that the Heartbleed bug has exposed is that it allows anyone on the internet to read the memory of the systems protected by vulnerable versions of the OpenSSL software, compromising the secret keys used to identify the service providers and to encrypt traffic. This includes the names and passwords of the users and actual content sent within the communication. It essentially allows attackers to “listen in” on communications and then steal data from either the service provider or the user that they can use to impersonate the user later.
What does this mean to users and how can they protect themselves? Well, as long as the vulnerable version of OpenSSL is in use, it is still open to attack. A fixed version of the OpenSSL software has been released and it has to be deployed. It is now up to any service providers and users that have utilized the vulnerable version of OpenSSL to install the fix for their systems wherever it is being used in their networks.
For end-users, the first thing that they should check is whether the online services that they use, like PayPal, Gmail, Yahoo, Facebook, Instagram, etc. have updated their servers in order to fix this vulnerability. Next, once the fix has been carried out by the service provider (not before), the users should then change their passwords. Some websites such as Mashable have provided a list of many popular websites that are affected by the Heartbleed bug. This is not a complete list so users should still be wary if a website that they frequent is not on the list. Wedge’s technology partner, computer security company McAfee, has provided a Heartbleed Test Tool for users to check if their frequently used website has been compromised. If the website pops up as being compromised, it means that the website has not updated their version of OpenSSL and the user should wait to change their password.
When it all comes down to it, the Heartbeat Bug is a good wake-up call for users and service providers alike. It reminds users that they should always be cognizant of security when transmitting valuable information over the internet. For service providers, how they deal with this bug is a good measure of how prepared they are to mitigate these problems when they arise in the future.
