Example: [Collected via e-mail, April 2014]
Origins: In April 2014 came the announcement that a bug in software used by millions of web servers may have exposed many web sites' users to spying and eavesdropping, including the interception of their passwords and other account information. The bug, dubbed "Heartbleed," resides in a software library called OpenSSL that is used in servers, operating systems, email, and instant messaging systems. Ironically, this software is supposed to protect sensitive data as it travels back and forth.
"Heartbleed" allows hackers to easily trick servers running OpenSSL into revealing decryption keys stored in their memory. With those keys, the ill-intentioned can eavesdrop on encrypted communications, directly steal sensitive information, and impersonate users and services.
OpenSSL is employed in the widely used Apache and Nginx server software.
The bug was discovered by researchers working for Google and security firm Codenomicon. In a blog entry about their findings, the researchers said the "serious vulnerability" allowed anyone to read chunks of memory in servers running the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.
The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL released on
Full protection might require web site operators to update to the safer version of OpenSSL as well as to obtain new security certificates and generate new encryption keys. To help operators check their systems, security researchers have produced tools that determine whether servers are running vulnerable versions of OpenSSL.
Unfortunately, as security experts have noted, there is not much that individual Internet users can do to protect themselves against the Heartbleed vulnerability, as resolution of the issue depends upon the operators of web sites making changes to their systems:
"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.
Hypponen said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable.
"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."
Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet firms to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.
That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net Inc. "There's going to be lots of chaotic mess," he said.
Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so.
Sources:
Codenomicon. "The Heartbleed Bug."
Finkle, Jim. "Little Internet Users Can Do to Thwart 'Heartbleed' Bug." Reuters. 9 April 2014.
Isaacson, Betsy. "Critical Security Bug 'Heartbleed' Hits Up to 66 Percent of the Internet." The Huffington Post. 8 April 2014.
Neal, Ryan. "'Heartbleed' Bug Lets Hackers Steal Encrypted Data from 66 Percent of Websites." International Business Times. 8 April 2014.
BBC News. "Scramble to Fix Huge 'Heartbleed' Security Bug." 8 April 2014.