Fact Check

Heartbleed

The discovery of a major bug known as 'Heartbleed' has prompted web sites to encourage users to change the passwords for all of their online accounts immediately.

Published April 8, 2014

Claim:

Virus:   Heartbleed


REAL THREAT


Example:   [Collected via e-mail, April 2014]


WARNING! READ: "The biggest network security vulnerability in history was revealed in the last 24 hours. It's called "heartbleed." Everything you do for the next 24-48 hours will be viewable by random 3rd parties. Encrypted connections are not secure until this vulnerability is fixed. Billions will be affected. DO NOT LOG in to anything. DO NOT change any passwords. DO NOT say or do anything online that you would not want anonymous 3rd parties observing or copying. (This came from a reliable source in my family; he said it was okay to write on fb... or to read email from known sources as long as you observe the above "do nots.") Don't buy anything online today! Don't log into your bank account, etc.

 

Origins:   In April 2014 came the announcement that a bug in software used by millions of web servers may have exposed many web sites' users to spying and eavesdropping, including the interception of their passwords and other account information The bug, dubbed "heartbleed," resides in a software library called OpenSSL that is used in servers, operating systems, email, and instant messaging systems. Ironically, this software is supposed to protect sensitive data as it travels back and forth.

"Heartbleed" allows hackers to easily trick servers running OpenSSL into revealing decryption keys stored on their memory. With those keys, the ill-intentioned can eavesdrop on encrypted communications, directly steal sensitive information, and impersonate users and services.

OpenSSL is employed in the widely used Apache and Nginx server software.

Statistics from net monitoring firm Netcraft suggest that about 500,000 of the web's secure servers are running versions of the vulnerable software. (The bug gained its "heartbleed" moniker due to its occurring in the heartbeat extension for OpenSSL.)

The bug was discovered by researchers working for Google and security firm Codenomicon. In a blog entry about their findings, the researchers said the "serious vulnerability" allowed anyone to read chunks of memory in servers running the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.

The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL released on 7 April 2014 is no longer vulnerable to the bug. However, protecting a server from this vulnerability may not be merely a matter of installing the updated version of OpenSSL: if attackers had exploited the weakness at an earlier date, they could have already stolen the encryption keys, passwords, or other credentials required to access accounts on that server.

Full protection might require web site operators' updating to the safer version of OpenSSL as well as getting new security certificates and generating new encryption keys. To help operators check their systems, security researchers have produced tools that will determine if servers are running vulnerable versions of OpenSSL.

Unfortunately, as security experts have noted, there is not much that individual Internet users can do to protect themselves against the Heartbleed vulnerability, as resolution of the issue depends upon the operators of web sites making changes to their systems:



Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until exploitable websites upgrade their software.

"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.

Hypponen said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable.

"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet firms to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.

That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net Inc. "There's going to be lots of chaotic mess," he said.

Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so.


Additional Information:




  Heartbleed Bug   (Codenomicon)

Last updated:   9 April 2014


Sources:




    Finkle, Jim.   "Little Internet Users Can Do to Thwart 'Heartbleed' Bug."

    Reuters.   9 April 2014.

    Isaacson, Betsy.   "Critical Security Bug 'Heartbleed' Hits Up to 66 Percent of the Internet."

    The Huffington Post.   8 April 2014.

    Neal, Ryan.

    "'Heartbleed' Bug Lets Hackers Steal Encrypted Data from 66 Percent of Websites."
    International Business Times.   8 April 2014.

    BBC News.   "Scramble to Fix Huge 'Heartbleed' Security Bug."

  8 April 2014.


David Mikkelson founded the site now known as snopes.com back in 1994.