‘Heartbleed’ security bug: Defend your encrypted data


'Heartbleed' logo/symbol. (Via Wikipedia)

WASHINGTON, April 16, 2014 – You’ve protected your personal computer by installing anti-virus and Internet security software purchased from a well-known and trusted vendor. In addition, you’ve gone to the trouble of encrypting all your important data as well as your passwords. No more worries, right?

Wrong answer.

Your data may already have been compromised by something known as the “Heartbleed” bug and you won’t even know it.

According to a recent message from software security company Intego,

“Earlier this month, the OpenSSL project issued an emergency security advisory that warned about an open bug called ‘Heartbleed.’ This serious vulnerability could lead to malicious hackers spying on what were thought to be secure Internet communications.”

A current entry in Wikipedia provides this technical overview:

“Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.”

Rough Lay Translation: The widely used OpenSSL security library (SSL stands for Secure Sockets Layer) is open-source code. A surprisingly open, relatively informal association of computer scientists created and still maintains OpenSSL, which countless Internet sites and their servers around the world employ to protect data in transit. The Heartbleed bug is best described as an exploitable security hole in OpenSSL that was only recently uncovered.
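To make the “missing bounds check” concrete, here is an added example in C. It is not OpenSSL’s code and is not part of the original article; it is a minimal handler for a heartbeat-style record written from the defender’s side, showing the single length check whose absence defined Heartbleed. The record layout (a type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) follows RFC 6520; the function names, the constructed test records and the check_* helpers are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520 requires at least 16 bytes of padding */

/* Handle one heartbeat record (hypothetical handler, not OpenSSL's).
 * Returns the number of response bytes written to out, or -1 if the
 * record is malformed and must be discarded. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    if (rec_len < 3)                 /* need type byte + 2-byte payload length */
        return -1;
    uint8_t type    = rec[0];
    size_t  payload = ((size_t)rec[1] << 8) | rec[2];   /* length CLAIMED by the sender */
    if (type != HB_REQUEST)
        return -1;

    /* The bounds check vulnerable OpenSSL lacked: the claimed payload plus the
     * mandatory padding must fit inside the bytes actually received. Without
     * it, the memcpy below would read past the end of rec and echo whatever
     * happened to sit in memory after it. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);              /* echo only bytes we really received */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);   /* padding (random bytes in a real stack) */
    return (int)resp_len;
}

/* Constructed test helper: build a request whose length field may disagree
 * with the payload actually included, which is exactly what the check catches. */
size_t build_request(uint8_t *buf, size_t cap, const char *payload,
                     size_t claimed_len)
{
    size_t actual = strlen(payload);
    size_t total  = 3 + actual + HB_MIN_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0, HB_MIN_PADDING);
    return total;
}

/* Honest record: 5-byte payload, length field says 5. Returns 1 if the
 * handler echoes it correctly in a 24-byte response. */
int check_wellformed(void)
{
    uint8_t req[256], resp[256];
    size_t n = build_request(req, sizeof req, "hello", 5);
    int r = handle_heartbeat(req, n, resp, sizeof resp);
    return r == 24 && resp[0] == HB_RESPONSE && memcmp(resp + 3, "hello", 5) == 0;
}

/* Malformed record: same 5-byte payload, length field claims 65535.
 * Returns 1 if the handler rejects it instead of over-reading. */
int check_malformed(void)
{
    uint8_t req[256], resp[256];
    size_t n = build_request(req, sizeof req, "hello", 65535);
    return handle_heartbeat(req, n, resp, sizeof resp) == -1;
}

int main(void)
{
    printf("well-formed record echoed: %s\n", check_wellformed() ? "yes" : "no");
    printf("malformed record rejected: %s\n", check_malformed() ? "yes" : "no");
    return 0;
}
```

The whole defence is the one comparison against rec_len: the sender’s length field is untrusted input, and the handler must size its copy by what was actually received, never by what the peer claims.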

For the average user, the geeky details of what happened here are not particularly important. What all this really means is this: if you visit a web site that employs OpenSSL but has not addressed the Heartbleed vulnerability, hackers may use the Heartbleed security hole to read from the site’s systems without detection, helping themselves to private keys as well as individual users’ cookies and passwords, and ultimately gaining access to your carefully encrypted data.

The situation is a nightmare because none of your Internet or personal computer security software products can see what’s going on. Heartbleed is not really a virus in the conventional sense; it’s an open security hole that can be easily exploited, and an invisible one. Unlike the viruses and Trojan horses most careful PC users are accustomed to defending against, Heartbleed doesn’t insert malicious code or routines into your computer. It scoops up encrypted data that you’ve shared or left on vulnerable servers and could potentially grab data from your machine during an interactive session on one of those servers.

The good news is that once the OpenSSL crew discovered the Heartbleed vulnerability, they introduced a fix on April 7, 2014. It was also on that day that the Heartbleed vulnerability was publicly disclosed.

It is estimated that at the time of the announcement, slightly less than 20 percent of secure web servers were vulnerable. And if they haven’t implemented the new fix, they still are. The situation is potentially catastrophic for the average user, since many users don’t even bother to employ their own security measures to begin with.

Worse, nearly everyone tries to stick with passwords they can memorize. Once they’ve implemented them, the tendency is to use them on password-protected site after password-protected site so they don’t forget how to get in. Worse still, they never change their passwords.

And changing your password or passwords is ultimately the best and easiest way to at least prevent further vulnerability to Heartbleed on those websites/servers that haven’t yet implemented the OpenSSL fix.

Software, sites, and services have routinely recommended this password-changing routine for years anyway, advising customers to change their passwords at least once a year. But relatively few people bother to do it because, admittedly, it is a royal pain.

In addition, as password lists for individual users grow, these users are ultimately driven to write down the new passwords on paper or in a separate computer file lest they forget them. And this, of course, leads to another obvious vulnerability. What if someone eavesdrops and reads your password list?

Nonetheless, changing your passwords now might be a good security tactic, particularly if you’re using them to access a compromised server and/or website. But first, you might want to see if a given website has been compromised.

Intego has notified its users that one way to do this check is to go to this handy URL:


Once on this page, all you have to do is type in a URL or hostname you’re worried about and you’ll instantly be informed whether it’s vulnerable or not.

Intego advises: “If you use a site that is affected, the security bug possibly compromised your password, and you’ll have to change it once the bug is fixed. Before you change passwords on a site, first check to see if it is vulnerable to Heartbleed. Don’t change your password until you know it’s safe.”

Italics are ours. Obviously, if a site hasn’t yet fixed the vulnerability and you change your password, the new password is instantly vulnerable to hacking as well. Best thing here might be to stay off the site temporarily and/or block the site via your security software settings until you know it’s safe again.

Meanwhile, if you’ve been too cheap to buy any kind of security software for your computer, maybe now is the time. It won’t defend against Heartbleed, of course. But the bulk of vulnerabilities, ever since viruses, Trojan horses, and malware were invented, have been aimed at your machine and that’s still the case. So security consciousness still begins at home.

Copyright 2014 Communities Digital News

This article is the copyrighted property of the writer and Communities Digital News, LLC. Written permission must be obtained before reprint in online or print media. REPRINTING CONTENT WITHOUT PERMISSION AND/OR PAYMENT IS THEFT AND PUNISHABLE BY LAW.

Correspondingly, Communities Digital News, LLC uses its best efforts to operate in accordance with the Fair Use Doctrine under US Copyright Law and always tries to provide proper attribution. If you have reason to believe that any written material or image has been innocently infringed, please bring it to the immediate attention of CDN via the e-mail address or phone number listed on the Contact page so that it can be resolved expeditiously.

Terry Ponick
Biographical Note: Dateline Award-winning music and theater critic for The Connection Newspapers and the Reston-Fairfax Times, Terry was the music critic for the Washington Times print edition (1994-2010) and online Communities (2010-2014). Since 2014, he has been the Business and Entertainment Editor for Communities Digital News (CDN). A former stockbroker and a writer and editor with many interests, he served as editor under contract from the White House Office of Science and Technology Policy (OSTP) and continues to write on science and business topics. He is a graduate of Georgetown University (BA, MA) and the University of South Carolina where he was awarded a Ph.D. in English and American Literature and co-founded one of the earliest Writing Labs in the country. Twitter: @terryp17