WASHINGTON, April 16, 2014 – You’ve protected your personal computer by installing anti-virus and Internet security software purchased from a well-known and trusted vendor. In addition, you’ve gone to the trouble of encrypting all your important data and keeping your passwords in an encrypted store. No more worries, right?
Your data may already have been compromised by something known as the “Heartbleed” bug and you won’t even know it.
According to a recent message from software security company Intego,
“Earlier this month, the OpenSSL project issued an emergency security advisory that warned about an open bug called ‘Heartbleed.’ This serious vulnerability could lead to malicious hackers spying on what were thought to be secure Internet communications.”
A current entry in Wikipedia provides this technical overview:
“Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.”
Rough Lay Translation: OpenSSL is a widely used, open-source software library that implements SSL (Secure Sockets Layer) and its successor TLS, the protocols behind the padlock icon in your browser. A small, largely volunteer team of developers created and still maintains it, and countless Internet sites and their servers around the world rely on it to protect data in transit. The Heartbleed bug is a flaw in the part of OpenSSL that handles the TLS “heartbeat,” a small keep-alive message: the code trusted the length the sender claimed for its message instead of checking it against what actually arrived, so a single crafted request could make a server copy up to 64 kilobytes of whatever happened to be in its memory into the reply. The flaw sat in the code for about two years before it was uncovered.
For the average user, the geeky details of what happened here are not particularly important. What all this really means is this: if you visit a web site that runs a vulnerable version of OpenSSL and has not yet applied the fix, attackers can read chunks of the server’s memory without leaving a trace in its logs. That memory may contain the server’s private key, other users’ session cookies and passwords, and whatever you just sent the site, which was encrypted only while it traveled over the wire.
The situation is a nightmare because none of your Internet or personal computer security software products can see what’s going on: the hole is in the server, not in your PC. Heartbleed is not a virus in the conventional sense. It’s an open security hole that can be easily exploited, and an invisible one. Unlike the viruses and Trojan horses most careful PC users are accustomed to defending against, Heartbleed doesn’t insert malicious code or routines into your computer. It scoops up whatever plaintext happens to be sitting in the memory of a vulnerable server, including data you’ve shared with it, and if a program on your own machine (a mail or chat client, say) uses a vulnerable copy of OpenSSL, a malicious server can run the same trick in reverse during a session.
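To make the “missing bounds check” concrete, here is a small simulation of the heartbeat handling, written for this article rather than taken from OpenSSL or from Intego. It lays out a heartbeat record the way RFC 6520 describes it (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) in a fake block of server memory, plants a made-up session cookie right after the record, and then processes the same request two ways: once trusting the length the sender claims (the pre-fix behaviour) and once checking that length against the size of the record that actually arrived (the fix). The request payload, the secret, and the buffer sizes are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX      (1 + 2 + 65535 + HB_PADDING)

/* Simulated server process memory (an assumption of this demo, not a real
 * TLS stack). The received record starts at offset 0; the bytes after it
 * stand in for whatever else the process had allocated nearby. */
typedef struct {
    uint8_t mem[HB_MAX];
    size_t  record_len;   /* bytes that actually arrived on the wire */
} server_t;

/* Constructed sample: a request carrying `payload` but advertising
 * `claimed_len`, with `secret` planted right after the record. */
void stage_request(server_t *s, uint16_t claimed_len,
                   const char *payload, const char *secret) {
    size_t plen = strlen(payload);
    memset(s->mem, 0, sizeof s->mem);
    s->mem[0] = HB_REQUEST;
    s->mem[1] = (uint8_t)(claimed_len >> 8);
    s->mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(s->mem + 3, payload, plen);
    s->record_len = 3 + plen + HB_PADDING;          /* honest record size */
    memcpy(s->mem + s->record_len, secret, strlen(secret)); /* neighbouring data */
}

/* Pre-fix logic: payload_length comes from the sender and is never compared
 * with the record length, so the copy runs past the end of the record. */
size_t heartbeat_vulnerable(const server_t *s, uint8_t *out) {
    const uint8_t *p = s->mem;
    if (*p++ != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);          /* BUG: copies `payload` bytes regardless of record_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed logic: drop the request silently unless the claimed payload, plus
 * header and padding, fits inside the record that was actually received. */
size_t heartbeat_fixed(const server_t *s, uint8_t *out) {
    const uint8_t *p = s->mem;
    if (s->record_len < 1 + 2 + HB_PADDING) return 0;     /* too short for any payload */
    if (*p++ != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > s->record_len) return 0; /* the bounds check */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the response echo bytes that were never part of the request? */
int response_leaks(const uint8_t *out, size_t out_len, const char *secret) {
    size_t n = strlen(secret);
    for (size_t i = 3; i + n <= out_len; i++)
        if (memcmp(out + i, secret, n) == 0) return 1;
    return 0;
}

/* Stage one attack with the given claimed length, run it through either
 * handler, and report 1 if the neighbouring secret came back, else 0. */
int run_attack(int use_fixed, uint16_t claimed_len) {
    static server_t srv;
    static uint8_t resp[HB_MAX];
    const char *secret = "session=abc123; user=alice";   /* constructed sample */
    stage_request(&srv, claimed_len, "hello", secret);
    size_t n = use_fixed ? heartbeat_fixed(&srv, resp)
                         : heartbeat_vulnerable(&srv, resp);
    return response_leaks(resp, n, secret);
}

int main(void) {
    /* A 5-byte "hello" that claims to be 16384 bytes long. */
    printf("vulnerable handler leaks secret: %s\n", run_attack(0, 0x4000) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n", run_attack(1, 0x4000) ? "yes" : "no");
    printf("honest request, fixed handler:   %s\n", run_attack(1, 5) ? "leak" : "ok");
    return 0;
}
```

The point of the simulation is the single comparison in `heartbeat_fixed`: the vulnerable path is one `memcpy` whose length is chosen by the remote party, which is why nothing on the server logs the attack and nothing on your PC can see it.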
The good news is that once the bug was reported to the OpenSSL project, a fixed version (OpenSSL 1.0.1g) was released on April 7, 2014, the same day the vulnerability was publicly disclosed. Because a server’s private key may have been among the data exposed, a site that installs the fix also needs to replace its key and certificate before it can be called safe again.
It is estimated that at the time of the announcement, slightly less than 20 percent of secure web servers were vulnerable, and any that have not installed the fix still are. (Only OpenSSL versions 1.0.1 through 1.0.1f, released from 2012 onward, contain the bug; older releases and servers built on other libraries were never affected.) The situation is potentially catastrophic for the average user, since many users don’t even bother to employ their own security measures to begin with.
Worse, nearly everyone sticks with passwords they can memorize, reuses them on password-protected site after password-protected site so they won’t forget how to get in, and, worse still, never changes them.
And changing your passwords is ultimately the best and easiest way to limit the damage from Heartbleed, but only on websites and servers that have already installed the OpenSSL fix. A new password sent to a still-vulnerable server can be stolen just like the old one.
Software, sites, and services have routinely recommended this password-changing routine for years anyway, advising customers to change their passwords at least once a year. But relatively few people bother to do it because, admittedly, it is a royal pain.
In addition, as password lists for individual users grow, these users are ultimately driven to write down the new passwords on paper or in a separate computer file lest they forget them. And this, of course, leads to another obvious vulnerability. What if someone finds and reads your password list?
Nonetheless, changing your passwords now might be a good security tactic, particularly if you’re using them to access a server and/or website that was exposed. But first, you might want to see whether a given website is still vulnerable.
Intego has notified its users that one way to do this check is to go to this handy URL:
Once on this page, all you have to do is type in a URL or hostname you’re worried about and you’ll be told whether it is currently vulnerable. Note what such a checker can and cannot tell you: it sends the server a test heartbeat and reports whether the hole is open right now; it cannot tell you whether anyone exploited the hole before it was closed, which is why the password change is still worthwhile.
Intego advises “If you use a site that is affected, the security bug possibly compromised your password, and you’ll have to change it once the bug is fixed. Before you change passwords on a site, first check to see if it is vulnerable to Heartbleed. Don’t change your password until you know it’s safe.”
Italics are ours. Obviously, if a site hasn’t yet fixed the vulnerability and you change your password, the new password is just as exposed as the old one. Best thing here might be to stay off the site temporarily and/or block the site via your security software settings until you know it’s safe again. Once it is, change the password and, if the site offers it, sign out of all other sessions, since a leaked session cookie lets an attacker in without any password at all.
Meanwhile, if you’ve been too cheap to buy any kind of security software for your computer, maybe now is the time. It won’t defend against Heartbleed, of course, because the hole is in the servers you talk to, not in your machine. But the bulk of attacks, ever since viruses, Trojan horses, and malware were invented, have been aimed at your machine, and that’s still the case. So security consciousness still begins at home.