Four Things You Should Know About the Heartbleed Bug
A vulnerability that's being called one of the worst security issues in the history of the internet was discovered this week, and if you run a website that uses SSL encryption, it probably affects you. Here's what you need to know.
It’s a bug so major that security researchers gave it its own logo and catchy nickname to spread word to the world.
And even then, it probably wasn’t enough.
Heartbleed is a big deal for end users and web developers alike, raising major questions about security and drawing an unprecedented level of attention for a single bug.
Based on early reports, it’s worthy of the panic that’s setting in. Here’s what developers and users alike need to know about Heartbleed:
It was the result of a minor coding oversight. A feature added to the OpenSSL cryptographic library about two years ago, an implementation of the TLS “heartbeat” extension, shipped with a small bug that allows nefarious users to poll a server’s memory and read back small chunks of whatever it holds in the clear: think passwords, credit card and bank account numbers, and other personal information. Because this polling can be repeated as often as the attacker likes, entirely without the user’s knowledge, a mechanism meant to provide security instead had a gaping hole in it. “The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers,” Ars Technica‘s Dan Goodin wrote.
Security experts are calling it “catastrophic.” Co3 Systems Chief Technology Officer Bruce Schneier, one of the most well-regarded security experts in the world, said the bug is a worst-case scenario for the internet. “Basically, an attacker can grab 64K of memory from a server,” he wrote on his popular blog. “The attack leaves no trace and can be done multiple times to grab a different random 64K of memory. This means that anything in memory—SSL private keys, user keys, anything—is vulnerable. And you have to assume that it is all compromised. All of it.”
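As an added illustration (not code from this article or from OpenSSL itself), here is a simplified model in C of the heartbeat handling the bug lived in: the unchecked version trusts the two-byte length field the peer supplies, which is how a single request could ask for up to 64K, while the checked version applies the bounds test the fix introduced. The record layout, function names and padding constant are assumptions modelled on the TLS heartbeat extension.

```c
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat record layout (after RFC 6520): 1-byte type,
 * 2-byte big-endian payload length, the payload, then at least 16 bytes
 * of padding. Constructed model for this article, not OpenSSL's own code. */
enum { HB_HDR_LEN = 3, HB_MIN_PADDING = 16, HB_REQUEST = 1, HB_RESPONSE = 2 };

/* Vulnerable logic: trust the length field and report it as the number of
 * payload bytes to echo back, never comparing it with how many bytes the
 * peer actually sent. A 3-byte payload labelled 0xFFFF yields 65535. */
static size_t hb_payload_len_unchecked(const unsigned char *rec, size_t rec_len)
{
    (void)rec_len;                       /* the real record length is ignored */
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened logic: the same parse, but header + claimed payload + minimum
 * padding must fit inside the bytes actually received. Sets *ok to 1 and
 * returns the payload length, or sets *ok to 0 and returns 0 on a bad record. */
static size_t hb_payload_len_checked(const unsigned char *rec, size_t rec_len, int *ok)
{
    *ok = 0;
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + claimed + HB_MIN_PADDING > rec_len)   /* the missing check */
        return 0;
    *ok = 1;
    return claimed;
}

/* Build the echo response into out, copying only a validated payload.
 * Returns bytes written, or 0 if the request was rejected or out is too small. */
static size_t hb_respond(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_len)
{
    int ok;
    size_t n = hb_payload_len_checked(rec, rec_len, &ok);
    if (!ok || out_len < HB_HDR_LEN + n + HB_MIN_PADDING)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(n >> 8);
    out[2] = (unsigned char)(n & 0xFF);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, n);
    memset(out + HB_HDR_LEN + n, 0, HB_MIN_PADDING);   /* padding is zero-filled */
    return HB_HDR_LEN + n + HB_MIN_PADDING;
}
```

The unchecked function never copies anything; it only reports the length the old code would have trusted, so the model stays safe to run.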
It needs to be fixed on the developer’s end. If you run a site that relies on OpenSSL to encrypt user data, it was likely affected by the bug. This is not a rare thing: more than half a million servers use OpenSSL, including many big names such as Yahoo, Google, Dropbox, and Amazon Web Services. “Since there’s no way to tell whether a server has been exploited (and exploit code is now in the wild) you need to assume that it is,” Matthew Green, assistant research professor at the Johns Hopkins Information Security Institute, wrote on his blog. “This means the safe move is to revoke your certificate and get a new one. Have fun.”
Users should change their passwords, but… The problem with the OpenSSL leak is that it threatens so many sites that users who reuse a password across sites could be exposed everywhere that password is used. However, sites that have not yet patched their systems remain exposed, so a password changed before a site is fixed could leak all over again, turning the timing of the change into a cat-and-mouse game. Mashable has a list of major sites that have been affected by the bug. At an enterprise IT level, it may be worth considering a password manager such as LastPass or 1Password to protect user credentials, along with implementing two-step verification for sites that support it. LastPass also offers a free tool to check whether a site was affected.
If your IT staff has dealt with the bug already, what advice would you give other technical teams addressing Heartbleed? Share your solutions in the comments.
(Associations Now illustration)