While the World Wide Web is no stranger to minor malware attacks and malicious viruses created by hackers, a bug of the magnitude of Heartbleed had been unheard of till a few days ago. In what follows, we take a close look at some of the critical aspects of this panic-inducing cyber bug.
Over the last ten days or so, Heartbleed is the one thing that every internet-user has been talking about. For the uninitiated (in case there is any!), Heartbleed is a major cyber security/programming bug, that has rendered almost all OpenSSL systems vulnerable. In layman’s language, the bug can cause your passwords to be hacked, and your personal mail/social networking/banking accounts to be misused. Let us here do a round-up on the Heartbleed bug, and determine whether you should indeed be concerned by it:
-
What is the bug all about? – Contrary to what many believe, Heartbleed is not ‘just another malware or virus program’. In essence, it is an error in the programming done for the OpenSSL data encryption coding. The error allows hackers to ‘bleed out’ information from host computer systems, at the rate of 64 KB every time. Targeting the bug repeatedly on particular websites (Gmail, for instance), can lead to literally millions of passwords being hijacked.
-
Who’s responsible for Heartbleed? – Heartbleed isn’t something that has cropped up during the last week. It had been, unknown to almost everyone, causing data loss since 2011. Given that it is a coding error, it isn’t possible to label the person responsible for it as a cyber criminal. However, if a finger has to be pointed – it should be at Dr. Robin Seggelmann, a Germany-based programmer/developer. To be fair, he was honest enough to own up to his 2011 mistake recently, during an interview to the Sunday Morning Herald newspaper.
-
Has the bug affected websites only? – Nearly 70% of all live websites use OpenSSL data protection technology, and all of them have been bitten by the bug. However, the reach of Heartbleed has been well and truly beyond online portals only. Mobile app developers around the world have reported that many web-based apps have been affected. Android apps, in particular, have been proved to be particularly vulnerable to the bug. Even certain public routers and Virtual Private Network (VPN) systems are reported to have been compromised.
-
So, how does Heartbleed actually steal data? – If you do online transactions frequently, you are probably already aware of how the ‘http’ at the start to the URL changes to ‘https’ (indicating ‘secure’) on the payment gateway pages. Thanks to Heartbleed, hackers can now grab information from such apparently secure pages too. What adds to the complexity of the problem is that, the effect of Heartbleed on a website cannot be traced back. It leaves no footprints, leaving internet fraudsters with an almost clear playing field.
-
Has the bug been fixed now? – On April 7, the OpenSSL 1.01g upgrade was released – specifically to fix the loophole through which Heartbleed was operating. Before you heave a sigh of relief, consider this though – most of the high-traffic websites are yet to install the upgrade and/or do the necessary rebooting on their respective servers. Once that is done (and you are informed about it), you will need to change passwords and other personal account details too.
-
Should you be wary of using unprotected wi-fi networks? – Yes, very. Avoid logging on to public wireless internet networks, since chances of unauthorized access of personal data from such channels cannot be ruled out. According to iPhone app development experts, logging on to mobile apps for making online payments via unsecure networks is an absolute ‘no-no’ too. Everybody loves a bit of free internet service, but Heartbleed might force you to pay a hefty price!
-
Which passwords should you change immediately? – Prior to this, you need to keep in mind one thing. If the website for which you are changing passwords has not upgraded the latest OpenSSL security patch, even your new passwords might get hacked. Thankfully, sites like Google and Yahoo did the necessary upgrades within a day or so. In general, you need to set up new passwords for all Google Apps (including Gmail), Amazon, Flickr, Yahoo! Mail and YouTube accounts. The Apple website has not been affected by Heartbleed – much to the relief of iOS application developers. On behalf of Facebook too, users have been advised to change their existing passwords (as a security measure). If you are a user of Dropbox, Evernote, Netflix or Hulu Plus, you will need new passwords for them as well.
-
Can you check whether a site is safe to work on? – Fortunately, you can. Since LastPass is relied upon by many users around the globe as a reliable database of passwords, it was quick to develop a tool for checking whether Heartbleed has affected any site. Filippo Valsorda, an independent online security research expert, has also created a site to check the vulnerability of online portals. For a few months at least, it would be a good idea to check a new site on either of these channels. The accuracy of the test results from the LastPass or Valsorda websites might not be 100% accurate, but they will give you a fair indication as to whether a portal is safe or not.
-
What is the volume of data already ‘stolen’ via Heartbleed? – No one has an idea, and it cannot be said with complete confidence that any data has indeed been misused by the bug. However, according to a release from Canada Revenue Agency, an alarmingly large number of personal Social Insurance Numbers have been ‘stolen’ from the website. The site, accordingly, had suspended its online e-filing operations temporarily – till a proper security patch was upgraded on it.
-
Online tax-payments now have to be deferred, right? – The verdict on this seemed to be a bit unclear until recently. While the Internal Revenue Service has clearly emphasized that there was no data-theft risk for people filing their tax-returns within the scheduled deadline – the stance of Canada Revenue Agency had been diametrically opposite. The CRA website resumed its services on April 13, after a brief hiatus – during which the required upgrades were made in its security system. As things stand now, online payment of taxes is safe – and deferring the payments would only mean unnecessary violation of regulations.
National Security Agency (NSA) had allegedly been using the Heartbleed bug to keep track of the cyber activities of foreigners in United States, for over a couple of years. We have to thank the professionals of Finnish research firm Codenomicon, and the efforts of Google researcher Neel Mehta – for making the cyber world sit up and take notice of the seriousness of the Heartbleed bug. According to experts on Blackberry apps, even BBM (Blackberry Messenger) services were affected by it. Heartbleed is, by far, the biggest internet security threat till date – and if you are negligent about changing passwords and checking the authenticity of websites, the consequences can be serious.