What is Heartbleed?
Some websites, especially those used to display or transfer personal or sensitive information, use encryption to protect the data that is sent and received. Sites like Amazon, Dropbox, Gmail, etc. all use encryption from the point at which you log in and throughout your use of the site. Very recently a serious flaw was discovered in OpenSSL, one of the most widely used pieces of software that provides this encryption (it implements the SSL/TLS protocols behind the padlock in your browser) on web servers across the Internet. The bug is present in the versions of OpenSSL first released in March 2012 (1.0.1 up to and including 1.0.1f) and sits in the software's handling of the TLS 'heartbeat' extension, which is how it got its codename, 'Heartbleed'. It has also been given a formal identifier: CVE-2014-0160.
What is being done to fix it?
After security researchers discovered the Heartbleed bug they informed some key organisations in the industry, and an updated version of OpenSSL (1.0.1g) that does not have the bug was developed. Those organisations began rolling the update out to their servers, but before this work was complete news of the bug went public. Because the attack is simple to carry out, anyone with a reasonable amount of technical skill can now take advantage of the bug wherever the update has not yet been applied.
What are the consequences?
After the bug went public, administrators of web services began to investigate, and it was confirmed that a relatively simple script can make an affected server hand over chunks of its own memory (up to 64 KB per request, repeated as often as the attacker likes). That memory can contain whatever the server was working on at the time: usernames and passwords being submitted, session cookies, the contents of emails and documents, and even the server's private encryption key, which would let an attacker impersonate the site or decrypt captured traffic (where the site was not using forward secrecy). The attack leaves no trace in ordinary server logs. This means that an affected web service should be considered insecure and you should stop using it until it is fixed.
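To show why a single malformed request can leak server memory, here is an added illustration written for this page; it is not OpenSSL's own code. It models a TLS heartbeat record (RFC 6520: type, two-byte payload length, payload, padding) and a small "arena" that stands in for the server's heap, with a constructed secret placed right after the received record. The vulnerable handler trusts the length field in the packet, exactly the mistake in OpenSSL 1.0.1 to 1.0.1f; the fixed handler applies the same bounds check that 1.0.1g added. The secret string, the arena size and the function names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of TLS heartbeat handling (RFC 6520).
 * Record layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * The arena below stands in for the server process heap; this is example code,
 * not OpenSSL's source.
 */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  128

/* Constructed secret that happens to sit in memory right after the received record. */
static const char SECRET[] = "session=abc123; password=hunter2";

/* Build a response by echoing payload_len bytes starting at p. Shared by both handlers. */
static size_t write_response(const unsigned char *p, size_t payload_len, unsigned char *out)
{
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);            /* the copy whose length the attacker controls */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Vulnerable: uses the length claimed inside the packet and never compares it to rec_len. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                               /* the bug: the real record length is ignored */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    return write_response(rec + 3, payload_len, out);   /* reads past the record into the heap */
}

/* Fixed (the check added in 1.0.1g): header + claimed payload + padding must fit in the record. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;  /* too short to hold even the padding */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return 0;   /* silently discard, as 1.0.1g does */
    return write_response(rec + 3, payload_len, out);
}

/* Lay out a request with the given actual payload and claimed length, then place SECRET
   immediately after it as adjacent heap data. Returns the real record length. */
static size_t stage_arena(unsigned char *arena, const char *payload, uint16_t claimed_len)
{
    size_t actual = strlen(payload);             /* keep payload short for this model */
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual);
    size_t rec_len = 3 + actual + HB_PADDING;    /* padding bytes are already zero */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* True if needle occurs anywhere in buf[0..len). Works on binary data, unlike strstr. */
int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Send one request to the chosen handler. out must hold ARENA_SIZE + 3 + HB_PADDING bytes.
   Returns the response length, or 0 if the request was dropped (or exceeds this model's arena). */
size_t run_request(int use_fixed, const char *payload, uint16_t claimed_len, unsigned char *out)
{
    unsigned char arena[ARENA_SIZE];
    if ((size_t)claimed_len + 3 > ARENA_SIZE) return 0;   /* keep the model's over-read inside the arena */
    size_t rec_len = stage_arena(arena, payload, claimed_len);
    return use_fixed ? heartbeat_fixed(arena, rec_len, out)
                     : heartbeat_vulnerable(arena, rec_len, out);
}

int main(void)
{
    unsigned char out[ARENA_SIZE + 3 + HB_PADDING];
    /* The attacker sends a 1-byte payload but claims it is 60 bytes long. */
    size_t n = run_request(0, "A", 60, out);
    printf("vulnerable server answered %zu bytes; secret leaked: %s\n",
           n, contains(out, n, SECRET) ? "yes" : "no");
    n = run_request(1, "A", 60, out);
    printf("fixed server answered %zu bytes (0 = request dropped)\n", n);
    n = run_request(1, "A", 1, out);
    printf("fixed server answered an honest request with %zu bytes\n", n);
    return 0;
}
```

The response from the vulnerable handler contains the whole constructed secret, because the 60-byte copy runs straight past the 20-byte record into the bytes that follow it; the fixed handler drops the same request and still answers a request whose claimed length matches the record. In the real bug the claimed length can be up to 65535, and the memory that follows the record is whatever the server happened to allocate last.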
As an example, Yahoo's webmail was not patched for several hours after the bug went public. It is highly likely that attackers were sending these malicious requests to Yahoo's servers during that time and reading the leaked memory, which would of course include usernames, emails and passwords. Yahoo have now patched their servers, but smaller web services may not have done so yet.
There is also a possibility that this bug was found and quietly used by attackers at any point in the two years since the faulty version was released. Because the attack leaves no trace in server logs this cannot be ruled out, and if it happened attackers could have spent that time silently reading data from affected servers, though this is thought unlikely.
How does this affect me?
This affects everyone who uses the Internet. In the worst case, data you sent to an affected site in the last two years could have been captured. There is currently no evidence that this has happened, nor that any of the affected sites have been compromised, but it is still important that you follow the actions below.
What do I do now?
On an individual level, whether in your business life or your home life, you should take action. Most security experts are recommending the following course of action:
1. Wait for a web service to tell you either:
a. It was never vulnerable to Heartbleed or
b. It was vulnerable but has now fixed its systems
2. Change your password for each web service as it is fixed.
3. If you have been re-using passwords across different web services (i.e. you use the same password for multiple sites) then this is the opportunity to stop doing that.
Be wary of emails asking you to change your password; they could be phishing scams. It is best not to click the links in such emails; instead open your browser and type the site's address yourself.
Some sources have been advocating changing all your passwords immediately. This is not great advice: if you change your password on a service that isn't fixed, then your new password could subsequently be captured in exactly the same way. It is best to wait until you know the service is secure. A properly fixed service will have updated OpenSSL and also replaced its encryption certificate and keys, since those could have been leaked too.
How do I pick good passwords? How do I remember lots of different passwords?
There are a few good websites which give advice, here are two:
You may wish to subscribe to a service to help you, such as www.lastpass.com; this password-storage tool will show you which sites are safe and which passwords you should change:
For which common services should I change the password right away?
These popular services were vulnerable and have fixed the bug, so you should change these passwords now.
- Google / Gmail
- Yahoo / Flickr / Tumblr
If you shared the password from any of these services with other services then change those too.
See more information here.
How does this affect my business?
Windows itself, and Microsoft server products such as Exchange and IIS, use Microsoft's own encryption library (SChannel) rather than OpenSSL, so they are unaffected by this problem. This means the passwords you use to log on to your PC or to your business email are secure; only if you have used your Windows password for web sites would we recommend you change it. Note that third-party software installed on a Windows server (for example some VPN, web-server or remote-access packages) can bundle its own copy of OpenSSL, so check with those vendors too.
For most businesses the impact is limited to changing passwords for all users on any affected web services that your business uses.
If your business itself provides web services, or runs its own web, email or VPN servers, then your web developers or hosting provider should be your first point of contact, but feel free to contact us if you are unsure or need further advice or information.
There is a great deal of coverage of the problem right now. Not all journalists are very good with technical stories like this, so take care about which sources you use. Here are two useful and trustworthy sources:
Here’s the UK government’s official website for security information distribution