So how does it work?
When you connect to a secure Internet site to access your email, social media account, or Internet banking, the server you connect to will send back what is called a ‘heartbeat’. Just like your own heartbeat, it is how your computer and the server stay connected while you are logged in: the server uses it to know that you are still there and still wish to be connected to your online account. Once you log out, the heartbeat stops, so the server knows there should no longer be a connection and your online account is no longer accessible.
The heartbeat is a very small message, but by using the bug an attacker may be able to read more of the web server’s memory than the message should allow, and that memory may contain sensitive information useful to an attacker. This might include usernames and passwords, session keys or even the web server’s private key.
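A constructed illustration of the check the fix added, written for this page and not taken from OpenSSL or the original post: the record layout follows the TLS heartbeat format (type, claimed payload length, payload, padding), while the 64-byte "server memory" and the session token stored after the record are made up.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: a TLS heartbeat record (type, 2-byte big-endian payload
   length, payload, 16 bytes of padding) at the start of a 64-byte block of
   "server memory" that also holds unrelated data, here a made-up token. */
#define MEM_SIZE 64
static uint8_t server_memory[MEM_SIZE];
static const char SECRET[] = "SESSION=constructed-secret";

/* Lay out a record that claims `claimed` payload bytes but carries `actual`.
   Returns the number of bytes the server really received. */
static size_t build_memory(uint16_t claimed, size_t actual) {
    memset(server_memory, 0, MEM_SIZE);
    server_memory[0] = 1;                        /* heartbeat_request */
    server_memory[1] = (uint8_t)(claimed >> 8);
    server_memory[2] = (uint8_t)(claimed & 0xff);
    memset(server_memory + 3, 'A', actual);      /* bytes that were really sent */
    size_t received = 3 + actual + 16;           /* header + payload + padding */
    memcpy(server_memory + received, SECRET, sizeof SECRET);
    return received;
}

/* Build the echo reply. With check == 0 the copy length is the sender's
   claim rather than the number of bytes received, which is the bug: the reply
   carries whatever lies after the record. With check == 1 the claim is
   validated against the received length first, as the fix does.
   Returns the reply length, or -1 when the record is rejected. */
static int heartbeat_reply(const uint8_t *rec, size_t received,
                           uint8_t *reply, size_t cap, int check) {
    if (received < 3) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (check && (size_t)1 + 2 + payload + 16 > received) return -1;
    if ((size_t)payload + 3 > cap) return -1;    /* keeps the demo inside its buffer */
    reply[0] = 2; reply[1] = rec[1]; reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, payload);
    return (int)(payload + 3);
}

/* -1: record rejected, 1: reply exposes SECRET, 0: reply is a clean echo. */
int heartbeat_outcome(uint16_t claimed, size_t actual, int check) {
    uint8_t reply[MEM_SIZE];
    size_t received = build_memory(claimed, actual);
    int n = heartbeat_reply(server_memory, received, reply, sizeof reply, check);
    if (n < 0) return -1;
    for (int i = 3; i + (int)sizeof SECRET <= n; i++)
        if (memcmp(reply + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}
```

A record that claims 60 payload bytes but carries 4 is echoed with the token included when the check is off, and rejected when it is on; an honest 4-byte record passes either way.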
So am I affected and what should I do?
This is a hard question to answer. If the website you use runs an old version of OpenSSL, it is not affected. Even if it does run the vulnerable version, an attacker would have to be using the bug at exactly the time you are using the site to be able to grab your credentials. The best we can say is that it’s possible you have been directly or indirectly affected. Unfortunately the Heartbleed bug leaves no trace of exploitation, so you are unable to tell whether it has been used against you.
The best thing for us all to do is to change our passwords if our provider tells us that they were exploited. It might even be a good idea just to change all those old passwords that you’ve been using for years, just in case. Here are some tips for creating a secure password:
· Be a minimum of 8 characters long
· Use upper and lower case letters
· Substitute numbers or symbols for letters
· Do not use simple personal information (e.g. birthdays, kids’ names, pet names)
· If you keep a written copy of your passwords, use an encrypted method of accessing them, not a note in your wallet.
· An easy thing to remember is a phrase: try abbreviating the phrase and using the first letter of each word as your password. Adding numbers can help make this harder to guess.
The OpenSSL team have created a fix and this is being rolled out across the Internet to correct the bug.
How can I find out if my website is affected?
A useful tool to check the TLS configuration of a website you use is https://www.ssllabs.com/ssltest/
I would like more information on Heartbleed and its effects.
Here are some places to look for more information:
· A site providing detailed information on Heartbleed and a detailed Q&A
· The Heartbleed Hit List: The Passwords You Need to Change Right Now
· How Heartbleed Works: The Code Behind the Internet's Security Nightmare
Sarah Taylor
www.cqr.com