PHUKET: On April 1, 2014 one of Google’s security team members reported a disturbing discovery. Don’t be misled: what was found to be a very serious security flaw affecting half-a-million websites across cyberspace was, in fact, not a computer virus. It was a simple programming mistake which turned out to have far-reaching implications for what was thought to be encrypted information. Meet Heartbleed.
The Heartbleed bug, as it has been grimly named, is a small coding error that somehow went unseen by those responsible for catching such mistakes. The error was written into OpenSSL, a widely used piece of security software that implements the encryption protocols meant to provide a secure line of communication between networks and other computers and mobile devices. Numerous internet Goliaths such as Amazon, Facebook and Google run this software, which was intended to keep the sensitive information users decide to share – think passwords, credit card numbers and social security numbers – under lock and key. At this point, it is widely considered one of the most serious security flaws in the history of the internet.
Following the discovery of this metaphorical hole in the bucket, a patch was created and released on April 7 to shore up the breach. Internet users can now breathe a little easier, but not quite a sigh of relief. Although the error in the code has been taken care of, the problem was only discovered last month, while it has actually existed since it was introduced in an OpenSSL update on March 14, 2012.
At this point, unless you have already seen the consequences, there really is no way of knowing if a hacking, thieving scoundrel has acquired your info. Other than changing your online passwords, there is little you can do. What needs to happen is that the websites – about two-thirds of the internet – need to replace the certificates and private keys that they use to encrypt communications. Certificates and private keys are what a website uses to prove to you and your computer’s browser that your connection really is with that site and is encrypted. Ever notice the little padlock beside a website’s address in your browser? That padlock means your browser has checked the site’s certificate and accepted it as genuine.
However, this does not happen with the click of a button – recreating and deploying certificates and private keys takes time and effort. For instance, Google took the necessary steps to protect its users right away, but smaller networks without Google’s nearly infinite resources at their disposal may struggle to do the same. Keep in mind that Heartbleed is not a virus on your computer, so your machine itself is not compromised.
But wait, there is more. Another risk posed by Heartbleed is the very real possibility that some cyber-villain could get hold of a network’s private key and impersonate it. By creating, say, a fake sign-in page for a site that you navigate to and using the stolen private key for that site, the villain could make the fake page indistinguishable from the authentic one as far as your computer is concerned, allowing the online reprobate to grab your precious info.
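As an added example that is not part of the original article, the Python script below shows how the certificate replacement described above can be checked from the outside: a certificate whose validity period starts on or after the April 7, 2014 fix date is the cheapest public sign that a site has reissued it, and the script turns that into the "change your password now or wait" decision. It uses only the Python standard library; the sample certificate records and the hostnames in them are constructed placeholders, and the live lookup is optional.

```python
"""Check whether a site's TLS certificate was reissued after the Heartbleed fix.

Added example, not code from the original article. Uses only the Python
standard library. The SAMPLE_* records are constructed to look like the dict
that ssl.SSLSocket.getpeercert() returns; the hostnames are placeholders.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# OpenSSL 1.0.1g, which fixed Heartbleed, was released on April 7, 2014.
# A private key that was exposed before that date stays exposed until the
# site generates a new key and certificate, so a certificate whose validity
# starts before it was issued for a possibly leaked key.
HEARTBLEED_FIX_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample records (placeholder hostnames, not real sites).
SAMPLE_STALE = {
    "subject": ((("commonName", "bank.example"),),),
    "notBefore": "Mar 20 00:00:00 2013 GMT",
    "notAfter": "Mar 20 23:59:59 2015 GMT",
}
SAMPLE_REISSUED = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Apr  9 00:00:00 2014 GMT",
    "notAfter": "Apr  9 23:59:59 2016 GMT",
}

NO_ACTION = "no action: site never ran OpenSSL, so it was not exposed"
CHANGE_NOW = "change your password now: site was exposed and has new keys"
WAIT = "wait: site was exposed and still uses its old certificate"


def cert_not_before(cert: dict) -> datetime:
    """Parse the 'notBefore' field of a getpeercert()-style dict as UTC."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_fix(cert: dict, fix_date: datetime = HEARTBLEED_FIX_DATE) -> bool:
    """True if the certificate's validity period starts on or after the fix."""
    return cert_not_before(cert) >= fix_date


def advise(was_vulnerable: bool, cert: dict) -> str:
    """Apply the article's rule: not exposed -> nothing; exposed and
    reissued -> change password; exposed but not reissued -> wait."""
    if not was_vulnerable:
        return NO_ACTION
    return CHANGE_NOW if reissued_after_fix(cert) else WAIT


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate a live server presents (needs network access).

    The default context verifies the chain and hostname, so an impersonator
    with a self-signed certificate fails here instead of being trusted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("stale", SAMPLE_STALE), ("reissued", SAMPLE_REISSUED)):
        print(label, cert_not_before(cert).date(), advise(True, cert))
    # Optional live check: python heartbleed_cert_check.py some.host.example
    if len(sys.argv) > 1:
        live = fetch_peer_cert(sys.argv[1])
        print(sys.argv[1], cert_not_before(live).date(), advise(True, live))
```

One caveat worth keeping in mind: a new certificate does not by itself prove a new private key, because a site can have a fresh certificate signed for the key it already had. The `getpeercert()` dict does not expose the public key, so a thorough check compares the key fingerprint before and after the site's announced rotation as well.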
For many websites, it may be unclear whether they have been affected by Heartbleed. Several websites (such as this one) have posted a list of some popular sites with their status regarding security.
The best approach to begin protecting yourself is to identify the sites you frequent most, especially the most sensitive ones like online banking, and find out if they have been affected and, if so, whether they have taken steps to secure themselves. If they did not use OpenSSL to begin with, you are not at risk and do not need to take action. If they were affected but are now secure, change your password immediately. In the case that a site holds important information of yours, has been affected, but is not yet secure, do not bother changing your password until they have taken the necessary steps to keep your info safe.
More news will surface regarding Heartbleed and more people will be affected. For now, don’t be lazy, be proactive and do what needs to be done to protect yourself.
— Jeremie Schatz