You may be wondering “what is this all about?” Everyone is talking about the Heartbleed bug and we are being told to change all our passwords. There is so much noise about this latest security vulnerability that it is causing some level of panic amongst IT professionals, and a loss of productivity as people divert focus from their primary activities in an effort to work out whether they are exposed.
What is SSL?
SSL (Secure Sockets Layer, and its successor TLS) is the encryption protocol used to protect private data while it travels over the Internet. It uses public-key cryptography to identify the server and agree on session keys: the server publishes a public key in its certificate, while the matching private key is known only to the server. The traffic itself is then encrypted with symmetric keys derived from that exchange. Most transactional websites use the protocol to collect confidential user information, such as credit card numbers. The protocol itself is not the problem. Heartbleed is a programming error in one particular implementation of it, OpenSSL, an open-source, non-proprietary library used by a large share of web servers, so not every website is vulnerable. The sites that are vulnerable are those running OpenSSL 1.0.1 through 1.0.1f (or 1.0.2-beta1) with the TLS heartbeat extension enabled, which is the default build. OpenSSL 1.0.1g, and the older 0.9.8 and 1.0.0 branches, are not affected.
About the vulnerability
The Heartbleed bug lets an attacker read the memory of a server (or client) running a vulnerable version of OpenSSL, up to 64 KB at a time, as often as they like, and without leaving any trace in the server’s logs. That memory may contain the server’s private key, the session cookies of users who are logged in, and the usernames and passwords being submitted at that moment. This means that data you shared with many popular and important websites, including your email, bank account and social media passwords, may have been compromised.
It’s difficult to overstate the impact of this problem: the flaw has been present since OpenSSL 1.0.1 was released in March 2012, so your data has been exposed for about two years, and now that the bug has been revealed publicly anyone can use it against servers that have not yet been patched.
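The logic error behind the bug, as an added example written for this page (a simplified model, not OpenSSL’s own code): a heartbeat request carries its own length field, and the vulnerable handler copies that many bytes into its reply without checking how many bytes were actually received, so whatever sits next in memory is sent back to the attacker. The fixed handler rejects any claimed length that exceeds the record. The memory layout, the names arena, make_record, hb_vulnerable and hb_fixed, and the fake private key are all constructed for the example.

```c
/* Added example, not OpenSSL's code: a simplified model of the TLS heartbeat
 * handler that reproduces the Heartbleed logic error and its fix. The names
 * arena, make_record, hb_vulnerable, hb_fixed and the fake key are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heartbeat message layout inside a TLS record (RFC 6520):
 *   1 byte type (1 = request, 2 = response), 2 bytes payload_length (big-endian),
 *   payload_length bytes of payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": the received record sits at the start, and a
 * secret that has nothing to do with the heartbeat lies a little further on. */
#define ARENA_SIZE (65536 + 64)
#define RECORD_LEN 24                 /* 1 + 2 + 5 payload bytes + 16 padding */
#define SECRET     "-----BEGIN RSA PRIVATE KEY-----"
#define SECRET_OFF 64
static unsigned char arena[ARENA_SIZE];

/* Build a genuine 24-byte heartbeat request carrying "hello", but with
 * whatever payload_length the sender chooses to claim. */
static const unsigned char *make_record(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, "hello", 5);
    memset(arena + 8, 0x11, HB_PADDING);
    memcpy(arena + SECRET_OFF, SECRET, sizeof SECRET - 1);
    return arena;
}

/* Echo `payload` bytes starting at p into a freshly allocated response. As in
 * the real code the reply buffer is sized from the claimed length, so it is
 * the over-read of the input, not a buffer overflow, that leaks memory. */
static unsigned char *build_response(const unsigned char *p, uint16_t payload,
                                     size_t *resp_len) {
    size_t n = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *buf = malloc(n), *bp = buf;
    if (!buf) return NULL;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);           /* copies `payload` bytes, whatever follows p */
    memset(bp + payload, 0xAA, HB_PADDING);
    *resp_len = n;
    return buf;
}

/* Vulnerable: trusts the length field inside the message and never compares
 * it with how many bytes were actually received. */
static unsigned char *hb_vulnerable(const unsigned char *rec, size_t rec_len,
                                    size_t *resp_len) {
    (void)rec_len;                    /* the real record length is never consulted */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec + 3, payload, resp_len);
}

/* Fixed: the two bounds checks that were missing. */
static unsigned char *hb_fixed(const unsigned char *rec, size_t rec_len,
                               size_t *resp_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return NULL;      /* too short to be valid */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return NULL; /* discard */
    return build_response(rec + 3, payload, resp_len);
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= hay_len; i++)
        if (memcmp(hay + i, needle, nl) == 0) return 1;
    return 0;
}

/* An honest client claims the true length (5): both handlers echo "hello". */
static int honest_request_works(void) {
    size_t n1 = 0, n2 = 0;
    unsigned char *r1 = hb_vulnerable(make_record(5), RECORD_LEN, &n1);
    unsigned char *r2 = hb_fixed(make_record(5), RECORD_LEN, &n2);
    int ok = r1 && r2 && n1 == RECORD_LEN && n2 == RECORD_LEN &&
             contains(r1, n1, "hello") && !contains(r1, n1, SECRET);
    free(r1); free(r2);
    return ok;
}

/* The attack: send 5 bytes but claim 65535. The vulnerable handler replies
 * with 64 KB of adjacent memory, key included; the fixed one drops the message. */
static int attack_leaks_secret(void) {
    size_t n = 0;
    unsigned char *r = hb_vulnerable(make_record(0xFFFF), RECORD_LEN, &n);
    int leaked = r && n == 0xFFFF + 19 && contains(r, n, SECRET);
    free(r);
    return leaked;
}

static int fix_blocks_attack(void) {
    size_t n = 0;
    return hb_fixed(make_record(0xFFFF), RECORD_LEN, &n) == NULL;
}

int main(void) {
    printf("honest request served by both handlers: %s\n", honest_request_works() ? "yes" : "no");
    printf("vulnerable handler leaks the private key: %s\n", attack_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects the attack: %s\n", fix_blocks_attack() ? "yes" : "no");
    return 0;
}
```

Compile with `cc heartbeat_model.c && ./a.out`. The fix in OpenSSL 1.0.1g is the same shape as hb_fixed: it checks the claimed payload length against the length of the record that actually arrived and silently discards the message if it does not fit.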
Don’t panic!
So the first thing is to find out which of the internet services you log in to were running the vulnerable version of OpenSSL, because those are the sites that could have leaked. Although one can’t conclusively say what was taken in any given attack (the bug leaves no trace), it is reasonable for a site operator to assume their private keys have been compromised, and for a user to assume their passwords have. Change your passwords in an organised way, but only once a site has confirmed it has patched OpenSSL and replaced its certificate; a new password sent to a still-vulnerable server can be captured just like the old one.
How to stop the leak?
A fix has now been released (OpenSSL 1.0.1g, or a build with the heartbeat extension disabled), but it has to be deployed by your service providers. As long as the vulnerable version of OpenSSL is in use the bug can be abused. Patching alone is not enough: because the old private key may already have been copied out, the server should generate a new key, obtain a new certificate and revoke the old one, then invalidate existing sessions and ask users to change their passwords. Note that some Linux distributions backport the fix without changing the version number, so the output of “openssl version” alone can be misleading; check the package changelog, or the build date shown by “openssl version -a”, before concluding a server is safe.
Who can I get more help from?
There are a number of sources of technical information and nuance where you can get more information, and I have listed some below; however, if you want to talk to someone and make this as simple as possible to understand, you can contact me at ricks@transputec.com.
I can help you get a professional assessment of where you stand and options available to you.
If you’re more tech-savvy, I highly recommend reading the Heartbleed FAQ, which provides more information on the problem.
Sources: The Register, Ars Technica, Heartbleed