Warning! Read: "The biggest network security vulnerability in history was revealed in the last 24 hours. It's called "heartbleed." Everything you do for the next 24-48 hours will be viewable by random 3rd parties. Encrypted connections are not secure until this vulnerability is fixed. Billions will be affected. DO NOT LOG in to anything. DO NOT change any passwords. DO NOT say or do anything online that you would not want anonymous 3rd parties observing or copying. (This came from a reliable source in my family; he said it was okay to write on fb... or to read email from known sources as long as you observe the above "do nots.") Don't buy anything online today! Don't log into your bank account, etc.
OpenSSL "Heartbleed BUG" exposes passwords, Web site and Encryption Keys. Puts Encrypted Communication at Risk.
Hoax or Fact:
These messages, circulating heavily on the internet since early April 2014, warn people of a major network security flaw in OpenSSL called the "Heartbleed Bug". They claim the flaw can expose your passwords and websites and put your encrypted communication at risk. Yes, it is a fact.
What is Heartbleed Bug?
On April 7th 2014, a major new security vulnerability dubbed Heartbleed was disclosed after it was discovered by researchers working for Google and the security firm Codenomicon.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. SSL (Secure Sockets Layer), the predecessor of Transport Layer Security (TLS), is a protocol for encrypting information over the Internet. SSL/TLS provides communication security and privacy over the Internet for applications like the web, email, instant messaging (IM) and some virtual private networks (VPNs). This open-source library is used by the majority of websites that need to transmit data users want to keep secure. Describing the Heartbleed Bug, the website Heartbleed.com explains:
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
The Heartbleed Bug is serious; it is one of the biggest security vulnerabilities the Web has seen in years. Web servers can keep a lot of information in their active memory, such as user names, passwords, and the content users have uploaded to a service. The flaw has also made it possible for hackers to steal encryption keys, i.e. the secret values used to turn encrypted data back into readable information. According to the researchers, the Heartbleed Bug has been in OpenSSL for about two years, and worse, exploiting it does not leave a trace.
According to Netcraft.com, about 500,000 of the web's secure, trusted servers are running vulnerable versions of the software. It is also reported that a hacker or hackers used the Heartbleed bug to break into an employee virtual private network of an undisclosed 'Major Corporation'.
Are You Affected?
As the vulnerability has been in OpenSSL for about two years and exploiting it leaves no trace, it is likely that your accounts may be compromised. The Heartbleed website explains:
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.
To check whether a website is affected by Heartbleed, McAfee released a free tool. Note that this is not like a bug in some application that can quickly be updated: the vulnerability is in the machines that power services that transmit secure information, like Gmail and Facebook.
How to Protect Yourself?
After the Heartbleed Bug was discovered, a fixed version of OpenSSL was released, and many of the major websites have updated their servers to the newer version of OpenSSL that is not vulnerable to the bug. But as reported by Business Insider on 18th April 2014, there were still more than 20,000 websites vulnerable to the bug. Consumers can follow certain measures to protect themselves:
- Firstly, change the passwords of sensitive accounts/services like banks and email, where privacy or security is a major concern.
- Do not hesitate to reach out to small businesses that have your data and make sure they are secure.
- Do not log into accounts on affected sites until you are sure the company has patched the problem.
- Keep a close eye on your financial statements for the next few days, in case your accounts/services are exploited.
For more information and further updates on the Heartbleed Bug, follow the Heartbleed website.