If you’ve recently heard of the bug called “Heartbleed,” you may be somewhat familiar with what is being considered one of the most critical Internet vulnerabilities in history. The bug, which has set the World Wide Web ablaze, is a serious flaw in OpenSSL, software designed to provide communication security and privacy over the Internet. It compromises web security, allowing attackers to gain access to users’ passwords, eavesdrop on communications, steal data directly from online services and their users, and impersonate services and users. Known technically as CVE-2014-0160, it was reportedly discovered by engineers at the security firm Codenomicon, who in essence found what is considered to be one of the biggest security holes the Internet has ever seen. It has been established that the bug had existed for two years, even though it was only recently identified. The firm nicknamed the bug Heartbleed and within an hour put up the website heartbleed.com. A Washington Post blog, “Why is it called the ‘Heartbleed Bug’,” gives some technical information on the bug, OpenSSL, its interesting naming process and the actual branding with the now well-known Heartbleed symbol (pictured on this blog page). The blog also specifies how many times #Heartbleed had been tweeted, as I myself have tweeted it numerous times.
Major online enterprises such as Google, Yahoo, Facebook and Netflix all raced to implement defenses against the massive bug. Federal regulators, upon notification of Heartbleed, advised banks to protect their systems and implement measures to protect users’ account information. The other day I logged into my bank account to check my balance as well as change my password, as has been advised by security experts, and noticed a link, “Click here for more information about the Heartbleed security bug.” I did change the password anyway, not wanting to take any chances; however, it was good to see that my bank had immediately put in place defenses to protect against the potential threat. The statement did suggest that while no customer actions were necessary, they generally recommend changing online account passwords regularly.
An ABC News article reported that the IRS was not affected by the security hole. It also specified that TurboTax, considered the most popular online tax preparation software, issued a statement last Wednesday that their website was protected from Heartbleed. Google and Facebook were also named in the article concerning protection against the Heartbleed threat. According to the article, the microblogging and social networking site Tumblr issued stern advice to its users after installing the Heartbleed software patch. Nathaniel Couper-Noles, principal security consultant at Neohapsis Mobile and Cloud Security Services, stated that “It may take a considerable amount of effort and money to re-establish a nominal security level.” In the article, security experts advised people to change online passwords, which has become a common thread at this point.
A CNN Money article, “Heartbleed bug affects gadgets everywhere,” specified that the bug doesn’t just affect websites; it has also shown up in devices and technology that are used to connect to the Internet. Along with servers, routers and switches, video cameras on a network can be affected by it as well. Certain mobile devices also have the potential to be directly affected by it. It’s been reported that millions of Android devices have been found to be vulnerable to the Heartbleed bug; however, a Google online security blog article stated that “All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).” Heartbleed Detector is a free app download from the Play Store used to determine whether or not an Android device is vulnerable to the Heartbleed bug in OpenSSL. As for iOS devices, it was reported that they are immune to the bug, so those users can breathe a sigh of relief.
For more information on Heartbleed, you can read “What You Need to Know About Heartbleed, the New Security Bug Scaring the Internet.” Another very good article is “The Heartbleed Hit List: The Passwords You Need to Change Right Now,” which highlights a host of entities, including e-stores and commerce, financial institutions, social networking websites and more, that may or may not have been affected.
And as previously specified, change your passwords now if necessary, and change them regularly as a practice, both to safeguard any sensitive online financial information and to protect against any unknown access to online purchase or social networking websites. As for any AV/communications-related stories, I have read a couple already, so keep your eyes open for them.