“Heartbleed” security bug leaves two-thirds of the Internet exposed
Security firm Codenomicon and Neel Mehta of Google Security have recently discovered a major security flaw that affects 66% of the Internet. Officially known as “CVE-2014-0160,” but dubbed “Heartbleed,” the bug is a flaw in the OpenSSL security library that many popular websites use to encrypt valuable data, such as usernames and passwords. Yahoo, in particular, was one of the big websites vulnerable to this security issue.
The bug allows attackers to pull arbitrary chunks of a server’s memory. Not every chunk will contain anything useful, but because the request can be repeated, there’s potential for hackers to retrieve sensitive information such as the server’s encryption keys and use them to break the protection on valuable data. Although the bug was only recently discovered, the vulnerable code has existed for two years. It is impossible to know whether any hackers took advantage of the bug during this period of vulnerability.
The vulnerability affects only specific versions of OpenSSL (1.0.1 through 1.0.1f), and a fix has already been distributed. Some websites never upgraded to a vulnerable version in the first place. However, sites that were exposed may take a long time to fix, since system administrators have to patch each affected system manually.
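As an added illustration that is not part of the original article: the flaw sits in OpenSSL’s handling of the TLS heartbeat extension (RFC 6520), where a peer sends a payload and the server echoes it back. The vulnerable versions trusted the declared payload length instead of checking it against the bytes actually received, so a short message claiming a large length was answered with adjacent process memory. The Python below, written for this page, applies the same bounds check the fix added, as an inspection tool would, to constructed sample records.

```python
import struct

# TLS record framing and the heartbeat message layout from RFC 6520:
#   record:             content_type(1) version(2) length(2) fragment(length)
#   heartbeat fragment: type(1) payload_length(2) payload padding(>=16 bytes)
HEARTBEAT_CONTENT_TYPE = 24
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16


def check_heartbeat_record(record: bytes) -> dict:
    """Report whether a heartbeat request claims more payload than the
    TLS record actually carries. This is the bounds check the OpenSSL fix
    added: unpatched 1.0.1-1.0.1f trusted payload_length and copied that
    many bytes into the reply, reading past the real payload into memory."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    fragment = record[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field does not match data")
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"heartbeat": False, "malformed": False}
    if len(fragment) < 3:
        return {"heartbeat": True, "malformed": True}
    hb_type, payload_length = struct.unpack("!BH", fragment[:3])
    available = len(fragment) - 3  # bytes really present after the header
    return {
        "heartbeat": True,
        "request": hb_type == HEARTBEAT_REQUEST,
        "declared_payload": payload_length,
        "available": available,
        # the payload plus the mandatory 16 bytes of padding must fit
        "malformed": payload_length + MIN_PADDING > available,
    }


def flag_malformed(records) -> list:
    """Indexes of records that would trigger the over-read on an unpatched server."""
    return [i for i, r in enumerate(records) if check_heartbeat_record(r)["malformed"]]


# Constructed sample records (not captured traffic): a 5-byte payload "hello"
# with 16 bytes of padding, once with a truthful length and once claiming 16384.
BENIGN_HEARTBEAT = b"\x18\x03\x02\x00\x18" + b"\x01\x00\x05hello" + b"\x00" * 16
MALFORMED_HEARTBEAT = b"\x18\x03\x02\x00\x18" + b"\x01\x40\x00hello" + b"\x00" * 16
APPLICATION_DATA = b"\x17\x03\x02\x00\x03abc"

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_HEARTBEAT), ("malformed", MALFORMED_HEARTBEAT)]:
        print(name, check_heartbeat_record(rec))
    print("flagged:", flag_malformed([BENIGN_HEARTBEAT, APPLICATION_DATA, MALFORMED_HEARTBEAT]))
```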
So what should users do? Unfortunately, it depends on each site. Changing your password on a potentially vulnerable website gives you no added security until that website has patched the flaw. Check for official statements from the websites you frequent confirming that the Heartbleed bug has been patched, and only then change your password. If a website has not yet been fixed, avoid using it until a fix is in place.
There are online tools, such as this one, that test whether a site is currently vulnerable to the flaw.
For more information on the Heartbleed bug, check out http://heartbleed.com/.
By Alfredo Dizon, eParisExtra