News of the massive Heartbleed bug reverberated across the Internet last week, showing how easily people's online data could be accessed. This particularly nasty vulnerability, which can be used to pull usernames, passwords, and credit card details straight out of a server's memory, is said to have affected up to 500,000 websites, including Google, Facebook, Yahoo, and many more.
What is Heartbleed?
Heartbleed is a bug in OpenSSL's implementation of the SSL/TLS protocol. OpenSSL is an open source library that handles secure, encrypted communications for the majority of web servers. A server that supports encrypted connections, i.e. one that accepts addresses starting with https://, is affected only if it is built against OpenSSL 1.0.1 through 1.0.1f: the 1.0.1 branch, released in March 2012, was the first to include the heartbeat extension, and the older 1.0.0 and 0.9.8 branches never contained the code. Because 1.0.1 was the current stable release shipped by most Linux distributions, a very large number of sites were exposed. You can use the Heartbleed test website to see if a site is vulnerable to the exploit.
Without getting into the full technical details of what caused the Heartbleed bug (the Heartbleed website has all the info you might need), here is roughly how it works and what data it exposes. Heartbleed, official designation CVE-2014-0160, is a bug in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520), a keep-alive in which one side sends a small payload and the other side echoes it back. What matters is that the code believed the length field in the incoming heartbeat message and copied that many bytes into the reply without checking how many bytes had actually arrived (in coder speak, it lacked bounds checking). The length field is 16 bits, so a single crafted heartbeat makes the server send back up to roughly 64KB of whatever happens to sit in its memory just after the request: session cookies, passwords, or fragments of the private key. The attacker only gets one such block per request, but he can keep sending requests until he has gathered all the data he needs. The same flaw exists on the client side, so a malicious server can read memory out of a vulnerable client as well.
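The over-read, as an added illustration that is not code from the original post or from OpenSSL itself: a simplified model of the heartbeat handler with and without the bounds checks that 1.0.1g added. The arena buffer, the constructed "password=hunter2" secret, the record_t type and the function names are all assumptions made for the demo; a real heap is not this tidy, which is exactly why each leaked 64KB block is a lucky dip rather than a targeted read.

```c
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat: type(1) | payload_length(2) | payload | padding(>=16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3
#define HB_PADDING  16

/* Simulated process memory, constructed for the demo: the received record sits at the start
 * and a made-up secret lives further along, as on a real heap. One array keeps the over-read
 * well defined instead of undefined behaviour. */
static unsigned char arena[4096];
static unsigned char reply[4096];   /* reply buffer used by the checks at the bottom */
typedef struct {
    const unsigned char *data;      /* start of the received record (inside arena) */
    size_t length;                  /* bytes that actually arrived on the wire */
} record_t;

/* Emit type | length | echoed payload | zero padding. Identical in both handlers. */
static int write_reply(unsigned char *out, const unsigned char *p, uint16_t payload)
{
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR, p, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Modelled on the pre-1.0.1g logic: the length field from the network is believed. */
static int heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]); p += 2;   /* attacker-controlled, up to 65535 */
    if (type != HB_REQUEST || (size_t)HB_HDR + payload + HB_PADDING > out_cap)
        return -1;                                /* the out_cap guard is demo-only */
    /* BUG: nothing compares 'payload' with rec->length before the copy. */
    return write_reply(out, p, payload);
}

/* Same handler with the two checks that 1.0.1g added. */
static int heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap)
{
    if (rec->length < (size_t)(HB_HDR + HB_PADDING))  /* too short even for an empty payload */
        return -1;                                    /* silently discard */
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]); p += 2;
    if ((size_t)HB_HDR + payload + HB_PADDING > rec->length)  /* claims more than arrived */
        return -1;                                            /* silently discard */
    if (type != HB_REQUEST || (size_t)HB_HDR + payload + HB_PADDING > out_cap)
        return -1;
    return write_reply(out, p, payload);          /* copy now stays inside the record */
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);                    /* memmem is a GNU extension, so search by hand */
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Build a request carrying ONE real payload byte whose length field claims 'claimed'. */
static record_t build_request(uint16_t claimed)
{
    memset(arena, 'A', sizeof arena);
    memcpy(arena + 64, "password=hunter2", 16);   /* constructed secret, not part of the request */
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    arena[3] = 'x';
    memset(arena + 4, 0, HB_PADDING);
    record_t rec = { arena, HB_HDR + 1 + HB_PADDING };  /* only 20 bytes really arrived */
    return rec;
}

int vulnerable_leaks_secret(void)                 /* 1: the reply carries a secret never sent */
{
    record_t rec = build_request(200);
    int n = heartbeat_vulnerable(&rec, reply, sizeof reply);
    return n > 0 && contains(reply, (size_t)n, "password=hunter2");
}

int fixed_discards_oversized(void)                /* 1: the same request is silently dropped */
{
    record_t rec = build_request(200);
    return heartbeat_fixed(&rec, reply, sizeof reply) == -1;
}

int fixed_answers_honest(void)                    /* 1: an honest one-byte heartbeat still works */
{
    record_t rec = build_request(1);
    int n = heartbeat_fixed(&rec, reply, sizeof reply);
    return n == HB_HDR + 1 + HB_PADDING && reply[0] == HB_RESPONSE && reply[3] == 'x';
}
```

The attacker sends 20 bytes but claims a 200-byte payload; the vulnerable handler dutifully copies 200 bytes starting at the request and so returns the secret that was sitting 64 bytes into memory. The fixed handler compares the claimed length with the number of bytes that actually arrived and drops the message without replying, which is why a patched server simply goes quiet when probed.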
How can you protect yourself (and your servers)?
If you're a server admin: The Heartbleed bug has been patched in version 1.0.1g of OpenSSL. If the updated package isn't available for your distro yet, recompiling OpenSSL with the compile-time option -DOPENSSL_NO_HEARTBEATS will also mitigate the bug. Be aware that distributions usually backport the fix without changing the version string, so check the package changelog rather than trusting the output of openssl version. Patching the library is not the end of it, either: every process that loaded the old copy (web servers, mail servers, VPN daemons) has to be restarted, and since the server's private key may already have been read out of memory, you should generate a new key, reissue the certificate, revoke the old one, and invalidate existing sessions so that users reset their passwords on a clean server.
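Two admin-side checks, as an added example that is not taken from the original post or from the OpenSSL project: one classifies an openssl version string against the affected range, the other lists processes that still map a deleted libssl after the package upgrade (i.e. the ones that missed their restart). The function names are this example's own; the version strings used in the usage line are whatever the local system reports.

```shell
#!/bin/sh
# Classify the output of `openssl version`. 1.0.1 through 1.0.1f are vulnerable
# (heartbeats are enabled by default); 1.0.1g fixes it; 1.0.0 and 0.9.8 never had
# the code; 1.0.2-beta1 was affected and 1.0.2-beta2 fixed it.
# Caveat: distro builds patch in place and keep the old string (Debian wheezy stayed
# at "1.0.1e"), so for packaged OpenSSL trust the package changelog, not this.
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo vulnerable ;;
        1.0.1*|1.0.2*)                echo patched ;;
        1.0.0*|0.9.8*)                echo not-affected ;;
        *)                            echo unknown ;;
    esac
}

# After upgrading the package, print PIDs that still map a deleted libssl: those
# processes loaded the old copy and stay vulnerable until restarted.
# Linux only; reading other users' /proc/PID/maps requires root.
stale_libssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            printf '%s\n' "$maps" | cut -d/ -f3
        fi
    done
}

# Usage: classify the local build, then look for processes that missed the restart.
heartbleed_version_status "$(openssl version 2>/dev/null || echo 'OpenSSL unknown')"
stale_libssl_pids
```

For a remote host, a quick precondition check is whether the server even advertises the extension: openssl s_client -connect host:443 -tlsextdebug </dev/null 2>&1 | grep -i heartbeat prints a "heartbeat" server extension line if it does. No heartbeat extension means no exploit, but its presence alone does not prove the server is unpatched.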
If you're a web surfer: The short and rather unpleasant answer is, there isn't much you can do to protect yourself from Heartbleed. If a website requires you to log in (to post a comment, to check your email), there is a good chance that hackers have had two years to glean your password from the server's memory: the bug shipped in OpenSSL 1.0.1 in March 2012. The problem is made worse by the fact that exploitation leaves no trace in ordinary server logs, so there is no way of telling whether a given password or encryption key has been exposed. Changing your password is the right response, but only once the site has patched and replaced its certificate; a new password typed into a still-vulnerable server can be stolen just like the old one.
The Heartbleed bug will cause ripples for years to come, and in the short term possibly a tsunami of high-profile hacks as well, unless big websites move very quickly indeed. Following the bug's public disclosure on April 7, there has already been a marked increase in the number of users reporting hijacked accounts. If a hacker manages to extract the private key behind a high-profile target's certificate, say a bank or a government site, which is possible because the key lives in the same process memory the bug reads from, he can impersonate that site to its users and, where the site was not using forward-secret cipher suites, decrypt any of its past traffic he has recorded. There is almost no limit to the damage that could do. All because of a missing bounds check in a few lines of OpenSSL.
Shocking: "The NSA knew about and exploited the Heartbleed bug for 'at least two years'"
According to Bloomberg, the USA's National Security Agency knew about the Heartbleed bug "for at least two years"; the NSA and the Office of the Director of National Intelligence promptly denied the report. Robin Seggelmann, the developer who wrote the heartbeat code at the end of 2011 (it was reviewed by another OpenSSL core developer and first shipped in OpenSSL 1.0.1 in March 2012), says the missing check was an honest mistake. It's entirely possible that he's telling the truth, and there is no evidence to the contrary; it's also conceivable, as some have speculated, that the NSA paid him to create the bug, or, more nefariously, hacked his computer and introduced the bug without his knowledge.
Posted by Anurag