Everything you need to know about “Heartbleed” Bug

News of the massive Heartbleed bug reverberated across the Internet last week showing how easily people’s online data could be accessed. This particularly nasty vulnerability — which has the capability to potentially extract people’s usernames, passwords, and credit card information — is said to have affected up to 500,000 Web sites, including Google, Facebook, Yahoo, and many more.

What is Heartbleed?


Heartbleed is a bug in OpenSSL’s implementation of the SSL/TLS protocol. OpenSSL is an open source library that manages secure, encrypted communications for the majority of online web servers. If the server supports encrypted communications — i.e. it accepts addresses that start with https:// — then there’s a good chance that it’s vulnerable to Heartbleed. You can use the Heartbleed test website to see if a site is vulnerable to the exploit.

Without getting into the technical details of what caused the Heartbleed bug in the first place (the Heartbleed website has all the info you might need), I’ll tell you roughly how it works and what data it exposes. Heartbleed, official designation CVE-2014-0160, is a bug in OpenSSL’s heartbeat extension. It isn’t important to know what this extension does, only that it was poorly coded (in coder speak, it lacked bounds checking: the server trusted the length field the peer sent instead of checking it against how much data had actually arrived). This bug can be exploited by a hacker to read blocks of 64KB from the server’s RAM. The hacker can only grab one 64KB block at a time, but he can keep going back for more until he’s gathered all the data he needs.
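To make the “lacked bounds checking” point concrete, here is a small model of a heartbeat record handler written for this article (illustrative code, not OpenSSL’s source). It places a heartbeat request inside a constructed block of “server memory” whose header claims more payload than was actually sent, then shows the unchecked handler echoing back the adjacent bytes, and the hardened handler, which has the shape of the 1.0.1g fix, discarding the record instead. The record layout follows RFC 6520; the payload sizes, the secret string and the function names are constructed for the demo, and the claimed length is kept small so the copy stays inside the array.

```c
#include <stdio.h>
#include <string.h>

/*
 * Minimal model of the TLS heartbeat record (RFC 6520) that Heartbleed mishandled.
 * Wire layout:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Illustrative code written for this article, not OpenSSL source.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HDR_LEN   3

/*
 * Constructed "server memory": a heartbeat request whose header claims 31
 * payload bytes but whose sender actually transmitted only 4 ("ping"),
 * followed by unrelated data that must never leave the process.
 * The real bug let a peer claim up to 65535 bytes; the claim here is kept
 * small so the copy stays inside this array and the demo is well-defined.
 */
static unsigned char server_memory[] = {
    HB_REQUEST,            /* type */
    0x00, 0x1F,            /* claimed payload_length = 31 */
    'p', 'i', 'n', 'g',    /* the 4 bytes actually sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', 0 /* adjacent memory (constructed) */
};
#define RECORD_LEN_ON_WIRE (HB_HDR_LEN + 4 + HB_PADDING)  /* 23 bytes actually received */

/* Well-formed request: the header agrees with what was sent. */
static const unsigned char valid_record[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Build the response: type, length, echoed payload, zero padding. */
static int build_response(const unsigned char *payload, size_t payload_len,
                          unsigned char *out, size_t out_cap)
{
    if (HB_HDR_LEN + payload_len + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xFF);
    memcpy(out + HB_HDR_LEN, payload, payload_len);
    memset(out + HB_HDR_LEN + payload_len, 0, HB_PADDING);
    return (int)payload_len;
}

/* Vulnerable pattern: trusts the peer's payload_length and never compares it
 * with record_len, the number of bytes that actually arrived. */
int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                         unsigned char *out, size_t out_cap)
{
    (void)record_len;  /* the length that should be checked is ignored */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    return build_response(rec + HB_HDR_LEN, claimed, out, out_cap);
}

/* Hardened pattern: discard the record if header + claimed payload + minimum
 * padding would exceed what was received (the shape of the 1.0.1g fix). */
int heartbeat_patched(const unsigned char *rec, size_t record_len,
                      unsigned char *out, size_t out_cap)
{
    if (record_len < HB_HDR_LEN + HB_PADDING)
        return -1;                       /* too short to hold a header and padding */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + claimed + HB_PADDING > record_len)
        return -1;                       /* silently discard, as the fix does */
    return build_response(rec + HB_HDR_LEN, claimed, out, out_cap);
}

/* Returns 1 if the echoed payload contains the constructed secret. */
int response_leaks_secret(const unsigned char *out, int payload_len)
{
    if (payload_len < 0) return 0;
    const unsigned char *p = out + HB_HDR_LEN;
    for (int i = 0; i + 10 <= payload_len; i++)
        if (memcmp(p + i, "SECRET-KEY", 10) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char out[128];
    int n = heartbeat_vulnerable(server_memory, RECORD_LEN_ON_WIRE, out, sizeof out);
    printf("vulnerable: echoed %d bytes, leaks secret: %d\n", n, response_leaks_secret(out, n));
    n = heartbeat_patched(server_memory, RECORD_LEN_ON_WIRE, out, sizeof out);
    printf("patched: result %d (negative = record discarded)\n", n);
    n = heartbeat_patched(valid_record, sizeof valid_record, out, sizeof out);
    printf("patched, well-formed request: echoed %d bytes\n", n);
    return 0;
}
```

The only difference between the two handlers is the single comparison against record_len; everything that matters about Heartbleed follows from its absence, which is also why a server never sees anything unusual in its logs: the malformed request is answered like any other.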

How can you protect yourself (and your servers)?

If you’re a server admin: The Heartbleed bug has been patched in version 1.0.1g of OpenSSL. If the updated package isn’t available for your distro yet, recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS option (which disables the heartbeat extension entirely) will also mitigate the bug.

If you’re a web surfer: The short and rather unpleasant answer is, there isn’t much you can do to protect yourself from Heartbleed. If a website requires you to log in (to post a comment, to check your email) there is a good chance that hackers have had two years to glean your password from the server’s memory. The bug is exacerbated by the fact that it leaves no trace in log files, so there’s no way of telling if a password or encryption key has been exposed.

The Heartbleed bug will cause ripples for years to come — and in the short term, possibly a tsunami of high-profile hacks as well, unless big websites move very quickly indeed. Following the bug’s public disclosure on April 7, there has already been a marked increase in the number of users reporting hijacked accounts. If a hacker manages to obtain the security certificates for a high-profile target, like a bank or government — which is a very likely possibility — there’s almost no limit to the amount of damage that could be done. All because of a sloppy bit of coding by the OpenSSL team.

Shocking: “The NSA knew about and exploited the Heartbleed bug for ‘at least two years’”

According to Bloomberg, the USA’s National Security Agency knew about the Heartbleed bug “for at least two years.” Robin Seggelmann, who introduced the bug around two years ago, claims he did so unintentionally. It’s entirely possible that he’s telling the truth — but it’s also possible that the NSA paid him to create the bug, or more nefariously, hacked his computer and introduced the bug without his knowledge. 

Anurag

Engineer by responsibility and Blogger by choice, Hi I am Anurag Ajmera from Ajmer (by birth) and living in Karnal and Delhi NCR for the last 20 years of my 24 years of life. Passionate about trekking, coding and discovering. I love to meet new people and do sketching in my spare time. Hard on my principles and soft on my skills I love to play football. Vegetarian by force I have respect for nature and its beauty.