Whether you work in the world of digital security or not, you have probably heard about the ominous heartbleed bug. Maybe you saw it screeching across your television screen during the nightly news or perhaps your network administrator sent out some warning emails about the bug, asking you to change your passwords. No matter what you have heard, the reality is that heartbleed is not a simple computer virus – it's a security flaw that hackers can take advantage of to gain valuable information from some very scary places. In this article, we are going to look at this devastating bug to better understand it.
What is the Heartbleed Bug
The heartbleed bug has many implications for digital security professionals and laymen alike. Even though it has only recently been mentioned in the general public, the heartbleed bug has been around for over two years, giving potential exploiters plenty of time to take advantage of it.
The bug is a flaw in what is known as OpenSSL, an open-source encryption standard (SSL stands for secure socket layer), that is used by pretty much every website. The standard is used for transmitting secure data for a number of purposes – anything from e-mail and chat to Facebook and more.
The heartbleed bug gets its name from the way hackers can exploit the flaw; basically, when two computers try to communicate over a network, one computer will occasionally send out a "heartbeat" or packet of data to see if a connection is still in place.
Malware can take advantage of this flaw by mimicking this "heartbeat" and tricking the other computer to send data it has stored in memory.
Complicating matters and making things even worse is the fact that there is no way to trace whether the flaw has been used or not.
What Types of Data Could Be Compromised
Unfortunately, there is vast amount of information that can be retrieved via the heartbleed bug, including passwords, usernames, any content you may have uploaded (think images, blog posts, and so forth), and even credit card numbers or banking information.
On top of this, hackers are able to uncover encryption keys from the same flaw, meaning they are able to take your encrypted data and un-encrypt it, making it readable.
Aftermath of the Heartbleed Bug
Considering that this flaw has been around for two years and its public discovery was fairly recent, it is hard to properly gauge its effect on digital security or weigh-in on the aftermath, as the damage will likely continue to add up, despite the fact that many large companies have already patched the vulnerability.
Complicating the matter, as stated above, is the fact that the flaw makes it so that any exploit taking advantage of it is undetectable, meaning it is not always possible to know if there was a breach or not.
Suffice it to say, if you use any website such as Yahoo, Gmail, Facebook, Twitter, online banking – any website that may contain sensitive data – you should change your passwords, at the very least. Make sure you have strong passwords (you can find tips for creating strong passwords online) and monitor your bank account and credit cards for any suspicious activity.
If you run a website and have not yet fixed the vulnerability, quit reading this article and go check out Codenomicon's Heartbleed Vulnerability Checker. The scanner was created by one of the security firms responsible for finding the flaw and bringing it to the public's attention.
For an interesting take on how word spread so quickly about the heartbleed bug, check out this Mashable article on how the heartbleed bug became a security superstar.