Making waves in the Internet security community is the discovery of the Heartbleed bug, a serious vulnerability that allows hackers to steal personal information that is normally protected by OpenSSL encryption. OpenSSL provides security for Web applications, email, instant messaging and some virtual private networks. According to Internet security services provider Netcraft, about half a million trusted websites are vulnerable to the bug.
The bug allows anyone on the Internet to read the memory of any application or website that uses a vulnerable version of OpenSSL. Hackers can exploit the vulnerability to steal proprietary data, including:
- Encryption keys, which can be used to decrypt protected information
- User credentials (username and password, etc.)
- Personal information, such as financial details, private emails or anything else worth encrypting
Are You Affected?
Chances are this affects you in one way or another. OpenSSL is the most popular cryptographic library in use on the Internet, so it is likely that you use several websites that may have this vulnerability. Unfortunately, websites using the most current versions of OpenSSL (versions 1.0.1 through 1.0.1f) are the ones most likely to be at risk. Earlier versions are not vulnerable.
Businesses, How Can You Fix the Problem?
OpenSSL has issued a fix for the Heartbleed bug. System administrators, or others who handle the infrastructure and web server on which your site runs, should update OpenSSL to version 1.0.1g immediately. The update can be found at www.openssl.org. It is also good practice to notify your customers that you have reacted quickly to fix the vulnerability.
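For administrators deciding which servers need the update, the following is an added example (not part of the original article or of any OpenSSL tooling) that classifies `openssl version` output against the version range given above. The function names, result labels and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OpenSSL version strings using the range stated in
# this article (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, earlier
# releases not vulnerable). Names and labels here are hypothetical.

classify_openssl_version() {
    # Accept a bare version ("1.0.1e") or full `openssl version` output
    # ("OpenSSL 1.0.1e 11 Feb 2013"): drop the prefix and the build date.
    ver=$(printf '%s\n' "$1" | sed -e 's/^OpenSSL[[:space:]]*//' -e 's/[[:space:]].*$//')
    # Drop vendor suffixes such as "-fips" before comparing.
    base=${ver%%-*}
    case "$base" in
        1.0.1|1.0.1[a-f]) echo "vulnerable" ;;
        1.0.1[g-z])       echo "fixed" ;;
        0.*|1.0.0*)       echo "not-affected" ;;
        *)                echo "unknown" ;;   # outside what the article covers
    esac
}

# Constructed sample inventory: "<host> <openssl version output>" per line.
SAMPLE_INVENTORY='web01 OpenSSL 1.0.1e 11 Feb 2013
web02 OpenSSL 1.0.1g 7 Apr 2014
mail01 OpenSSL 0.9.8y 5 Feb 2013
vpn01 OpenSSL 1.0.1 14 Mar 2012
app01 OpenSSL 1.0.2-beta1 24 Feb 2014'

# Print the hosts whose reported version falls in the vulnerable range.
hosts_needing_update() {
    printf '%s\n' "$1" | while read -r host rest; do
        [ -n "$host" ] || continue
        if [ "$(classify_openssl_version "$rest")" = "vulnerable" ]; then
            echo "$host"
        fi
    done
}

# To check the local machine instead of the sample data:
#   classify_openssl_version "$(openssl version)"
hosts_needing_update "$SAMPLE_INVENTORY"
```

Operating system vendors often backport security fixes without changing the version letter, so a "vulnerable" result for a packaged build should be confirmed against the vendor's own advisory.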
What Should You, Friends and Family Do?
- Don’t rush to change all your passwords. If an affected website hasn’t implemented updates yet, changing your password can make it easier for a hacker to obtain your information. Wait to change passwords until you either receive a confirmation email or you know for sure that the site has upgraded its software to fix the bug.
- Test the sites you frequent to see if the bug has been fixed.
- The Heartbleed bug is another reason to pick strong passwords and use two-factor authentication wherever possible. These methods won’t necessarily protect you from a Heartbleed vulnerability, but they increase the overall security of your information now and in the future.