No doubt you’ve heard about the Heartbleed bug affecting countless websites and devices over the past week. Reports of the bug are many, yet information about how it works and what you can do to protect yourself can be difficult to extract from the widespread media response. Here we’ll take a brief look at what Heartbleed is, how it works, and what you can do.
Not a virus, not a breach… so what’s in a bug?
Some of the confusion around Heartbleed is related to the semantics of computer security. If you have owned a personal computer in the last decade, you’re likely familiar with computer viruses that affect your computer’s performance by embedding themselves in your device’s operating system (e.g. Windows, OS X, etc.). Major data breaches have also made it to the front page of news outlets more frequently in recent years as hackers target user information stored online. In December 2013, Target announced a breach where millions of credit card numbers were stolen. Sony had a similar breach back in April of 2011 where over 77 million accounts were compromised.
Heartbleed is neither a virus, nor a major breach. Unlike a virus, there was no software written with malicious intent. Likewise, unlike a major breach, this was not a planned, organized effort to gain access to information. It is simply a flawed piece of code in OpenSSL: a programming mistake, not an attack.
SSL stands for Secure Sockets Layer, a computing protocol designed to encrypt and protect information. This technology was developed so that information could be sent and received privately, without tampering. OpenSSL is just one implementation of SSL (and its successor, TLS), and it can be used to protect data transmission on websites, email servers, chat servers, virtual private networks (VPNs), and more. You may notice a lock icon followed by https:// in your web browser’s address bar when you visit an encrypted website. The s is short for secure, and both signify that the connection is encrypted. Not all websites use encryption, and not all websites employ OpenSSL to achieve encryption. Still, roughly half a million websites use the OpenSSL version that is vulnerable to the Heartbleed bug according to Netcraft’s April 2014 Web Server Survey.
What’s the danger?
So where exactly does this vulnerability occur in OpenSSL? That is as humorous as it is terrifying. Here’s the vulnerable code: “memcpy(bp, pl, payload);”
Did you catch that? Let’s look a little closer.
Heartbeat to heartbleed
Heartbeat is a term used to describe a connection check done between a server and a client. For context, imagine you are connecting to a server (e.g. a website). The client (you!) will send a heartbeat message to the website, and the website will send it back to you. This response notifies the client (again, that’s you) that the connection is still open and functional. The heartbeat message is useful because it keeps data from being sent over a connection that has already been lost, and lets unnecessary connections be closed.
If you look again at the vulnerable code “memcpy(bp, pl, payload);” that’s the heartbeat: the server copies the message it received into the response it sends back. The catch is that payload is the length of the message as claimed by the sender, and the server copies that many bytes without checking that the message it actually received was really that long. If the claimed length is larger, the copy keeps going into whatever else happens to sit in the server’s memory (e.g. usernames, passwords, and other information that was supposed to stay encrypted). That means a hacker could send the common heartbeat message to a website you’ve visited in the past and exploit the Heartbleed bug to pull back extra data, data that could contain your sensitive information!
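To make that one line concrete, here is an added, simplified C model of the heartbeat handler (it is not OpenSSL’s code; the function names, the 20-byte request and the “SECRET-VALUE” neighbour data are all constructed for the demonstration). The unchecked copy echoes bytes that sit next to the request in memory, while the length check the fix introduced drops the same request and still answers a well-formed one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };
/* Simplified server-side heartbeat handler (a model, not OpenSSL's code).
 * rec/rec_len: the record body the client really sent and its true length.
 * check_bounds: 0 = unpatched logic, 1 = with the fix's length check. Returns the response size, or 0 if dropped. */
static size_t heartbeat(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, int check_bounds)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]); /* length the CLIENT claims */
    const unsigned char *pl = rec + 3;                      /* start of the payload */
    if (rec[0] != HB_REQUEST) return 0;
    /* The fix: drop the request if the claimed payload cannot fit inside
     * the record that was actually received. */
    if (check_bounds && (size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)payload;
    memcpy(bp, pl, payload);              /* the line the post quotes */
    memset(bp + payload, 0, HB_PADDING);  /* real code uses random padding */
    return 3 + (size_t)payload + HB_PADDING;
}
/* Constructed memory image: a 20-byte request (type, 2-byte length, one
 * payload byte 'A', 16 bytes padding) whose header claims 30 payload bytes,
 * followed by unrelated data that merely sits next to it in memory. */
#define RECORD_LEN 20
static const unsigned char image[] = {
    0x01, 0x00, 0x1e, 'A', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'V', 'A', 'L', 'U', 'E', '-', 'X', 'Y', 'Z'
};
/* How many bytes of the neighbouring data end up echoed in the response. */
static size_t leaked_neighbor_bytes(int check_bounds)
{
    unsigned char out[128];
    if (heartbeat(image, RECORD_LEN, out, check_bounds) == 0) return 0; /* rejected */
    size_t payload = (size_t)((out[1] << 8) | out[2]);
    size_t end = 3 + payload;                 /* image offset just past the copied bytes */
    if (end <= RECORD_LEN) return 0;
    size_t leaked = end - RECORD_LEN;
    return memcmp(out + end - leaked, image + RECORD_LEN, leaked) == 0 ? leaked : 0;
}
/* A well-formed request (claims 1 byte, really carries 1) is still answered. */
static size_t legit_response_len(void)
{
    static const unsigned char req[20] = { 0x01, 0x00, 0x01, 'A' };
    unsigned char out[64];
    return heartbeat(req, sizeof req, out, 1);
}
```

Run unpatched, the model echoes 13 bytes of the neighbouring data; with the check in place it returns nothing for the malformed request and a normal 20-byte response for the honest one.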
What should I do?
It is recommended that you change your password on affected sites after they have been patched. Changing your password does not address the underlying vulnerability, so be sure websites have implemented the fix before you make the change.
Mashable has compiled a useful “hit list” of popular sites where you can verify whether or not you should change your password. Additionally, LastPass has created a tool where you can input a website URL for vulnerability assessment.
You can also review UCSF’s Heartbleed bug information where they mention UCSF MyChart, Mail@UCSF, and MyAccess sites are not vulnerable.
Is my phone or tablet affected?
Apple released a statement last Thursday that they are not employing OpenSSL as the method of authentication for their iOS and OS X platforms, or other “key web services.” You do not need to change your Apple ID password unless you use the same password for another service that may have been compromised.
Google’s Android operating system has not employed OpenSSL since version 4.1.1, but Google web services which require login (Gmail, Google Docs, etc.) were vulnerable to the bug. You should change your Google account password. Additionally, if you are running Android version 4.1.1, you should check if an update is available for your device.
So many passwords! How to keep track?
We all know the rules. Don’t use the same password twice, make them complex, and change passwords frequently. In the real world, managing so many passwords is incredibly difficult. Remembering these passwords on the go with your mobile device is that much harder.
There are, however, several password managers available that can help with this daunting task. The aforementioned LastPass is a very popular web-based password manager with free and premium options available. The premium option gives access to mobile applications at $12 a year. My personal favorite, KeePass, is an open-source application available on most platforms. You can gain mobile access to your KeePass encrypted database by hosting it with a cloud storage provider like Box, Dropbox, Google Drive, etc. LastPass, KeePass, and other password managers can help keep you safe by storing unique, complex passwords in a secure place.
The Heartbleed official site is http://heartbleed.com, and you can find some less technical information in this overview at Gawker’s Non-Geek’s Guide. WIRED also has an eye-opening review of how this happened and the lesson we should learn from it. Be safe out there, folks.