
Heartbleed bug causes massive security scare

What happened?
A serious security flaw was uncovered that affects huge swathes of the internet, including many services you’re likely to use. The so-called Heartbleed bug is a flaw in a system called OpenSSL (www.openssl.org), a library that’s used to provide encryption across the web. A version of it has a small and simple flaw that’s been called “catastrophic” by one security guru, because it leaks a small slice of a web server’s memory. This can include usernames, passwords, credit card details and even encryption keys.
A hacker could potentially use this data to access any ‘secure’ system, including banking, shopping and email services, which is supposed to be protected by OpenSSL.

The flaw has existed for more than two years, but was only recently discovered. It’s not yet known if any hackers have been using it to steal user data, because taking advantage of the flaw leaves no traces on a system.
The widespread and subtle nature of the vulnerability has led some to speculate that it was inserted into OpenSSL by security services, an unsurprising belief after the NSA leaks. However, the open-source developer responsible for the error in the code has come forward to say it was nothing more than an honest mistake – though that doesn’t mean that security agencies haven’t been exploiting the bug since 2012.
OpenSSL is used widely across the web, but also appears in operating systems – including the most recent long-term support version of Ubuntu – and hardware, such as routers and modems. Annoyingly, it’s very difficult to find out if your router is affected, and you’ll have to wait for your device’s manufacturer to patch the bug.
Because so many devices are connected these days, such flaws will only get more dangerous.

How will it affect you?
Many major sites have been affected, including Gmail and other Google services, Yahoo, Dropbox and even secure password manager LastPass, although most had other layers of encryption in place to protect user data. Sadly, there’s little any individual can do about Heartbleed. For affected web systems, the company running the site needs to install the patch and renew any security certificates. Many sites were warned before the flaw was taken public, so had rolled out the fix before we even knew about it. Others have had to rush to do it after the world was notified.
Once the flaw has been patched, users must reset their passwords. However, there’s little point in doing it beforehand, unless you’ve been using the same password and similar login details across different web sites. If you have, and a hacker has uncovered your password on one Heartbleed-affected site, they can then try it on other sites – potentially finding success. You can check if a website hasn’t yet fixed the bug using the ‘Heartbleed test’ at http://filippo.io/Heartbleed. However, if a site comes up as safe, keep in mind it might only recently have been fixed.
This security scare means your inbox is likely to fill up with password-reset emails. Read them carefully and go directly to the site to log in, rather than clicking any links in the messages, to avoid being caught out by a phishing email.

What do we think?
This massive flaw has garnered a lot of headlines, and with good reason. It highlights that the internet is still very much based on trust: we and web companies assume something is secure until proven otherwise. Heartbleed and flaws like it show that this is often not the case.
This is why good password management is so important for web users. It gives us an extra layer of protection when web firms and hardware makers let us down.
On the other hand, we need them to do a better job of examining systems such as OpenSSL. It was created via open source, meaning the developer who made the mistake that led to Heartbleed was working on his own time, unpaid. There’s nothing inherently wrong with that, but we wonder how many major tech firms really put enough support – through developer time or money – into the open-source projects they depend so heavily on. Either way.

The post Heartbleed bug causes massive security scare appeared first on Cloud Media News.

