Heartbleed Security Flaw: 10 Fast Facts You Need to Know

heartbleed, heart bleed security flaw, cybersecurity, cyber attack, heartbleed openssl,

(Getty)

An Internet security flaw known as Heartbleed may be putting your personal information at risk. Here’s what you need to know to understand this new security threat.

UPDATE: According to a June 23 report from PC Mag, over 300,000 servers are still vulnerable to Heartbleed.


1. Heartbleed Could Affect 2/3 of All Web Servers

CNN explains that the Heartbleed vulnerability could be putting the passwords, financial information, and even private emails of the average person at risk of exposure to hackers.

CNN notes:

“Heartbleed is a flaw in OpenSSL, an open-source encryption technology that is used by an estimated two-thirds of Web servers. It is behind many HTTPS sites that collect personal or financial information. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they’re sending online is hidden from prying eyes.

Cybercriminals could exploit the bug to access visitors’ personal data as well as a site’s cryptographic keys, which can be used to impersonate that site and collect even more information.”


2. You Have Almost Certainly Been Affected by Heartbleed

This detailed FAQ about Heartbleed explains just how widespread the Heartbleed problem is. The FAQ states:

“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL…

Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most.”

Experts state that changing all your website passwords immediately is a good first step towards protecting yourself from people exploiting Heartbleed. However, some experts believe that changing your passwords may not be enough to fully protect you, particularly if the site you are on hasn’t yet fixed its Heartbleed problem.


3. It Is Impossible to Know Whether You’re Affected

The Heartbleed FAQ cited above adds: “Exploitation of this bug leaves no traces of anything abnormal happening to the logs.” It is extremely difficult, if not impossible, to detect whether your data has been exposed through Heartbleed. This means it is equally unlikely that you can trace anyone who has stolen your data through Heartbleed.


4. Security Firm Codenomicon Discovered Heartbleed

CNET reports that security firm Codenomicon discovered the Heartbleed flaw. They were assisted by Google researcher Neel Mehta.

CNET adds that cryptography consultant Filippo Valsorda has published a tool that lets people check Web sites for Heartbleed vulnerability, which can be accessed here. CNET notes Google, Microsoft, Twitter, Facebook, Dropbox, Imgur, OKCupid, and Eventbrite were all found vulnerable by the tool.


5. There Is a Fix for Heartbleed

The video above from Tom Scott offers a non-technical breakdown of Heartbleed.

OpenSSL is aware of the Heartbleed vulnerability. In a brief statement on their site, OpenSSL states:

“Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1…

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.”


On the next page, we’ve got even more crucial info on this terrible vulnerability…including how it might affect your taxes this year.