What To Do About The Heartbleed Bug

April 17, 2014

Written by wukovits


The technology sector was recently shaken by the discovery of the Heartbleed Bug, a serious Internet security vulnerability. It affects nearly everyone who has some sort of online account, so it is important to understand the issue and to take a smart approach to protecting yourself.

The Heartbleed Bug is a weakness affecting the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which provide secure Internet transactions between web browsers and web servers. Almost any time you provide login information for a website, that website’s server is using SSL/TLS encryption to provide communication security and privacy for your login information. Many websites use the OpenSSL cryptographic software library for this, and the security hole lies in that library.

When a web browser and a web server are passing data back and forth, they “check” to see if the other computer is still available by sending a small packet of data, or a “heartbeat”, which is then confirmed by the other machine. The Heartbleed Bug allows hackers to send a false packet of data which fools the other machine into sending data stored in memory, which could provide the hackers with access to quite a bit of sensitive login information.
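The heartbeat exchange described above, reduced to the length check that Heartbleed was missing. This is an added illustration in C, not OpenSSL's code or anything from the original article; the message layout follows the TLS heartbeat extension (RFC 6520), while the function names, the 64-byte simulated memory and the secret string are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_PADDING = 16, MEM_SIZE = 64 };

/* Echo `claimed` payload bytes back in a response message. */
static size_t build_reply(const uint8_t *rec, size_t claimed, uint8_t *out)
{
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

/* Flawed shape: trusts the length field and never consults rec_len.
 * The MEM_SIZE guard only keeps this simulation inside its own array. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;
    if (rec[0] != HB_REQUEST || HB_HEADER + claimed > MEM_SIZE) return 0;
    return build_reply(rec, claimed, out);
}

/* Hardened shape: header, claimed payload and minimum padding must fit
 * in the bytes actually received, else the message is silently dropped. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    return build_reply(rec, claimed, out);
}

/* Constructed demo: a request that carries no payload but claims 40 bytes
 * sits in front of a made-up secret. Returns 1 if the reply leaks it. */
int demo_leaks(int use_checked)
{
    static const char secret[] = "password=hunter2";  /* constructed */
    uint8_t mem[MEM_SIZE] = {0}, out[MEM_SIZE] = {0};
    size_t rec_len = HB_HEADER + HB_PADDING, slen = sizeof secret - 1;
    mem[0] = HB_REQUEST; mem[2] = 40;
    memcpy(mem + rec_len, secret, slen);
    size_t n = use_checked ? hb_reply_checked(mem, rec_len, out)
                           : hb_reply_unchecked(mem, rec_len, out);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) { return !(demo_leaks(0) == 1 && demo_leaks(1) == 0); }
```

The unchecked handler returns the neighbouring bytes because it copies as many bytes as the message claims to contain; the checked handler drops the same message because the claimed length does not fit in what was received.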

Another point of concern is that the flaw, though just discovered, has been active for at least two years and is undetectable by current standards. If you read any news on the Internet, I’m sure you’ve seen a lot of articles about this and the need to go change your passwords, but WAIT!

If you go and change your password and that website’s server hasn’t updated its OpenSSL software library, that change is all for naught: the flaw is still in place. You’ll need to verify that the web server is running the “safe” OpenSSL version before you change your password.

There exist a few places that will allow you to check a website for this vulnerability, and I recommend you go start checking the websites you use.

https://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

https://lastpass.com/heartbleed/

The last site I mentioned is something the folks at LastPass were nice enough to let people use. Anyone that uses their free password management service has access to a few other tools that allow you to check for ALL your passwords that you store with them. Their scanner also works a little differently and checks for other past vulnerabilities and steps to take to ensure your privacy. I’m a wholehearted supporter of LastPass and strongly suggest you give their free service a try.

It should be noted that the Heartbleed Bug could very well continue to affect our Internet as we know it, with the vulnerable OpenSSL software library baked into a variety of Internet hardware and third-party security products, like Virtual Private Network (VPN) tools and commercial firewall products. For businesses that maintain their own servers with VPN networks in place, you’ll need to check with your IT people to make sure you’re going to be safe.

Don’t delay: start checking the security of the websites you use immediately. If a website hasn’t patched its OpenSSL, then wait to change your password until it does.
