Heartbleed - On the Internet And Beyond


The Concept

Heartbleed, a recently disclosed software bug, poses a new communications-security challenge to an already vulnerable internet. IT professionals working on internet security protocols are expressing serious concern about its reach. While experts are still analyzing the full extent of the potential damage and how to counter the vulnerability (tracked as a CVE, a Common Vulnerabilities and Exposures entry), it has already been established that the bug can defeat the protection that SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption is meant to provide and expose sensitive information.

How Does it Work?

Heartbleed (official reference ID: CVE-2014-0160) directly affects OpenSSL, a software library that provides security for websites and their servers by transferring and authenticating information such as passwords in encrypted form between the sender and the receiver(s). When data (a chat, message, email, etc.) is sent through OpenSSL, it creates a secure channel for the data's protected transfer. Alarmingly, the bug allows anyone to read parts of the otherwise protected server memory, which can hold passwords, messages, credit card numbers, emails, and more.

Why is it Called 'Heartbleed'?

There is a technical reason behind the unusual name. When a computer sends a small request to a website, the website replies with a message of the same length, called a "heartbeat." It is so named because it tells the sender that the website is alive and ready to handle requests and responses. When under attack, the website's heartbeat is manipulated and the response is unexpectedly different.
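To make the heartbeat mechanism concrete, here is an added example that is not part of the original post. It parses the TLS Heartbeat message layout defined in RFC 6520 (a type byte, a two-byte payload length, the payload, and at least 16 bytes of padding) and applies the bounds check whose absence was the Heartbleed bug: the declared payload length must be backed by bytes actually received. The message layout is real; the function names and all sample messages are constructed for this illustration.

```python
"""
Added example (not from the original post): a minimal, defensive parser for
the TLS Heartbeat message layout of RFC 6520. The layout is real; function
names and sample inputs below are constructed for illustration only.
"""
import struct
from typing import Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(msg_type: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Encode a heartbeat message: type, 2-byte payload length, payload, padding."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + padding


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse a heartbeat message, refusing any whose declared length outruns the record."""
    if len(record) < 3:
        raise ValueError("record too short for a heartbeat header")
    msg_type, declared_len = struct.unpack("!BH", record[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {msg_type}")
    # This is the check the patched OpenSSL added: header + declared payload +
    # minimum padding must fit inside the bytes actually received. Without it,
    # a responder that trusts declared_len copies that many bytes from wherever
    # the payload sits, i.e. from beyond the record into adjacent memory.
    if 1 + 2 + declared_len + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload length {declared_len} exceeds record length {len(record)}"
        )
    payload = record[3:3 + declared_len]
    return msg_type, payload


def answer_heartbeat(record: bytes) -> bytes:
    """Respond the way a safe peer should: echo only a validated payload."""
    msg_type, payload = parse_heartbeat(record)
    if msg_type != HEARTBEAT_REQUEST:
        raise ValueError("only heartbeat requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def is_suspicious_heartbeat(record: bytes) -> bool:
    """Detection helper: True when a heartbeat fails the length check above."""
    try:
        parse_heartbeat(record)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed well-formed request: 4-byte payload "ping" plus 16 bytes of padding.
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    print("response:", answer_heartbeat(good))
    # Constructed malformed request: claims 65535 payload bytes but carries only 4.
    bad = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"ping" + b"\x00" * MIN_PADDING
    print("suspicious:", is_suspicious_heartbeat(bad))
```

The same length comparison can be run by an intrusion detection sensor over captured heartbeat records: a request whose declared length is larger than the record that carries it never occurs in legitimate traffic, so it is a reliable signal on the wire as well as in the responder.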

The Shocking Attacks

High-profile sites that this intrusion may have exposed include Facebook, Yahoo, and Google. Within the financial sector, American Funds and Venmo were breached. Netflix, SoundCloud, YouTube, and WordPress are not exempt from the bug, and websites such as Instagram and Pinterest are also at risk. LinkedIn and Twitter appear to be safe, but changing your account passwords on these sites is still highly recommended.

The Challenges

One of the biggest problems with Heartbleed is that it is not a piece of malware that an antivirus can disable. Instead, it resides at the core of the secure data transport mechanism that implements Transport Layer Security (TLS) and Secure Sockets Layer (SSL) on the internet. The bug has even hit applications that use client certificates to establish secure connections with authorized users. Because of the bug, confidential information on many commercial and educational websites across the globe is now at serious risk. Researchers found that the bug arose from a programming error in OpenSSL's internal code, which can give an attacker access to the keys protecting encrypted data in memory and thereby let that data be decrypted into readable form.

Although most of the sites affected by Heartbleed have been patched, there is still substantial scope for damage, as the following statistics show:

  • Of the top one million sites in the world, almost two percent (that is, 20,000) are still at risk.
  • 800 of the top 50,000 ranked websites are still vulnerable.
  • The security issues have spread to internet-enabled mobile devices as well.
  • Nearly 300,000 websites will remain vulnerable for the next few months.
  • Almost 1,300 applications on the Google Play store were connected to at-risk servers. Such apps carry a heightened risk of exposing client devices through their associated servers.
  • The list of victims extends to network devices such as routers, switches, servers, video cameras, and Network Attached Storage (NAS).
  • Even highly secured Virtual Private Networks (VPNs) are within the bug's reach.

The Protection

Until the experts overcome this bug, follow these essential steps to protect the integrity of your data:
  • Avoid sharing sensitive personal information on public sites, especially large ones like Google, Yahoo, and Facebook.
  • If you store information on file-hosting cloud services, such as Dropbox, IFTTT, and Box, change your passwords immediately.
  • Always use unique passwords for different accounts and strengthen them with mixed case, digits, and symbols.
  • Change your passwords frequently.
