In the past few days we have been hearing the term Heartbleed over and over again. What is it, and why is it so dangerous?
Heartbleed is not a virus but a programming mistake in OpenSSL, the open-source library that implements SSL/TLS for a large part of the Web.
It is a security vulnerability (CVE-2014-0160) in the OpenSSL software that could affect a large share of websites (estimates at the time put OpenSSL's share of web servers at nearly two-thirds) and that lets attackers read chunks of a server's memory, which may contain usernames, passwords, session cookies and other sensitive information.
Because the bug sits in OpenSSL's implementation of the TLS heartbeat extension, a cybercriminal no longer needs to break into the server to steal credentials or private keys. A short script that sends malformed heartbeat requests is enough: each request can return up to 64 KB of the server's memory, and the attacker can repeat it as often as they like. Worse, the exploit leaves no trace in normal server logs, so the server admin will not know that the server has been probed or how much information has leaked.
Security researchers found the flaw in OpenSSL's implementation of SSL/TLS, the encryption technology that provides communication security and privacy for web applications, email, VPNs and many other services. The flaw is not in the SSL/TLS protocol itself but in OpenSSL's code; since that code protects e-commerce transactions, email, social-networking data and much other Internet traffic, the bug was enough to give attackers access to users' sensitive personal information.
The vulnerability allows anyone to read information that SSL/TLS encryption would normally protect. The server's private key can itself be among the leaked memory, and an attacker who recovers it can impersonate the server and, for connections made without forward secrecy, decrypt recorded traffic, gaining easy access to an organization's sensitive data.
Security researchers also stress that the vulnerability is extremely dangerous because it went undiscovered for more than two years: it was introduced in OpenSSL 1.0.1 (released in March 2012), affects every release up to 1.0.1f, and was fixed in 1.0.1g. However, Wolfgang Kandek, chief technology officer of the Redwood City security company Qualys, said it still remains unclear whether hackers took advantage of the flaw to steal sensitive data from vulnerable sites before it was disclosed.
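To make the mechanism concrete, here is an added example in C that is not code from the original post or from OpenSSL itself: a self-contained simulation of the heartbeat handler in its vulnerable form (no check that the payload length claimed by the peer fits inside the record actually received) next to the fixed form, driven by the kind of over-claiming heartbeat request a Heartbleed scanner sends. The simulated process memory, the "session=..." secret placed after the received record, and all function names are constructed for the example; the real bug read whatever happened to follow the record on the live OpenSSL heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout from RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     4096   /* size of the simulated server process memory (assumption) */

typedef struct {
    unsigned char mem[MEM_SIZE]; /* the received record lands at offset 0 */
    size_t record_len;           /* bytes actually received in the TLS record */
} server_t;

/* Constructed stale data that an earlier request left behind in the process. */
static const char SECRET[] = "session=7f3a9c; user=alice; pw=hunter2";

/* Server side: copy the received record into memory. Whatever the process
 * already held sits right after it, as it would in a reused heap buffer. */
static void server_receive(server_t *s, const unsigned char *rec, size_t len) {
    memset(s->mem, 0, MEM_SIZE);
    memcpy(s->mem, rec, len);
    s->record_len = len;
    memcpy(s->mem + len + 8, SECRET, sizeof SECRET);
}

/* Attacker/scanner side: a heartbeat request whose length field claims
 * `claimed` payload bytes but which really carries only `actual` bytes.
 * Returns the record length, or 0 if it does not fit in `cap`. */
static size_t build_hb_request(unsigned char *rec, size_t cap, uint16_t claimed, size_t actual) {
    size_t len = 1 + 2 + actual + HB_PADDING;
    if (len > cap) return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memset(rec + 3, 'A', actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return len;
}

/* Shared response builder: echo `payload` bytes starting at `p`. */
static int hb_respond(const unsigned char *p, uint16_t payload, unsigned char *out, size_t out_cap) {
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);              /* copies whatever follows `p` */
    memset(out + 3 + payload, 0, HB_PADDING); /* real code uses random padding */
    return (int)resp_len;
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f behaviour): trusts the
 * peer-supplied length and copies that many bytes out of process memory. */
static int hb_handle_vulnerable(const server_t *s, unsigned char *out, size_t out_cap) {
    const unsigned char *p = s->mem;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]); /* n2s(): the peer's number */
    p += 2;
    if (type != HB_REQUEST) return -1;
    if (3 + (size_t)payload > MEM_SIZE) return -1; /* keeps the simulation in bounds; not part of the original code */
    return hb_respond(p, payload, out, out_cap);
}

/* Fixed handler (OpenSSL 1.0.1g): the claimed payload must fit inside the
 * record actually received, otherwise the message is silently discarded. */
static int hb_handle_fixed(const server_t *s, unsigned char *out, size_t out_cap) {
    const unsigned char *p = s->mem;
    if (1 + 2 + HB_PADDING > s->record_len) return -1; /* too short to be a heartbeat */
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return -1;
    if (1 + 2 + (size_t)payload + HB_PADDING > s->record_len) return -1; /* RFC 6520 bounds check */
    return hb_respond(p, payload, out, out_cap);
}

/* Scanner verdict: a server that answers an over-claiming request with the
 * claimed number of payload bytes is leaking memory. */
static int leaks_memory(int resp_len, uint16_t claimed) {
    return resp_len == 1 + 2 + (int)claimed + HB_PADDING;
}

/* Locate `needle` inside a response (strstr stops at NUL bytes, so search raw). */
static long find_bytes(const unsigned char *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    return -1;
}

int main(void) {
    static server_t srv;
    unsigned char rec[64], resp[2048];
    size_t n = build_hb_request(rec, sizeof rec, 1024, 4); /* claims 1024 bytes, sends 4 */
    server_receive(&srv, rec, n);
    int r = hb_handle_vulnerable(&srv, resp, sizeof resp);
    long at = r > 0 ? find_bytes(resp, (size_t)r, SECRET) : -1;
    printf("vulnerable: %d-byte reply, leaks=%d, secret at offset %ld: %s\n",
           r, leaks_memory(r, 1024), at, at >= 0 ? (const char *)resp + at : "(none)");
    r = hb_handle_fixed(&srv, resp, sizeof resp);
    printf("fixed: reply %d (-1 = request silently discarded)\n", r);
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 heartbleed_sim.c`) and run it. The vulnerable handler answers the 23-byte request with a 1043-byte reply that carries the constructed secret; the fixed handler drops the same request because 1 + 2 + 1024 + 16 exceeds the 23 bytes that were actually received. The `leaks_memory` verdict is also the logic behind the online Heartbleed tests mentioned later in this post: send a heartbeat that claims more payload than it carries, and a server that echoes the claimed amount is vulnerable.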
Researchers at Codenomicon note that OpenSSL is used by the two most widely deployed web servers, Apache and nginx, which means that a very large number of Internet sites could have this vulnerability.
Kandek added that many affected websites will now have to replace their encryption keys and obtain new certificates. Patching the software alone is not enough: a private key that may already have been leaked can still let an attacker impersonate the site or decrypt its traffic, so the old certificate must be revoked and a new key pair and certificate issued.
Every website, server or service administrator who uses OpenSSL should therefore treat this vulnerability as urgent, because it breaks everything SSL encryption was deployed to protect in the first place.
So what should a user do?
- Change your passwords only after the affected online service has patched its servers against Heartbleed (and, ideally, replaced its certificate).
- Affected services ought to be emailing their users to say that they were affected by Heartbleed and have since updated their servers.
- Only once you have that confirmation should you change your password; otherwise the change will not have the expected effect.
- If a website was exposed but has not yet fixed its software, wait before changing your password: a new password sent to a still-vulnerable server can be leaked just like the old one.
- If you are unsure whether a website is still vulnerable, you can check it with a Heartbleed vulnerability test.
- Phishing attacks are increasing, and some attackers will send you links to "change your password". To be safe, go to the website yourself by typing its address, log in, and then change your password.
A few tips for changing your password:
Deploy a password manager: a manager solves the problem of remembering many passwords by generating and storing a random, unique password for each account.
Create unique passwords: each website should have its own password, reused nowhere else. It should be at least eight characters long (longer is better) and contain uppercase and lowercase letters, numbers and symbols.
Enable two-factor authentication (Gmail is one service that offers it): in addition to a password, the service asks for another proof of identity, such as a code texted to your phone.
To check whether your favorite online store or bank is still exposed to the OpenSSL Heartbleed bug, take the Heartbleed Vulnerability test.
Last but not least, for complete security of the personal data stored on your computing device and for an uninterrupted computing experience, install eScan Total Security Suite with Cloud Security.
3 Comments
Agnes Gunhammer
Do I need to install eScan total security?
Nehan Shaikh
eScan ensures total security from evolving cyber threats. It's better to be secure than to be sorry later.