News of the so-called Heartbleed bug made the rounds last week. I received a message from a friend asking, “Why didn’t you warn me about this?” So I had better respond.
Unlike, say, the Target breach, this one was steeped in tech lingo that made understanding it a bit of a project. So let’s walk through what happened and how it affects the average user.
1. What happened? In the most laymen-friendly language possible, it’s important to understand that there is a huge library of common code that is free to use for any software developer or technology vendor. Almost everyone borrows from this code to apply common-standard encryption to their websites, applications, and so on. In an attempt to make some common functions faster, an error was made in the coding process. It was so mundane and trivial that no one caught it -- for over two years. The flaw itself is related to the “lock” icon that users see on the address bar when visiting a secure website. To keep things in laymen’s terms, that lock was not quite locked. Now it has been identified and the software fixes (i.e., patches) are available, but users are reliant upon the server operators to implement the fixes. With an estimated 70% of websites possibly vulnerable, some operators will inevitably lag behind.
2. What was the damage? This is the most interesting part. No one really knows because exploiting this particular vulnerability leaves absolutely zero traces of evidence behind. Have hackers been abusing this for years but keeping quiet about it? (Probably not - the government and other organizations usually do a good job of patrolling the underground communities and discovering these things, so it would likely have been a very small, independent number of people exploiting it to keep it covered up.) However, now that it is public, it’s a race - the ISP’s and vendors need to patch their software before the bad guys abuse this software bug. Any reputable website has already done so by now, but there are plenty that will procrastinate.
3. Other thoughts. This problem is huge, but the bad guys could only steal random slices of data. Yes, it was unencrypted and that is very bad, but they could not specifically seek out profitable information like usernames and passwords, meaning that they will have to wade through a lot of useless data to mine the useful stuff.
4. What can I do/Am I safe? Changing passwords is a good practice in all cases. Heartbleed should motivate everyone to consider doing so.There are also third-party tools (such as Chromebleed) that alert users if a website was ever vulnerable to the Heartbleed bug, and whether or not it has been patched. Additionally, many sites have issued statements or notifications regarding their status - any who refuse to do so should be regarded as possibly at risk.
5. Conclusion. In the coming weeks, we will find out what the damage is. The good news is that many banks and financial institutions rely more heavily on proprietary code, so they are more likely to be safe, but time will tell as far as the rest of the damage is concerned. Recovery will be a multi-step process: First patching the hole, then obtaining new security certificates to prevent already-stolen passwords from being continually used. Personally, I think the good guys caught it before the bad guys did, so damage may be minimal, but there will still be a ton of laggards that will act as a Beta site for cybercriminal activities. Stay tuned.