Heartbleed bug: Everything you need to know

As the Heartbleed bug continues to wreak havoc across the internet, here's our roundup of everything you need to know about it

Since news of Heartbleed OpenSSL vulnerability broke at the start of April, web sites across the globe have taken steps to shore up their defences against it.

Meanwhile, web users have found themselves on the receiving end of conflicting advice about whether they should take action and change their passwords or do nothing and wait for the internet service provider community to sort things out.

In some cases, end users are being urged to change their passwords anyway, but - perhaps - without really understanding what it is they're taking action against.

Here, we run through the information that has been documented about Heartbleed to date to help inform your response to the debacle.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

What is Heartbleed?

Heartbleed is a vulnerability that security researchers uncovered within the popular OpenSSL crytographic software library, which could be used by hackers to eavesdrop on web users' internet activities.

Security group Codonomicon tested the vulnerability and discovered it could be used to steal user names, passwords, emails, instant messages and other documents without leaving a trace.

How does it work?

The Heartbleed affects the integrity of the SSL/TLS encryption used to secure internet services and transactions.

Its origins relate to a programming mistake in the heartbeat extension of OpenSSL, which mistakenly provides access to 64KB of memory that could be seized on by hackers to scrape vulnerable data, 64KB at a time.

Advertisement - Article continues below

How long has the flaw been known about?

Reports about its existence emerged at the start of April 2014, but security researchers claim the flaw may have existed for around two years.

Who is affected?

OpenSSL is widely used to secure online connections, and to underpin the security of web servers, email programs, VPNs and chat services.

Advertisement
Advertisement - Article continues below

For this reason, the Heartbleed saga has the potential to run and run, according to Yogi Chandiramani, director of systems engineering at network security company FireEye.

This is because its effects are likely to be far more wide-reaching than many seem to appeciate at the moment, he told IT Pro.

Advertisement - Article continues below

"There has been a lot of reaction from the security industry [to Heartbleed] and a lot of organisation. It's been very impressive to see how websites have updated their certifications and so on... but that's only - I believe - the tip of the iceberg.

"SSL is not just used for connecting to financial services, online payment and retail and so on, it's also used a lot internally and therefore [Heartbleed] could be leverage internally as a bug in internal applications, such as internal ERP apps, internal ticketing systems and even when managing devices," he explained.

Has there been any reports of Heartbleed being exploited to date?

Parenting advice forum Mumsnet confirmed that it had fallen victim to the vulnerability, despite rolling out a fix for it shortly after news of Heartbleed came to light.

Hackers seized on the flaw to post messages purportedly from Mumsnet CEO Justine Roberts that derided its members, and declared the site was being put up for sale.

The Canada Revenue Agency recently announced that 900 social insurance numbers, amongst other data, had been compromised by an attack on its site brought about by the OpenSSL flaw.

Advertisement - Article continues below

A 19-year-old man was arrested and charged in connection with exploiting Heartbleed to carry out the data theft on 17 April.

What can I do to protect myself and my organisation?

Advertisement
Advertisement - Article continues below

A fix for OpenSSL has been released, and widely deployed by website owners and vendors, so an element of protection against it has already been taken care of on behalf of end users.

As reported by IT Pro, the OpenBSD Foundation has also started work on a new, forked version of OpenSSL (dubbed LibreSSL) to help safeguard users and the sites they use against similar problems in the future.

Further to that, many sites are advising users to reset their passwords just in case hackers have pilfered their data before a fix was issued for use at a later date.

This is precisely what happened in the case of Mumsnet. The site successfully patched the OpenSSL vulnerability on 9 April, but hackers used data obtained before it was applied to make fraudulent posts.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/hardware/354584/windows-10-and-the-tools-for-agile-working
Sponsored

Windows 10 and the tools for agile working

20 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020