Heartbleed bug: Everything you need to know

As the Heartbleed bug continues to wreak havoc across the internet, here's our roundup of everything you need to know about it

Since news of Heartbleed OpenSSL vulnerability broke at the start of April, web sites across the globe have taken steps to shore up their defences against it.

Meanwhile, web users have found themselves on the receiving end of conflicting advice about whether they should take action and change their passwords or do nothing and wait for the internet service provider community to sort things out.

In some cases, end users are being urged to change their passwords anyway, but - perhaps - without really understanding what it is they're taking action against.

Here, we run through the information that has been documented about Heartbleed to date to help inform your response to the debacle.

What is Heartbleed?

Heartbleed is a vulnerability that security researchers uncovered within the popular OpenSSL crytographic software library, which could be used by hackers to eavesdrop on web users' internet activities.

Security group Codonomicon tested the vulnerability and discovered it could be used to steal user names, passwords, emails, instant messages and other documents without leaving a trace.

How does it work?

The Heartbleed affects the integrity of the SSL/TLS encryption used to secure internet services and transactions.

Its origins relate to a programming mistake in the heartbeat extension of OpenSSL, which mistakenly provides access to 64KB of memory that could be seized on by hackers to scrape vulnerable data, 64KB at a time.

How long has the flaw been known about?

Reports about its existence emerged at the start of April 2014, but security researchers claim the flaw may have existed for around two years.

Who is affected?

OpenSSL is widely used to secure online connections, and to underpin the security of web servers, email programs, VPNs and chat services.

For this reason, the Heartbleed saga has the potential to run and run, according to Yogi Chandiramani, director of systems engineering at network security company FireEye.

This is because its effects are likely to be far more wide-reaching than many seem to appeciate at the moment, he told IT Pro.

"There has been a lot of reaction from the security industry [to Heartbleed] and a lot of organisation. It's been very impressive to see how websites have updated their certifications and so on... but that's only - I believe - the tip of the iceberg.

"SSL is not just used for connecting to financial services, online payment and retail and so on, it's also used a lot internally and therefore [Heartbleed] could be leverage internally as a bug in internal applications, such as internal ERP apps, internal ticketing systems and even when managing devices," he explained.

Has there been any reports of Heartbleed being exploited to date?

Parenting advice forum Mumsnet confirmed that it had fallen victim to the vulnerability, despite rolling out a fix for it shortly after news of Heartbleed came to light.

Hackers seized on the flaw to post messages purportedly from Mumsnet CEO Justine Roberts that derided its members, and declared the site was being put up for sale.

The Canada Revenue Agency recently announced that 900 social insurance numbers, amongst other data, had been compromised by an attack on its site brought about by the OpenSSL flaw.

A 19-year-old man was arrested and charged in connection with exploiting Heartbleed to carry out the data theft on 17 April.

What can I do to protect myself and my organisation?

A fix for OpenSSL has been released, and widely deployed by website owners and vendors, so an element of protection against it has already been taken care of on behalf of end users.

As reported by IT Pro, the OpenBSD Foundation has also started work on a new, forked version of OpenSSL (dubbed LibreSSL) to help safeguard users and the sites they use against similar problems in the future.

Further to that, many sites are advising users to reset their passwords just in case hackers have pilfered their data before a fix was issued for use at a later date.

This is precisely what happened in the case of Mumsnet. The site successfully patched the OpenSSL vulnerability on 9 April, but hackers used data obtained before it was applied to make fraudulent posts.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

8 of the most secure web browsers
web browser

8 of the most secure web browsers

25 Sep 2020
Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
How to enable private browsing on any device
privacy

How to enable private browsing on any device

22 Sep 2020
Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google removes 17 apps infected with evasive ‘Joker’ malware
malware

Google removes 17 apps infected with evasive ‘Joker’ malware

28 Sep 2020