JMF Top Ten: Things to Know about the Heartbleed Bug
1. What is the Heartbleed Bug?
The Heartbleed Bug is a weakness in the OpenSSL cryptographic software library. This flaw allows information such as passwords to go unprotected from potential hacking threats. Susceptible versions of the OpenSSL software can allow anyone on the Internet to capture the memory of the systems using it.
CVE-2014-0160 is the reference to the Heartbleed Bug. According to Mitre.org, this particular Common Vulnerabilities and Exposures entry, or CVE, CVE-2014-0160, is “the (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.”
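The "buffer over-read" in that description comes from trusting the payload length a heartbeat message claims for itself. The sketch below is an added example, not OpenSSL's code or the actual patch: it assumes the RFC 6520 message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding), and all function and sample names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_MIN_PADDING 16  /* minimum padding after the payload (RFC 6520) */

/* Constructed samples: a 23-byte record claiming 4 payload bytes ("ping"),
 * and a 20-byte record claiming 0x4000 (16384) payload bytes. */
static const uint8_t SAMPLE_HONEST[23]     = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t SAMPLE_MISMATCHED[20] = {0x01, 0x40, 0x00, 'A'};

/* Payload length as claimed by the sender; caller ensures rec has >= 3 bytes. */
static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the end of the record that a copy trusting the claimed
 * length would read. Zero means the claim fits inside the record. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t end = HB_HEADER_LEN + hb_claimed_len(rec);
    return end > rec_len ? end - rec_len : 0;
}

/* Hardened echo: copy the payload only when header + claimed payload +
 * minimum padding fit in the bytes actually received. Returns the number
 * of bytes copied, or -1 when the record must be discarded. */
long hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    size_t claimed = hb_claimed_len(rec);
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (long)claimed;
}

int main(void)
{
    uint8_t out[64];
    printf("honest: over-read %zu, echoed %ld\n",
           hb_overread_bytes(SAMPLE_HONEST, sizeof SAMPLE_HONEST),
           hb_echo_checked(SAMPLE_HONEST, sizeof SAMPLE_HONEST, out, sizeof out));
    printf("mismatched: over-read %zu, echoed %ld\n",
           hb_overread_bytes(SAMPLE_MISMATCHED, sizeof SAMPLE_MISMATCHED),
           hb_echo_checked(SAMPLE_MISMATCHED, sizeof SAMPLE_MISMATCHED, out, sizeof out));
    return 0;
}
```

The over-read count is what a length-trusting copy would have pulled from adjacent process memory; the checked version discards the record instead.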
3. What’s the Big Heartbleed Bug Deal?
Webmasters are accustomed to dealing with hacks, viruses and security holes. So what makes the Heartbleed Bug so buzz-worthy? Besides the fact that it's affecting a lot of websites, what makes this bug so dangerous is how easily it can be exploited. This security hole makes it incredibly easy for even less experienced people to corrupt and steal information like credit card numbers, emails and more.
4. This Is Not New
The Heartbleed Bug has been around since December 2011. However, because the code error was small, it was not widely noticed or talked about until now.
5. You Are Limited in Protecting Yourself as an End User
According to heartbleed.com, a site dedicated to information about the bug and how to fix it, “Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.” The fix they are referring to is Fixed OpenSSL, an improved version of the vulnerable OpenSSL.
6. It Doesn’t Affect Just Social Networks
Yes, your Facebook, Instagram, Tumblr and Pinterest accounts might/will be affected and are in need of a password change. However, a password change is also strongly suggested for programs and accounts such as Wunderlist, SoundCloud, OKCupid, USAA, and GoDaddy. The same can be said for the email accounts Gmail and Yahoo.
7. Not All Accounts are Affected
LinkedIn or Twitter, for instance, are safe.
8. Changing Your Password is Not Enough
Servers must be patched on each service you use to somewhat combat this bug. Changing your password alone cannot fix it. Also, keep in mind that changing your password might be pointless if the sites you are using are being run with OpenSSL.
9. Heartbleed Was Not Made Maliciously
It was a coding error in OpenSSL. However, because about 66% of the internet uses OpenSSL, hackers were able to use the bug to their advantage in a malicious manner.
10. The Damage is Done
Changing a password and updating OpenSSL can perhaps prevent the Heartbleed bug from getting into your system, but it won’t solve any damage that has already occurred to your site. You also cannot tell if anyone dodged the vulnerability in past instances.
The integrity of our clients’ websites is of the utmost importance to us. Our talented team of developers and programmers has been efficiently and quickly securing any potential threats and patching all security holes in an effort to prevent any damage. If you have any questions regarding our web services, contact us today!