Wednesday, April 23, 2014
Over the past few weeks there has been a lot of talk about Heartbleed and the potential dangers it poses to anyone with an online presence.
Many questions have been put to us, such as:
“Will I need to update my antivirus?”
“Should I log in to my online banking?”
“When is it safe to venture back online?”
In this blog we will be debunking the myths and supplying you with what you need to know to stay safe and secure from Heartbleed.
Heartbleed, a brief story
To understand Heartbleed, we need to take a look at the software it affects. Heartbleed affects a piece of software known as OpenSSL. OpenSSL is security software that is used on many popular servers such as Google. With OpenSSL, websites are able to encrypt information sent to and from their visitors. So when you log in to a site and provide your username and password, this information is encrypted using OpenSSL and sent to the server so that other users can't snoop on your personal data.
OpenSSL is open source, which means that exceptionally talented individual software engineers volunteer to help the internet community by developing and improving upon it. When version 1.0.1 of OpenSSL was released on April 19th, 2012, a bug was introduced (a mistake made by a software engineer that has undesired results). This bug came to be known as Heartbleed.
How does Heartbleed affect the server?
When you access a website, the website sends a response back to you to let you know that it is active and listening for requests. This is known as a heartbeat. The server also sets aside a block of memory for you to use during your time on the website. When you send a request from your computer, the server's heartbeat sends back only the amount of data required for your request. So when you click "login", the server sends back only the data necessary to complete the login, storing any necessary information in your block of memory.
However, with servers affected by Heartbleed, hackers can request more data than they sent, meaning they can retrieve more data back than what is in their own block of memory. This gives them the potential to obtain other people's data.
What might be in this data? It could be anything: login credentials, cookies or other data, depending on the server affected and how it is set up.
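The mechanism described above comes down to one missing check: the server trusted the length field inside the heartbeat message instead of comparing it with the size of the message it actually received. The following toy model is an added example, not OpenSSL's code, and uses a constructed in-memory "heap" (the request bytes followed by a made-up secret) to show how an unchecked responder copies past the real payload and how the fixed responder discards the malformed request instead.

```python
"""Toy model of a heartbeat responder: unchecked (pre-fix) vs. checked (fixed).
This is a constructed illustration, not OpenSSL source. Message layout follows
the heartbeat format: 1-byte type, 2-byte payload length, payload, 16-byte padding."""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16          # minimum padding the heartbeat format requires
HEADER_LEN = 1 + 2        # type byte + 2-byte length field


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets a test send a length field
    that does not match the payload actually attached (the malformed case)."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


class HeartbeatServer:
    def __init__(self, leftover_memory: bytes):
        # Constructed model of process memory: whatever sits in memory right
        # after the request buffer (here a fake secret from another session).
        self.leftover_memory = leftover_memory

    def _memory_view(self, record: bytes) -> bytes:
        # Simulated heap: the received record is immediately followed by
        # data that belongs to other connections.
        return record + self.leftover_memory

    def respond_unchecked(self, record: bytes) -> bytes:
        """Pre-fix behaviour: copy as many bytes as the length field asks for,
        without checking that the record actually contains that many."""
        _hb_type, length = struct.unpack("!BH", record[:HEADER_LEN])
        memory = self._memory_view(record)
        payload = memory[HEADER_LEN:HEADER_LEN + length]  # over-read when length is too big
        return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * PADDING_LEN

    def respond_checked(self, record: bytes) -> Optional[bytes]:
        """Fixed behaviour: the record must be large enough to hold the header,
        the claimed payload and the padding; otherwise the request is dropped."""
        if len(record) < HEADER_LEN + PADDING_LEN:
            return None                       # too short to even carry a length field + padding
        _hb_type, length = struct.unpack("!BH", record[:HEADER_LEN])
        if HEADER_LEN + length + PADDING_LEN > len(record):
            return None                       # claimed length exceeds what was received: discard
        payload = record[HEADER_LEN:HEADER_LEN + length]
        return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * PADDING_LEN


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _hb_type, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


if __name__ == "__main__":
    server = HeartbeatServer(leftover_memory=b"SESSION=constructed-secret-value")
    good = build_heartbeat(b"hello")
    bad = build_heartbeat(b"hello", claimed_length=60)   # says 60 bytes, carries 5
    print("checked/good   :", response_payload(server.respond_checked(good)))
    print("checked/bad    :", server.respond_checked(bad))
    print("unchecked/bad  :", response_payload(server.respond_unchecked(bad)))
```

The only difference between the two responders is the comparison of the claimed length against `len(record)`; that single bounds check is what the fixed release adds, and it turns a memory disclosure into a silently dropped message.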
So what should you do to keep safe?
Well, it turns out that the number of servers actually affected by Heartbleed is lower than first thought. This is because Heartbleed only affects servers with OpenSSL 1.0.1 – any older versions do not have the “Heartbeat” feature and the newer version – 1.0.1g – has had the bug fixed.
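A practical way to apply the version rule above is to parse the banner that `openssl version` prints and classify it, which is less error-prone than comparing version strings by eye (a plain string comparison would rank "1.0.1" and "1.0.1g" incorrectly). The example below is added here and is not Rocktime's or OpenSSL's code; the banners it is fed are sample values written for the example, and the classification follows only what this post states: releases before 1.0.1 lack the heartbeat feature, 1.0.1 through 1.0.1f are affected, and 1.0.1g carries the fix.

```python
"""Classify an `openssl version` banner against the Heartbleed range.
Added example; the rules encode what the post above says about versions."""
import re
from typing import Tuple

# Matches e.g. "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.1 14 Mar 2012"
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

FIRST_FIXED_LETTER = "g"   # 1.0.1g is the release with the fix


def parse_version(banner: str) -> Tuple[int, int, int, str]:
    """Return (major, minor, patch, letter) from an OpenSSL version banner.
    The letter is '' for a release with no suffix, e.g. plain 1.0.1."""
    match = VERSION_RE.match(banner.strip())
    if not match:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter


def heartbleed_status(banner: str) -> str:
    """Classify a banner as 'not affected', 'affected', 'fixed' or 'later release'."""
    major, minor, patch, letter = parse_version(banner)
    base = (major, minor, patch)
    if base < (1, 0, 1):
        return "not affected"          # older releases do not have the heartbeat feature
    if base == (1, 0, 1):
        # Letter suffixes sort alphabetically; '' (plain 1.0.1) sorts before 'a'.
        return "fixed" if letter >= FIRST_FIXED_LETTER else "affected"
    return "later release"             # outside the 1.0.1 range this post describes


if __name__ == "__main__":
    # Sample banners constructed for the example.
    for sample in ("OpenSSL 0.9.8y 5 Feb 2013",
                   "OpenSSL 1.0.1 14 Mar 2012",
                   "OpenSSL 1.0.1f 6 Jan 2014",
                   "OpenSSL 1.0.1g 7 Apr 2014"):
        print(f"{sample:32} -> {heartbleed_status(sample)}")
```

One caveat when using this on a real machine: Linux distributions often backport the fix into their package while leaving the base version number unchanged, so a banner that reads 1.0.1e can belong to a patched system. Treat the banner as a first screen and confirm against the distribution's package changelog or security advisory.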
So should you worry? We think you should be more wary of your data, but don't panic. You should change your passwords for the services that have been affected by Heartbleed. Services such as Google and Yahoo have emailed their users and informed them that they were affected by this bug. You should look out for other incoming emails from services that confirm whether they have been affected, and change your passwords for them too. There are services, such as LastPass or 1Password, that allow you to manage all of your passwords in one place if (like me) you have trouble remembering them all.
Have hackers been exploiting this?
There's nothing to suggest that hackers knew of and have been actively using this bug, but that is not to say that they haven't. The above suggestions are a precaution: now that Heartbleed is public knowledge, more people will attempt to exploit servers that haven't been updated yet.
What devices does this affect?
This can affect any device: your mobile phone, your tablet, anything. The problem isn't your device, but the server you are connecting to.
What about Rocktime?
The vast majority of our servers are Windows Servers, which use different encryption software, so these aren’t affected. Our Linux server has been updated with the latest OpenSSL which removes the Heartbleed bug.
If you would like to learn more about this subject or about any other technical challenges you are facing, feel free to contact our Digital Consultants.
Author: Jay Martin-Smith