The 3 Things You Need to Know About the Heartbleed Bug

There has been a lot of urgent information circulating about the Heartbleed security bug (which some are mistakenly calling the “Heartbeat bug”) this week. But then you hear that the Heartbleed bug has been around for two years, and suddenly find yourself wondering why all the hype? Here are the three things that you need to know about the Heartbleed bug, and what you need to do about it.

1. The Heartbleed bug needs to be taken seriously even though it has been around for two years

Without getting too technical, the Heartbleed bug is a vulnerability in the OpenSSL library. SSL stands for ‘Secure Sockets Layer’, a cryptographic ‘layer’ that secures Internet communications. The Heartbleed security bug allows servers running affected versions of OpenSSL to leak the contents of server memory, including things like passwords.

OpenSSL is widely deployed, which means that the Heartbleed bug vulnerability has existed on many, many sites around the world, including many large and well-known sites and services.


There are two primary reasons why you should worry about this now even though the Heartbleed vulnerability has been around for two years.

A. If at any time in the past two years your data was leaked or breached, then any passwords that you have set up on any site that is or was vulnerable need to be changed now. This is because your credentials, including your usernames and passwords, could at this very moment be traded or sold.

You will also want to check (see below) to determine whether any of those services and sites are still vulnerable, because if so then changing your password now will do little good until they patch the hole. Be sure to contact any site that you use that is currently vulnerable to the Heartbleed bug.

B. With the sudden massive news exposure the Heartbleed bug is getting, hackers are now doing a lot more probing and testing of sites to see if they are vulnerable. So a site that may have been vulnerable, but unexploited, for the past two years, may now be discovered as the hackers have come out of the woodwork to look for and exploit this bug.

2. You need to change your passwords if you have any doubt – especially at sites that have your financial or other personal or private information

All sorts of service sites, including Amazon and Netflix, were vulnerable, and only got patched (fixed) this week.

ISPs and email providers, such as Google and Yahoo, were also vulnerable.

Moreover, the Heartbleed bug was found in widely-used networking hardware such as Cisco routers and Juniper networking hardware, which means that any number of servers in companies of any size are vulnerable.

So how can you possibly know where you need to change your passwords? This brings us to point number three.

3. Many sites are still vulnerable – you need to check for yourself whether the sites and services you use are vulnerable

There are now several places where you can test to determine whether a site is vulnerable to the Heartbleed bug.

The one that we like best is the one that The Atlantic has called “industrial strength”. The main reasons that we like it best are that a) so far it has not thrown any errors, and b) it is the most comprehensive. That is the Heartbleed test at SSL Labs.


Two other places that are offering tests to see if a given site is vulnerable to the Heartbleed bug are the Heartbleed test at Filippo.io and the Heartbleed test at LastPass.

If you find a site that is still vulnerable, please let us know in a comment.

2 Replies to “The 3 Things You Need to Know About the Heartbleed Bug”

  1. When I heard about this thing, I knew there was one source of accurate, succinct, and actionable information: The Internet Patrol. Thanks for the test link, and the (predictable) BoA scorecard. News you can use. Kudos, Anne.

  2. The Bank of America website, all 3 servers, received a failing grade on the SSL security test:

    Server 1: 171.161.199.100 (Ready), bofa.com
      Test time: Mon Apr 14 11:25:02 UTC 2014 (Duration: 32.588 sec)
      Grade: F

    Server 2: 171.161.203.100 (Ready), bofa.com
      Test time: Mon Apr 14 11:25:34 UTC 2014 (Duration: 32.429 sec)
      Grade: F

    Server 3: 171.161.202.100 (Ready), bofa.com, http://www.bofa.com
      Test time: Mon Apr 14 11:26:07 UTC 2014 (Duration: 32.530 sec)
      Grade: F
