'Heartbleed' Bug Has Everyone Worried, Here's Why
A newly discovered Internet security exploit dubbed "Heartbleed" has cybersecurity experts scrambling thanks to the implication that millions of usernames, passwords, credit cards, and other personal information have been vulnerable for more than two years.
Heartbleed was discovered earlier this week by Finnish security firm Codenomicon, and the reason many experts are calling it the worst bug yet is that it doesn't affect a single site or a single product -- it affects much of the Web as we know it. According to Tatu Ylönen, inventor of SSH encryption and CEO of the SSH security company, two-thirds of the world's websites use OpenSSL 1.0, the encryption tool susceptible to Heartbleed.
"This is an extremely serious vulnerability in OpenSSL," Ylönen said in an email to eWeek.
"An attacker can use it to obtain the encryption keys used by a web site, allowing an attacker or spy agency to read all communications. It can practically be used to obtain the server private key used for securing the server and communications to it, essentially breaching the certificates used for protecting the web site, which in turn allows decrypting past sessions as well as performing man-in-the-middle attacks (including banking fraud and identity theft) in most cases."
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)," Codenomicon wrote on Heartbleed.com.
Major companies such as Google, Yahoo, and Facebook have all stated that they were vulnerable to Heartbleed but have since implemented the proper fixes. Twitter, on the other hand, reported that it was not vulnerable to Heartbleed. Even though the extent of the damage from Heartbleed is still unknown, Internet users are encouraged to change passwords on vital accounts containing personal information, as that's all that can really be done at this point. The IRS has stated that it has not been affected by Heartbleed, so those who filed their taxes online need not worry (although TurboTax did report that it was vulnerable to Heartbleed).
Another reason security experts are so worried about Heartbleed is that it went undetected for more than two years. Many believe that most hackers did not know about Heartbleed until it was disclosed this week, but almost all agree that until a proper postmortem is conducted, it's better to be safe than sorry.
Codenomicon tested Heartbleed from an attacker's perspective and seemed to find it easy enough to gain access to vital personal information.
"We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication," the security firm said.
Even without concrete details about Heartbleed's consequences, the message is clear: cybersecurity is no longer on the back burner and is more important to citizens' daily lives than ever before.