The word “Heartbleed” meant nothing at the start of the week. Today it is one of the hottest topics on the Internet — a simple security bug in an obscure piece of software that could compromise the personal information of millions. And while the Internet’s biggest companies scramble to fix the problem, users had better get ready to upgrade their own security practices.
“It’s not an academic exercise,” said Trey Ford, global security strategist at network security firm Rapid7 LLC in Boston. “I think this is a really big deal.”
So big that Ford thinks people should take a time out from online retailers, financial services sites, or online destinations that require entering sensitive information — names, addresses, credit card numbers. “I probably wouldn’t log into those for a couple of days or so,” he said.
To Ford, this isn’t another exaggerated Internet scare. Heartbleed really is that bad. But what is it?
Heartbleed is a bug that was accidentally added to a vital piece of software called OpenSSL, which secures thousands of Internet sites worldwide. OpenSSL software is built into Apache, the server software used by about two-thirds of the world’s websites to deliver Web pages to your computer. It sets up an encrypted data channel between your machine and the remote server. When it’s working properly, data traveling between the two machines looks like gibberish except to the authorized computers, which have keys for decoding the information.
OpenSSL is vital to Internet commerce, making it safe to move financial information online. But in 2012, during a software upgrade, someone wrote a bit of bad code that makes it possible to read unencrypted information from the memory of the remote server. This can include the encryption keys needed to decode the data stream, and e-mails, financial data, phone numbers — pretty much anything.
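To make concrete what "a bit of bad code that reads the remote server's memory" means, here is an added illustration in C (not OpenSSL's code and not from the article): it models a record that carries its own payload-length field, a copy routine that trusts that field, and the same routine with the length check that Heartbleed's fix adds. The memory layout, the two-byte record format and the sample secret are all constructed for this demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed "server memory": the received record sits at the front and an unrelated secret lies right after it. */
#define CLAIMED_LEN 64   /* length field as written by the sender */
#define PAYLOAD_LEN 5    /* bytes really sent after the 2-byte header: "hello" */
#define RECEIVED (2 + PAYLOAD_LEN)
static uint8_t arena[256];
static const char secret[] = "SESSION=abc123";   /* constructed sample secret */
static void build_arena(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = CLAIMED_LEN >> 8;    /* 2-byte big-endian length, the model's wire format */
    arena[1] = CLAIMED_LEN & 0xff;
    memcpy(arena + 2, "hello", PAYLOAD_LEN);
    memcpy(arena + RECEIVED, secret, sizeof secret - 1);
}
/* Vulnerable pattern (the Heartbleed bug class): the length field is trusted and `received` is never consulted. */
static size_t echo_unchecked(const uint8_t *rec, size_t received, uint8_t *out, size_t cap) {
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    (void)received;                     /* that omission is the bug */
    if (claimed > cap) claimed = cap;   /* keeps this model itself inside `arena` */
    memcpy(out, rec + 2, claimed);      /* runs past the 5 real payload bytes */
    return claimed;
}
/* Hardened pattern: the claimed length must fit inside the bytes received, else the record is dropped. */
static long echo_checked(const uint8_t *rec, size_t received, uint8_t *out, size_t cap) {
    if (received < 2) return -1;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > received - 2 || claimed > cap) return -1;
    memcpy(out, rec + 2, claimed);
    return (long)claimed;
}
static int contains_secret(const uint8_t *buf, size_t n) {
    size_t m = sizeof secret - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, secret, m) == 0) return 1;
    return 0;
}
/* 1 if echoing the 7-byte record without the check leaks the neighbouring secret. */
int unchecked_leaks(void) {
    uint8_t out[128];
    build_arena();
    return contains_secret(out, echo_unchecked(arena, RECEIVED, out, sizeof out));
}
/* 1 if the checked echo rejects the same record and copies nothing. */
int checked_rejects(void) {
    uint8_t out[128] = {0};
    build_arena();
    return echo_checked(arena, RECEIVED, out, sizeof out) == -1 && !contains_secret(out, sizeof out);
}
```

The unchecked copy hands back whatever happened to sit next to the record, which is why the article's list of what can leak (keys, e-mails, financial data) is open-ended.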
A security engineer at Google Inc. and a team of researchers at Finnish security company Codenomicon Ltd. uncovered the problem and raised the alarm on Monday. In the process, they kicked off an online panic that is quite justified.
OpenSSL “is at the cornerstone of trust on the Internet,” said Ford. It’s not just buying and selling. For instance, Internet e-mail services such as Yahoo Mail use OpenSSL to ensure the confidentiality of personal messages. So much for that: A security researcher was able to steal a Yahoo username and password from the company’s servers by using the Heartbleed trick.
Yahoo says it has fixed the problem on its servers. Meanwhile, other major Internet companies are also offering reassurances. I pinged Amazon.com, Facebook, tax preparation company Intuit Inc., and the Internal Revenue Service. All replied that their computers are not vulnerable to the Heartbleed problem.
But before you relax, consider that this bug was introduced two years ago. All this time, our “secure” data has been vulnerable. If some criminal gang had exploited the bug, I think we’d recognize them by a trail of emptied bank accounts, so this probably hasn’t happened. But if you worked at a spy shop like the National Security Agency or China’s Ministry of State Security, you’d be dead quiet about this handy little exploit. Instead, you’d use it to quietly scoop up intelligence on carefully selected targets.
Has this happened? Who knows? Exploiting a security flaw will often leave traces behind; you’ll know you’ve been hit, even if you can’t do anything about it.
But Heartbleed doesn’t leave a mark. Our passwords and personal data may already have been leaked out, scooped up, and filed away. Or not. It’s impossible to be sure.
Which is why Ford and other security analysts say there’s only one thing to do — change your passwords. Every last one, or at least every one that logs you onto financial, shopping, or social networking sites, the places where you share sensitive information. It’s also a good idea to delete all cookies from such sites.
But even this won’t protect you unless the sites you visit have upgraded their own software. Log onto a Heartbleed-affected server, and your new password could be as compromised as the old one. So Ford recommends taking your time. “Wait a day or two,” he said, “and then start changing passwords.”
In the early days of the Internet, global security scares came like clockwork: the Melissa virus of 1999, the I Love You virus of 2000, or 2001’s Code Red attack. Today the Internet is less vulnerable to sabotage. But as Heartbleed proves, there will never be a cure for carelessness.
Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.