
Heartbleed bug affects ‘almost everyone,’ expert warns


Experts say the Heartbleed OpenSSL bug — a flaw in the network software meant to protect your data — may have actually allowed hackers to steal the very data it’s meant to guard. Think you’re safe from this obscure bug in OpenSSL, whatever that is? Think again. One expert noted that “almost everyone” uses it. 

“Given that over half of the world’s webservers use Apache, and Apache uses OpenSSL, the majority of people are using applications built on top of OpenSSL on a regular basis,” explained Steve Pate, the Chief Architect at cloud services company HyTrust.


The Heartbleed bug is a security hole discovered in OpenSSL, widely used network software that encrypts the sensitive data you enter into many popular websites. The flaw allows hackers to read data directly from the memory of servers all over the world, and has existed for roughly two years. Jean Taggart, a Senior Security Researcher at Malwarebytes, which makes popular anti-malware software, described it as an easy way for crooks to invisibly sweep up your data.


“This vulnerability gives cyber criminals a method for collecting very sensitive information, like private encryption keys. If an adversary has extracted the private key through the Heartbleed vulnerability, they can impersonate the victim, and set up an undetectable man-in-the-middle attack,” Taggart said.

OpenSSL has a history of being vulnerable to attacks, Pate says, with the first flaw spotted by HyTrust back in May of 2009. However, Pate also notes that although Heartbleed fixes are already available for OpenSSL 1.0.1 and 1.0.2-beta, any server still running the affected versions may already have had sensitive data swiped by hackers exploiting the bug.

Taggart also explained that exterminating the security flaw will be no easy task.

“Fixing this bug will not be trivial, because even though security professionals can roll out an upgrade, many will not reset their certificates as this is a difficult and lengthy task. So if they were compromised prior to the announcement of the bug, their private keys might already be in the hands of adversaries, and their encrypted communications could be intercepted by third parties.”


Nathaniel Couper-Noles, a Principal Security Consultant at security firm Neohapsis, said that though there are workarounds and fixes available to combat Heartbleed, “the horse may already be out of the barn.”

“Many organizations aren’t instrumented to identify whether and where they’re vulnerable, the attack may leave no footprint discernible from legitimate traffic, and the consequences can potentially be long term,” Couper-Noles said. On top of that, Couper-Noles noted that there could be “hundreds or thousands of affected systems” across the world’s businesses.

At this point, changing your passwords is the best course of action you can take to protect yourself from the Heartbleed bug. On top of that, avoiding the webpages on this list of sites that are allegedly affected by the OpenSSL flaw is also highly recommended.


Editors' Recommendations

Canadian teen arrested for using the Heartbleed bug to steal taxpayer information

According to Reuters, the Royal Canadian Mounted Police has arrested Stephen Solis-Reyes, a 19-year-old London, Ontario resident, for stealing Canadian taxpayer information. Solis-Reyes allegedly used the infamous Heartbleed OpenSSL bug to pull off the thefts, and is charged with unauthorized use of a computer, and mischief in relation to data. This comes after the Canada Revenue Agency stated that roughly 900 Social Insurance Numbers, or SINs, were stolen after attacks on its website were conducted using Heartbleed.
"It is believed that Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug," the RCMP stated.
Solis-Reyes was apprehended at his residence in Ontario today, and authorities also seized his computer equipment.
The Heartbleed bug allows hackers to send fake heartbeat messages, which can trick a website’s server into relaying data that’s stored in its memory. This includes sensitive information such as usernames, passwords, credit card numbers, emails, and more.
Multiple Internet security experts have expressed serious concern regarding the impact that Heartbleed could have. For instance, Mike Lloyd, the CTO of RedSeal, a network security firm, advised that people should “stop all transactions for a few days” once news of Heartbleed broke. In its efforts to combat the threat, the Canada Revenue Agency shut down its website on April 8, and didn't bring it back online until April 13.
Solis-Reyes is scheduled for a July 17 court date.

Heartbleed Bug claims 900 Canadian taxpayers as its first victims

In the days following the discovery of the Heartbleed bug, the Internet has gone from sheer panic to anger over allegations that the NSA used the vulnerability for intelligence purposes. Then there was the denial phase, which Cloudflare instigated by saying that the bug does not allow access to the private SSL keys of websites. Now we’re about to circle back to fear with news that attackers exploited the vulnerability to remove the Social Insurance Numbers (SIN) of hundreds of taxpayers from the registry of the Canada Revenue Agency (CRA). The SIN is a nine-digit number that is required to work in the country and receive government benefits; it's the Canadian version of U.S. Social Security Numbers.
According to a statement from CRA Commissioner Andrew Treusch, the agency shut down its online services on April 8. Its website went back online on April 13, after implementing a patch for the Heartbleed bug. 
“Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by exploiting the Heartbleed vulnerability,” Treusch said.
Aside from the SINs of taxpayers, other fragments of data that relate to businesses were also removed. The Royal Canadian Mounted Police (RCMP) is currently investigating the matter. 
To make it up to affected taxpayers, the CRA will provide credit protection services for free. It will also send registered mail to inform them of the breach, in hopes of sidestepping phishing schemes. The letter will contain a 1-800 number to help people protect their SINs.

OpenSSL Foundation president asks for more financial support in the wake of Heartbleed

If the organizations, companies, and governments that run OpenSSL on their websites want those sites to stay secure from future threats like Heartbleed, they should donate more money toward its operations, says Steve Marquess, president of the OpenSSL Software Foundation, according to the LA Times. Marquess made the case for additional funding in this blog post.
"While OpenSSL does 'belong to the people' it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support," Marquess wrote. "The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted."
Marquess specifically took members of the Fortune 1000 list to task in his note.
"I’m looking at you, Fortune 1000 companies. The ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications. The ones who don’t have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can’t figure out how to use it. The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are."
Marquess also names the U.S. Department of Defense in his note as an agency that could provide additional funding, calling an investment in OpenSSL a "no-brainer."
OpenSSL is an encryption library used by many websites to safeguard the data you type into your Web browser. OpenSSL includes an optional feature known as the heartbeat extension. While a person is visiting a website that encrypts data using OpenSSL, his or her computer periodically sends and receives short messages to check whether the PC and the server on the other end are both still connected, following a pattern similar to a heartbeat. The Heartbleed bug means hackers can send fake heartbeat messages, which can trick a site’s server into relaying data that’s stored in its RAM — including sensitive information such as usernames, passwords, credit card numbers, emails, and more. This web comic also explains how Heartbleed works.
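The fake-heartbeat mechanism described in the two passages above (the arrest story and this one) comes down to a server trusting a length field it never compared against the record it actually received. The following is an added example written for this page, not OpenSSL's code or anything from the article: a heartbeat handler using the RFC 6520 message layout (type byte, two-byte length, payload, at least 16 bytes of padding) that applies the bounds check the patched OpenSSL added, run against a constructed honest request and a constructed request that lies about its length.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Echo reply for one heartbeat request carried in a rec_len-byte TLS record.
 * Returns the reply length, or 0 if the request must be dropped. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST) return 0; /* too short or not a request */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled length field */
    /* The check the vulnerable code lacked: the claimed payload, plus header and
     * minimum padding, must fit inside the bytes that actually arrived. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return 0;                                   /* silently discard, as the fix does */
    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xFF);
    memcpy(out + 3, rec + 3, payload_len);               /* only bytes the peer sent */
    memset(out + 3 + payload_len, 0xAA, HB_MIN_PADDING); /* stand-in for random padding */
    return resp_len;
}

/* Constructed sample: a 4-byte "ping" payload whose length field is honest. */
size_t demo_well_formed(void)
{
    uint8_t rec[1 + 2 + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);   /* 23 */
}

/* Constructed sample: the same bytes, but the length field claims 65535. An unpatched
 * handler would answer with ~64 KiB of process memory; this one drops the request. */
size_t demo_malformed(void)
{
    uint8_t rec[1 + 2 + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);   /* 0 */
}

int main(void)
{
    printf("well-formed: %zu bytes, malformed: %zu bytes\n", demo_well_formed(), demo_malformed());
    return 0;
}
```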
According to Marquess, the OpenSSL Foundation only pulls in about $2,000 per year in donations, with the rest of its funding coming from the support contracts it honors, under which part-time technicians assist clients with problems specific to them. Overall, the OpenSSL Foundation has never surpassed $1 million in annual funding. On top of that, OpenSSL is understaffed, according to Marquess, with the entire team consisting of a single full-time staff member and a handful of part-timers.
