Heartbleed is a bug in OpenSSL, a technology used by Internet services to encrypt and keep user data secure. OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Modern Web security relies heavily on these two protocols. The “Heartbleed” bug was first reported on Monday April 7th. It allows anyone with Internet access to read small pieces of memory from systems using OpenSSL. Using this vulnerability, the attacker can read 64KB of memory from the server. This can be repeated many times, and with each try the attacker gets a different 64KB piece of the server’s memory. What this means is that the attacker can obtain virtually anything that is in the server’s memory, including usernames, passwords, and SSL private keys. This is a major security risk.
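The defect behind the description above was a missing length check: the server trusted a length field supplied by the peer and copied that many bytes out of memory, even when the peer had sent far fewer. The following is an added, simplified model of that pattern written for this article; it is not OpenSSL’s code. The record layout (type byte, 2-byte length, payload, 16 bytes of padding), the function names, the fixed-size “arena” standing in for server memory, and the placeholder secret are all constructed for the illustration. The vulnerable responder and the hardened responder differ only in the bounds check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat-style record (constructed model, not OpenSSL's code):
 * type(1) | payload_length(2, big-endian) | payload | padding(16) */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define ARENA_SIZE     256

/* Constructed stand-in for server memory: the incoming record sits at the
 * start, and unrelated data happens to sit right after it. */
static unsigned char arena[ARENA_SIZE];

/* Build a record whose length field claims claimed_len bytes but whose
 * payload actually holds actual_len bytes. Returns the record's real size. */
static size_t build_record(unsigned char *buf, uint16_t claimed_len,
                           const unsigned char *payload, size_t actual_len) {
    buf[0] = 1;                               /* heartbeat_request */
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, actual_len);
    memset(buf + HB_HEADER_LEN + actual_len, 0, HB_PADDING_LEN);
    return HB_HEADER_LEN + actual_len + HB_PADDING_LEN;
}

/* Vulnerable pattern: copies as many bytes as the record CLAIMS, never
 * checking how many bytes were actually received. Returns bytes copied. */
static size_t respond_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out) {
    (void)rec_len;                            /* the bug: never consulted */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Hardened pattern: the claimed payload must fit inside the bytes actually
 * received (header + payload + padding); otherwise the record is dropped.
 * Returns bytes copied, or 0 when the record is rejected. */
static size_t respond_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len) return 0;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Constructed placeholder for whatever else lives next to the record. */
static const unsigned char secret[] = "PLACEHOLDER_SECRET";

/* Lay out a 2-byte payload that claims to be 40 bytes, followed by the
 * placeholder secret. Returns the record's real size. */
static size_t stage_arena(void) {
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_record(arena, 40, (const unsigned char *)"hi", 2);
    memcpy(arena + rec_len, secret, sizeof secret);
    return rec_len;
}

/* 1 if the vulnerable responder's output contains the neighbouring bytes. */
static int vulnerable_leaks_neighbour(void) {
    unsigned char out[ARENA_SIZE];
    size_t n = respond_vulnerable(arena, stage_arena(), out);
    for (size_t i = 0; i + sizeof(secret) - 1 <= n; i++)
        if (memcmp(out + i, secret, sizeof(secret) - 1) == 0) return 1;
    return 0;
}

/* Bytes the hardened responder returns for the same over-claimed record. */
static size_t fixed_rejects_oversized(void) {
    unsigned char out[ARENA_SIZE];
    return respond_fixed(arena, stage_arena(), out);
}

/* Bytes the hardened responder returns for an honest 2-byte record. */
static size_t fixed_echoes_valid(void) {
    unsigned char out[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_record(arena, 2, (const unsigned char *)"hi", 2);
    return respond_fixed(arena, rec_len, out);
}

int main(void) {
    printf("vulnerable responder leaks neighbour: %d\n", vulnerable_leaks_neighbour());
    printf("fixed responder, over-claimed record: %zu bytes\n", fixed_rejects_oversized());
    printf("fixed responder, honest record: %zu bytes\n", fixed_echoes_valid());
    return 0;
}
```

The check in respond_fixed is the whole mitigation: a length field taken from the wire is untrusted input and has to be validated against the number of bytes that actually arrived before it is used as a copy length. In the real server the bytes past the record are not a neat placeholder but whatever happened to be adjacent in the process heap, which is why the article lists usernames, passwords and private keys among the possible contents.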
Leaked private keys allow the attacker to decrypt any past and future traffic to the protected services, and to impersonate the service at will. Any protection given by the encryption and by the signatures in the certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revoking the compromised keys, and issuing and distributing new ones. Even after going through these processes, any traffic the attacker intercepted in the past remains decryptable with the leaked key.
This vulnerable code was introduced in OpenSSL version 1.0.1, released in March 2012, which means that potentially some attackers have been eavesdropping on SSL-encrypted communications ever since. OpenSSL is used by some of the most popular server software, such as Apache and nginx, whose combined market share is over 66 percent, which makes this potentially a global problem.
It is impossible to know if you were ever a victim of this attack because it does not leave traces. The logs on the server will not show any malicious activity. You can, however, test whether a site is vulnerable to this bug using one of these tools:
The bug mainly creates problems on Web and email servers, where system administrators should update to OpenSSL 1.0.1g or newer. PCs, Macs and mobile devices are not directly affected, and antivirus software cannot help with Heartbleed.
There are a few things that every Internet user should do. Consider changing your passwords on your Yahoo, Flickr, and Tumblr accounts, as security researchers were able to get usernames and passwords out of Yahoo’s servers using this bug right after it became public. Also consider changing the passwords on your Google, Facebook and Dropbox accounts, as those services also confirmed that they were vulnerable to this bug. There are no reports of accounts on these services being hacked, but since this attack leaves no traces, there is a chance some of them were compromised.
On the bright side, most servers that run Microsoft software weren’t affected by Heartbleed, and neither were plenty of other sites, including Apple, Amazon, eBay, PayPal and most major banks.
By: Mite Tashev