As far as internet security is concerned, you are only as secure as your weakest link. Hackers are continually looking for loopholes in Content Management Systems, Operating Systems, Web Applications and Databases. The latest loophole that poses great danger to internet users has been christened the Heartbleed bug.
The Heartbleed bug was discovered only a couple of days ago, and by the time security experts found it, at least 66% of internet users using OpenSSL were reportedly affected. OpenSSL is a very popular encryption standard; it is in fact the de facto encryption standard for many applications. Hackers have exploited the loophole in OpenSSL, which allows extraction of massive loads of data from the normal day-to-day services that users often assume are secure enough.
The Heartbleed bug gives anyone an opportunity to compromise private keys, which can then be used to steal website traffic, customer databases or other sensitive business documents. The bug is really dangerous since it manages to achieve all this and more without leaving a trace.
What loophole does the Heartbleed bug exploit?
The exploit can be blamed on a weakness in the OpenSSL standard for encryption. This encryption standard is used by many websites to transmit data that users want sent securely. Typically, this encryption provides a secure connection when one is sending an email message or an instant message via online chat software. Encryption mainly works by making the data sent appear like nonsensical clutter to anybody except the intended recipient.
For the connection to be sustained, one of the nodes often sends out a data packet to the other node to ensure the connection is still active. This data packet is what is referred to as a heartbeat. This is the loophole that hackers have exploited since it is possible to send a packet that is disguised as a heartbeat with the principal aim of tricking the computer into sending data that is stored in memory.
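The trick described above, reduced to a small simulation as an added example (it is not OpenSSL's code and not part of the original article). It assumes the RFC 6520 heartbeat layout of a 1-byte type, a 2-byte claimed payload length, the payload and at least 16 bytes of padding; `mem`, `load_request`, `echo_unchecked`, `echo_checked`, `contains` and the sample secret are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_HEADER  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16  /* minimum padding required by RFC 6520 */
#define MEM_SIZE   64
/* Constructed "process memory": the received record, then unrelated data. */
static uint8_t mem[MEM_SIZE];
/* Store a request plus an adjacent secret; returns the real record length. */
static size_t load_request(const char *payload, uint16_t claimed, const char *secret) {
    size_t plen = strlen(payload), rec_len = HB_HEADER + plen + HB_PADDING;
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                              /* heartbeat_request */
    mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + HB_HEADER, payload, plen);
    memcpy(mem + rec_len, secret, strlen(secret));
    return rec_len;
}
/* Pre-patch logic: echoes as many bytes as the sender claims to have sent. */
static size_t echo_unchecked(size_t rec_len, uint8_t *out) {
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    (void)rec_len;                           /* never consulted: this is the bug */
    if (claimed > MEM_SIZE - HB_HEADER)      /* keep the simulation inside mem[] */
        claimed = MEM_SIZE - HB_HEADER;
    memcpy(out, mem + HB_HEADER, claimed);
    return claimed;
}
/* Patched logic: discard the request unless the claim fits the real record. */
static size_t echo_checked(size_t rec_len, uint8_t *out) {
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (rec_len < HB_HEADER + HB_PADDING || HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, mem + HB_HEADER, claimed);
    return claimed;
}
/* Returns 1 if needle occurs anywhere in the first n bytes of buf. */
static int contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}
int main(void) {
    uint8_t out[MEM_SIZE];
    size_t rec = load_request("ping", 40, "password=hunter2"); /* 4 sent, 40 claimed */
    size_t n = echo_unchecked(rec, out);
    printf("unchecked: %zu bytes, leak=%d\n", n, contains(out, n, "password=hunter2"));
    printf("checked:   %zu bytes\n", echo_checked(rec, out));
    return 0;
}
```

The only difference between the two responders is the comparison of the claimed length against the real record length, which is why a patched server simply drops the malformed heartbeat.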
To avoid losing your important data, it is highly recommended that you reset the passwords to all your online accounts. However, you should only reset a password once the Heartbleed bug has been fixed on the website; otherwise, resetting the password may not yield results. Examples of websites that have been patched include:
- Google, YouTube and Gmail
- Yahoo, Yahoo Mail, Tumblr, Flickr
The sites in question say that it is safe and highly recommended that you reset your passwords for the above websites. Apple and American Express are yet to patch the bug, so don’t reset your passwords just yet unless you get confirmation of the patch. If you want to check for yourself whether a website has been patched, there are numerous websites that can do so, such as Qualys.
As we have already seen, the Heartbleed bug only affects websites that use OpenSSL encryption. This means that not all websites were affected. Examples of websites that were not affected include:
You therefore don’t need to reset your password for the above websites.
When resetting your passwords, make sure you use strong passwords to enhance your online security. A strong password is at least 8 characters long and combines lower-case and upper-case letters, numbers and special characters.