I’ve heard of the Heartbleed Bug, but what is it & why should I be worried?

Due to Easter being next week, I’ll post next week’s blog this week. Hope you have a very Happy Easter!

Lately in the news, you’ve probably heard of the Heartbleed bug and that you should change all passwords. However, how many of you actually know what it is?

The Heartbleed bug (I love people who give these things names!) is a bug in a piece of software called OpenSSL. OpenSSL is one of the most widely used implementations of SSL/TLS, the protocols that put the padlock in your browser and scramble what travels between you and a website. I can see most of you go – huh and what is THAT? I teach people who are beginners at computers and they will be full of questions about this bug, so I’m going to take it from a beginner’s point of view – or at least try.


Heartbleed bug explained

As we know, or those of you who attend my classes, the internet is based upon connected networks that work on rules or protocols. Think of it like our road networks – we all must stay on the road and within the rules set out in each country. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the rules for carrying encrypted traffic, so that a password you type into a website cannot be read by anyone watching the wire in between.

OpenSSL is a toolkit, written by a group of volunteer developers, that implements those rules (SSL v2/v3 and TLS v1.0, 1.1 and 1.2) together with a general-purpose cryptography library. It is free software that anyone can use, change and share, in modified or unmodified form, and because it is free and well regarded, a large share of the world’s web servers, email servers and network devices use it. Using the road rules example, think of OpenSSL as the shared driving-school handbook that most drivers (web servers) learned from. A mistake in the handbook is a mistake on every road.

The mistake itself is small. TLS has an optional “heartbeat” feature, a little keep-alive message: your computer sends the server a short note and says how long the note is, and the server sends the same note back to prove the connection is still alive. OpenSSL versions 1.0.1 through 1.0.1f never checked that the stated length matched the note actually sent. So anyone could send a one-word note, claim it was about 64,000 characters (64 kilobytes) long, and get back 64,000 characters: the one word, plus whatever happened to be sitting next to it in the server’s memory. That neighbouring memory can hold other people’s passwords, login cookies and even the server’s secret encryption key. The request looks like ordinary traffic and leaves nothing in the server’s logs, so a website has no way of telling whether anyone did this to it. Nobody modified the protocol or broke the encryption; the fence simply had a gap in it from the day it was built. That gap, catalogued as CVE-2014-0160, is the Heartbleed bug.
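For readers who want to see the actual mistake rather than the fence analogy, here is an added example in simplified C. It is my own illustration, not the real OpenSSL source: the “process memory”, the planted secret and the heartbeat request are all constructed for the demonstration, and the padding is zeroed rather than random. It shows the heartbeat handler as it behaved before the fix, beside the checked version that OpenSSL 1.0.1g introduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
/* Room for the largest claim a 16-bit length field can make (65535 bytes). */
#define MEMORY_SIZE      (3 + 65535 + 1)

/* Constructed stand-in for a slice of the server's process memory: the
 * incoming heartbeat record sits at the front and bytes belonging to other
 * connections happen to follow it. Not real OpenSSL data. */
unsigned char process_memory[MEMORY_SIZE];

/* Write a heartbeat request whose length field says claimed_len but whose
 * actual payload is real_payload, then plant `secret` just after the record
 * (inputs are assumed small enough to fit). Returns the record's true length. */
size_t build_heartbeat(uint16_t claimed_len, const char *real_payload, const char *secret)
{
    unsigned char *p = process_memory;
    size_t real_len = strlen(real_payload);
    memset(process_memory, 0, sizeof process_memory);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);      /* big-endian length field */
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, real_payload, real_len);
    p += real_len;
    memset(p, 0, HB_PADDING);                      /* RFC 6520 padding */
    p += HB_PADDING;
    memcpy(p, secret, strlen(secret));             /* adjacent, unrelated memory */
    return (size_t)(p - process_memory);
}

/* Shared response builder: echo `payload` bytes starting at pl. In this
 * simulation the read stays inside process_memory; on a real server it reads
 * whatever neighbouring heap memory holds. */
static unsigned char *make_response(const unsigned char *pl, uint16_t payload, size_t *resp_len)
{
    unsigned char *buffer = malloc(1 + 2 + payload + HB_PADDING);
    unsigned char *bp = buffer;
    if (!buffer) return NULL;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);          /* copies whatever lies at pl[0..payload) */
    bp += payload;
    memset(bp, 0, HB_PADDING);        /* OpenSSL fills this with random bytes */
    *resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    return buffer;
}

/* Vulnerable handler (the logic of OpenSSL 1.0.1 through 1.0.1f): the peer's
 * length field is trusted and the real record length is never consulted. */
unsigned char *heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, size_t *resp_len)
{
    const unsigned char *p = rec;
    uint16_t payload;
    (void)rec_len;                               /* the missing check */
    if (*p++ != TLS1_HB_REQUEST) return NULL;
    payload = (uint16_t)((p[0] << 8) | p[1]);    /* read the claimed length */
    p += 2;
    return make_response(p, payload, resp_len);
}

/* Fixed handler (the bounds checks added in OpenSSL 1.0.1g): a record that
 * cannot hold the claimed payload plus padding is silently discarded. */
unsigned char *heartbeat_fixed(const unsigned char *rec, size_t rec_len, size_t *resp_len)
{
    const unsigned char *p = rec;
    uint16_t payload;
    if (1 + 2 + HB_PADDING > rec_len) return NULL;                     /* too short to parse */
    if (*p++ != TLS1_HB_REQUEST) return NULL;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return NULL;   /* lying length */
    return make_response(p, payload, resp_len);
}

/* Does the response carry the planted secret? (plain byte search) */
int response_leaks(const unsigned char *resp, size_t resp_len, const char *secret)
{
    size_t n = strlen(secret), i;
    if (!resp || resp_len < n) return 0;
    for (i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, secret, n) == 0) return 1;
    return 0;
}

int main(void)
{
    const char *secret = "password=hunter2";                  /* constructed */
    size_t rec_len = build_heartbeat(0x4000, "hi", secret);   /* claims 16 KB, sends 2 bytes */
    size_t resp_len = 0;
    unsigned char *resp = heartbeat_vulnerable(process_memory, rec_len, &resp_len);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n",
           resp_len, response_leaks(resp, resp_len, secret) ? "yes" : "no");
    free(resp);
    resp = heartbeat_fixed(process_memory, rec_len, &resp_len);
    printf("fixed: %s\n", resp ? "responded" : "request discarded");
    free(resp);
    return 0;
}
```

The whole bug is the one `(void)rec_len;` line: the old code sized and filled the reply from the number the client supplied, never from the number of bytes that actually arrived. The fix is two comparisons, which is why the patch was tiny even though the consequences were not.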


How can we protect ourselves?

If you read my explanation above, this is why IT people have suggested changing ALL passwords: nobody can tell which companies and programs leaked something, because the bug leaves no trace. Also be aware that people run on habits – most of us use the same password on many accounts. So even if a system hasn’t been affected, if you belong to just 1 system that has, the person or group who got your password there knows we are creatures of habit and will try it on other sites and equipment too. That is the reasoning behind the call to change your passwords.

One important caveat: change a password only after the site tells you it has been fixed. If you change it while the site is still vulnerable, the new password can be leaked exactly the same way as the old one, and you will have to change it again.

As I have been reading up on the bug, I have found that they are now saying ANYTHING, and I mean ANYTHING, that connects to the internet or is WiFi enabled – Blu-ray players, some versions of Android, TVs, Xboxes, Apple TV, WD TV, routers, modems, just to name a few – probably carries a copy of OpenSSL inside it. Not every one of these is affected; it depends on which OpenSSL version the maker built in. So for each device, check the maker’s website for a firmware update, apply it, and then change any passwords associated with it as well.

Most IT people heard about this as soon as it was whispered about, as we do try to stay current, and looked into it then. Chances are the websites you use have been fixed, or are in the process of being fixed, using what we call a patch. For Heartbleed that means moving to OpenSSL 1.0.1g or later, or rebuilding the older version with the heartbeat feature switched off. Think of a patch as putting a patch on a leak in a bicycle tire. The tire was working fine and the patch just goes on over the problem. A programming patch is the same thing, only in software. Because the bug could also have exposed a site’s secret key, careful sites have also replaced their security certificates, which is why your browser may show a newly issued certificate for a site you visit regularly.

To test a website, you can use this “Test your server for heartbleed” link. Just be aware that this can be tricky. For instance, our website is http://members.ozemail.com.au/~chisel; however, since the parent company is iinet.net.au, it did not show as being fixed but is fixed because of the parent company. One company can have many sections to it, and this service might not pick that up.

Here’s a list from Mashable of websites that have been working on the problem.

This Heartbleed Bug is new right?

Actually, this bug has been around for about 2 years, but has only just been discovered. The faulty code was added to OpenSSL at the end of 2011 and shipped in version 1.0.1 in March 2012. It was found independently by Neel Mehta of Google’s security team and by engineers at Codenomicon, and was announced on 7 April 2014 together with the fixed version, 1.0.1g. Remember, this is open and free software, so anyone can read the code – that is how the bug was found, but it also means anyone could have found it earlier, and because the bug leaves no trace there is no way to know whether somebody did.

What about Australia?

For Australia, Yahoo7 reports in the article “Aussie sites affected by Heartbleed bug” that the following services might have been affected:

  • GE Money is recommending customers change their passwords
  • Myer Visa Card and Myer Card websites have been affected. Myer said in a statement that it was “confident” customers had been protected from the security flaw
  • The Coles Mastercard website has been affected
  • routers, switches and firewalls
  • Cisco Systems and Juniper Networks and other companies which make similar products
  • home automation, such as smart thermostats, security and lighting systems

With the websites, a user would never have known whether there was a problem or not, because these protocols work between two programs – your browser, such as Internet Explorer, talking to the website’s server – and the user doesn’t see what is happening or being transferred. Usually these transfers are not a problem because of the protocols that are in place to protect you; this time, however, the safeguard that is there wasn’t completely doing its job.

In conclusion, make sure all equipment attached to a network – any network – has been updated. For routers and other devices, have a look around the settings pages (just click around, do not change anything unless you know what you are doing) for a firmware or software update option and apply it, and check the maker’s website for a Heartbleed notice. Once the software has been updated, THEN change your password – in that order, just to be on the safe side. If you have done all of these things, you have done what can reasonably be done.

Surf’s up!
