Tumblr users might have noticed a strange advisory appear at the top of their screens last week. The “friendly reminder” advised users that it might be a good time to change their passwords, and alluded to something called “Heartbleed.”
As it turns out, the bug, which compromises over two-thirds of websites on the Internet, has been reported as one of the worst security breaches in the history of the web.
According to Denis Gendron, Executive Director of Seattle University’s Office of Information Technology (OIT), the school has already taken measures to cope with the bug.
Ellucian, the company the university outsources its technological services to, informed OIT of the bug a week before the news of its existence started blowing up across news networks.
The company gave OIT the tools necessary to test IP addresses across campus for any vulnerability. OIT ran the scans over their normal services around campus, as well as an additional 122 other scans in the law school and library. They only found one point of vulnerability and dealt with it.
But what exactly is Heartbleed? According to a website recently created by Codenomicon, the Finnish security firm that first discovered the bug, Heartbleed is a fault in the encryption used to protect information on the Internet.
This encryption software, OpenSSL, is an extension of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. These systems are tasked with protecting most of the communication systems we use on the Internet, like instant messaging, email, and many other private services like banking.
By their numbers, the security firm estimates that 66 percent of Internet users will be affected by the leak.
Yahoo—which owns a number of sites, including Tumblr—reported that its systems had been compromised. It has fixed a number of websites already, including Flickr, Tumblr, and the Yahoo main pages, but is still working to secure its other sites. Other sites affected include Pinterest, Instagram, and Google.
Basically, most communication on the internet—including usernames and passwords—is protected under OpenSSL encryption, and the new bug allows anyone to simply ask for the information through a loophole in the program and obtain sensitive information.
According to Codenomicon, the Heartbleed bug “allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Essentially, it’s not good.
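The “loophole” described above, in simplified form. This is an added illustration, not OpenSSL’s code or Codenomicon’s material: a toy echo handler that trusts a length field supplied by the peer, placed beside a version that checks the claim against what actually arrived. The memory layout, the secret string and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Simulated process memory (constructed layout): the received record sits at the
 * front and an unrelated secret happens to sit right after it. */
static unsigned char arena[64];
static const char secret[] = "SESSIONKEY=hunter2";

/* Write a record [len_hi][len_lo][payload...] into the arena and park the secret
 * directly behind it. Returns how many bytes actually arrived "on the wire". */
static size_t setup_arena(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = (unsigned char)(claimed_len >> 8);
    arena[1] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 2, payload, plen);
    memcpy(arena + 2 + plen, secret, sizeof secret);
    return 2 + plen;
}

/* Vulnerable handler: echoes as many bytes as the peer *claims* it sent,
 * never checking that against the bytes actually received. */
static size_t echo_vulnerable(const unsigned char *rec, size_t received,
                              unsigned char *out, size_t outcap) {
    size_t len = (size_t)((rec[0] << 8) | rec[1]);
    (void)received;                 /* the missing check: received is ignored */
    if (len > outcap) len = outcap;
    memcpy(out, rec + 2, len);      /* reads past the record into neighbouring memory */
    return len;
}

/* Hardened handler: a claimed length larger than what arrived is discarded. */
static size_t echo_fixed(const unsigned char *rec, size_t received,
                         unsigned char *out, size_t outcap) {
    if (received < 2) return 0;
    size_t len = (size_t)((rec[0] << 8) | rec[1]);
    if (len > received - 2 || len > outcap) return 0;
    memcpy(out, rec + 2, len);
    return len;
}

/* Returns 1 if the handler's reply contains the neighbouring secret, else 0. */
static int reply_leaks_secret(size_t (*handler)(const unsigned char *, size_t,
                                                unsigned char *, size_t)) {
    unsigned char out[64];
    size_t received = setup_arena(40, "hi");   /* claims 40 bytes, sends 2 */
    size_t n = handler(arena, received, out, sizeof out - 1);
    out[n] = '\0';
    return strstr((const char *)out, secret) != NULL;
}

int main(void) {
    printf("vulnerable leaks secret: %d\n", reply_leaks_secret(echo_vulnerable));
    printf("fixed leaks secret:      %d\n", reply_leaks_secret(echo_fixed));
    return 0;
}
```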
To make matters even worse, anonymous sources told Bloomberg that the National Security Agency has known about the bug for over two years and, in the interest of “national security, has been using it to gather critical intelligence.”
The article includes a statement by Shawn Turner, the director of public affairs for the agency, about the bug:
“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”
According to the anonymous sources, however, the agency has been exploiting the bug since one of their thousands of hacking experts discovered it two years ago in order to access user passwords and information. This fact follows over a year of new discoveries about the agency’s nefarious spying activities on the American public.
At present, the Agency denies these claims.
So what can you, the average person, do to protect yourself against the bug?
Most experts advise that the average user consult one of the numerous sites that have been put up to list which websites have been affected. If you frequent those sites, check to see that they have updated their encryption software to deal with the bug.
If they have, change your password. If they haven’t, hold off—changing your password when others can still bypass the encryption technology won’t help.
Other than that, Gendron said, “there is not a thing in the world an average user can do to deal with the bug.”