Don't Panic! Heartbleed bug Explained
I suspect most of you will have been bombarded this week with stories from the media on how the Heartbleed bug is going to cause the downfall of the internet. Every criminal out there will have all your passwords, credit card numbers, shoe size, and the name of your first pet.
So should you be panicking and disabling every online account you’ve ever created, in preparation for a life cut off from civilisation as we know it?
Er, no. Don’t get me wrong, Heartbleed is a massive flaw in the internet and shouldn’t have happened. But, there’s been a lot of confusion within the reports, some screaming ‘CHANGE YOUR PASSWORDS NOW OR RISK EVERYTHING’. And some have indicated that changing your passwords won’t do a thing.
Here’s what the Heartbleed bug actually is and I’ve included some tips at the end of this blog on what actions you should consider taking:
Heartbleed is a bug in one specific application (OpenSSL), that can allow an attacker to retrieve a small amount of random data which may contain usernames, passwords or credit card data.
The key word here is random. You may get some data back when using the Heartbleed bug, you may not. This data may hold useable information, it may not.
This next bit may get a little complicated but I’ll do my best to keep it simple, (but by all means grab a cuppa…!) Ready? Here goes……
OpenSSL is an application used to encrypt traffic between your web browser and a web server. It does this to prevent people listening in on whatever information you’re sending or receiving to that website - be it an order from Amazon or your shopping from Sainsburys.
It’s what makes that padlock appear in the address bar of your browser, telling you that you’re secure.
As you move around these secure sites, a way of keeping this secure connection up and running is required. So a message called a ‘Heartbeat’ is sent periodically, basically to say to the server “Hey, I’m still here!”. Within this message is a string of text, set by your browser (if you want to know why have a look at http://tools.ietf.org/html/draft-ietf-tls-dtls-heartbeat-04 - it’s very comprehensive and technical though!)
This is where the bug comes from. Basically, the heartbeat message goes something like this “HEARTBEAT, sending 5 characters, HELLO”, the server will then reply “roger that, 5 characters, HELLO”.
However, the server doesn’t check to see you sent 5 characters, it just sends back the last 5 characters it received which SHOULD be the message you sent.
So, if you decide not to play by the rules and send a heartbeat message like “HEARTBEAT, sending 2000 characters, THIEF”, you will get back an answer like “Roger that, 2000 characters.....” and it will start sending you the next 2000 characters from memory, starting from wherever your THIEF message was stored.
This could be anything - passwords, credit card numbers, a short story, pictures of cute little kittens. It’s random, but as each time you do this you will get a different random section of data. And if you do it long enough, you’re likely to get something interesting.
Now all that is said, do we need to panic?
There's no need to panic, but you do need to be prepared and aware.
OpenSSL is generally only used on Linux based systems, so the majority of your work network is not likely to be affected. If you are a TSG SystemCare customer, then the systems that are affected (some firewall systems) have already been patched to resolve the issue.
The thing to look out for, is any website that you frequently use that may have been affected (a good site checker is at https://lastpass.com/heartbleed/).
So what now? 3 key tips
- If you use a site that has been affected, change your password, but only once it has been fixed. There is no point resetting your passwords twice.
- Beware of password reset emails. Unfortunately scaremongering is a favourite tactic amongst hackers, so many will have taken advantage of all the hype and sent phishing emails, trying to get you to change your password in order to grab your details. Never click on a link in an email to reset your password unless you requested it. Instead, type the address in your address bar yourself.
- Consider investing the time to start using a password manager. This will mean you can use unique passwords on each website you use, so if someone gets your Hotmail password, it’s not the same as your Facebook account. Watch this space for a blog post on this topic soon...