When I first heard about the Heartbleed virus yesterday morning, I brushed it off thinking, “Pshh. I’m young and healthy. I shouldn’t be worried about any heart virus.” So you can imagine it was a surprise to later learn that Heartbleed is indeed not a virus of the human heart, but rather a code bug that spawned the largest internet security breach in over a decade.
The online world was rocked Wednesday when a major vulnerability in more than 500,000 web servers across the world was made public. Called the “Heartbleed Bug,” the vulnerability was found in the web’s OpenSSL code – a framework used by millions of sites to secure online transactions and keep customers’ personal data out of harm’s way.
The worst part? The vulnerability has actually been around since 2011. And while it may not have been common knowledge until this week, that doesn’t mean attackers didn’t take advantage of it years ago.
What Exactly is Heartbleed?
To understand what Heartbleed is, you first have to have a grasp of SSL technology. SSL, or Secure Sockets Layer, is open source code used by millions of websites and web servers to store data and ensure that data is secure and safe from harm. It is used on virtually any site that accepts payments, allows you to purchase things or has you log into an account. For more than a decade, it’s been the industry standard for keeping online data and personal information secure.
The Heartbleed bug is a flaw in the SSL code, one that essentially negates the technology’s “secure” purpose and makes data vulnerable to theft. It’s located in the “Heartbeat” extension, which allows SSL-based websites to establish and maintain a secure connection with users for an extended amount of time. The flaw gives hackers a way to access that connection and read, capture, and steal any data stored in the system’s memory.
They can access emails, instant messages, credit card data, passwords, and any other information housed there, and they can even eavesdrop on live communications and web browsing. According to experts, the vulnerability was first introduced three years ago, when an update to the source code was released publicly.
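The mechanism described above, as an added example that is not part of the original post and is not OpenSSL’s own code: a simplified Python model of the Heartbeat request handling, with the pre-fix behaviour beside the bounds check that OpenSSL 1.0.1g added. The "memory" here is a constructed byte string in which a fake secret sits right after the heartbeat record, standing in for whatever the real server’s heap held nearby.

```python
import struct
from typing import Optional, Tuple

# Constructed "neighbouring memory": in the real bug the over-read walks into
# whatever the server's heap held next to the request (the emails, passwords
# and session data the post mentions). Here it is a fake secret after the record.
SECRET_NEIGHBOUR = b"session_cookie=abc123; password=hunter2"

def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat request: type (1 byte) | payload_length (2 bytes) | payload | 16 bytes padding.
    claimed_length goes into the header independently of len(payload)."""
    return struct.pack("!BH", 1, claimed_length) + payload + b"\x00" * 16

def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: trusts the length field in the header and echoes
    that many bytes from the payload's position, never comparing it with the
    size of the record that was actually received."""
    _hb_type, length = struct.unpack("!BH", memory[:3])
    return memory[3:3 + length]        # runs past the record into neighbouring data

def patched_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g behaviour: the claimed payload plus its 16 bytes of padding must
    fit inside the received record; otherwise the request is silently dropped."""
    if record_len < 1 + 2:             # too short to even hold type + length
        return None
    _hb_type, length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + length + 16 > record_len:
        return None
    return memory[3:3 + length]

def simulate(claimed_length: int, payload: bytes = b"hi") -> Tuple[bytes, Optional[bytes]]:
    """Place one heartbeat record in front of the constructed secret and run both handlers."""
    record = build_heartbeat(payload, claimed_length)
    memory = record + SECRET_NEIGHBOUR
    return vulnerable_handler(memory, len(record)), patched_handler(memory, len(record))

if __name__ == "__main__":
    leaked, dropped = simulate(claimed_length=30)
    print("vulnerable echoed:", leaked)   # includes bytes of SECRET_NEIGHBOUR
    print("patched returned:", dropped)   # None: request rejected
```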
Who Was Affected by Heartbleed?
Any site that uses SSL or has an https:// at the beginning of its URL is susceptible to the Heartbleed bug. According to GitHub, of the web’s top 1,000 websites, more than half utilize SSL in some form on their site. Virtually any site you log into, input payment information on or have an account with is going to have SSL installed, simply to secure your information. Social media sites, ecommerce sites, shopping engines, online banking and web-based email clients – they all use it. Even major sites like PayPal, Amazon, Google and other big players were affected by the Heartbleed bug.
In order to safeguard their users and customers, these sites will need to install the security patch that was released on Wednesday. This patch closes up the hole that would allow attackers in, and ensures the SSL framework is, once again, secure.
Heartbleed & Ecommerce
The Heartbleed bug undermines all of the PCI-compliant online retailers out there. This means that your consumer data, including credit card and contact information, is theoretically vulnerable to a security breach.
In order to protect your customer data, check to see which version of OpenSSL you’re running. Affected versions include OpenSSL v. 1.0.1 through v. 1.0.1f. Patching or removing the heartbeat extension will protect your webstore for the foreseeable future.
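One way to do that version check, as an added example that is not part of the original post: classify the banner printed by `openssl version` against the range named above (1.0.1 through 1.0.1f affected; 1.0.1g carries the fix). The function names and labels are this example’s own. Caveat: Linux distributions often backport the fix without changing the version letter, so a banner in the affected range is a prompt to check the package changelog, not proof on its own.

```python
import re
import shutil
import subprocess
from typing import Optional

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?=\s|$)")

def classify_version(banner: str) -> str:
    """Classify an `openssl version` banner against the range the post lists.

    Returns 'affected' for 1.0.1 through 1.0.1f, 'fixed' for 1.0.1g and later
    letters on that branch, 'outside_listed_range' for any other branch, and
    'unrecognised' when the banner does not parse (e.g. beta builds)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unrecognised"
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if (major, minor, fix) != (1, 0, 1):
        return "outside_listed_range"
    if letter <= "f":           # "" (plain 1.0.1) sorts before "a", so it counts as affected
        return "affected"
    return "fixed"

def local_openssl_banner() -> Optional[str]:
    """Run the local `openssl version` binary, or return None if it is absent."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True)
    return out.stdout.strip() if out.returncode == 0 else None

if __name__ == "__main__":
    banner = local_openssl_banner()
    print(banner, "->", classify_version(banner) if banner else "openssl not found")
```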
It’s also advisable for retailers to reset user passwords and replace their current SSL certificate. It seems like a lot of work, but it’s important to protect consumer data and avoid a Target-like scare, where profits have reportedly dropped by 46% in Q4.
What Can You as a Consumer Do to Protect Yourself from Heartbleed?
Most major companies that operate on an SSL framework have already applied the security patch that was released earlier this week, effectively closing the door through which attackers could enter. There may be some smaller companies, however – some with fewer resources – that have not been able to get around to installing the patch just yet.
At any rate, just to be safe, you can run any site you plan to log into through this site, and it will reveal if there are any Heartbleed-related problems you should be aware of before going forward. Mashable also has a good list of major websites that have been affected.
There are also a few other steps you can take to ensure your personal data and information is not at risk due to Heartbleed:
- Log out of and back into every session in your web browser – your email, your accounts, your social sites, anything else you have open. This will ensure you’re using the most updated, secure version of the site’s SSL framework.
- Once you’ve confirmed that a site has, in fact, installed the security patch, log into your account and change your password. Though there’s no way to confirm that your password or account information was leaked via Heartbleed, changing your password can ensure that even if it was, no hacker could use it to access your account.
- You can also check this comprehensive list by GitHub. It names any known sites that are vulnerable to the Heartbleed bug, so you can steer clear in your web browsing.
The worst part about the Heartbleed bug is that there’s no way to know whether your accounts or personal data have been affected. Since the vulnerability has existed for at least three years, any savvy hacker could have accessed it during that time. The only way to proceed now is to move forward, install the patch, and be extra diligent in what sites you log into or buy from in the near future.