ITV Daybreak: De-mything the Heartbleed Bug
Here’s what we know about Heartbleed (as of today – it’s a developing story) plus some pointers about what you need to do to protect yourself:
What is the Heartbleed Bug? The Heartbleed Bug (or CVE-2014-0160, to give it its official name) is a vulnerability in OpenSSL, the fundamental bit of code used by as many as 500,000 websites to encrypt the data we send online. The upshot is that sensitive data such as our usernames, passwords and credit card details could potentially have been exposed to hackers. It doesn’t matter what device you’re using to connect to the web – a laptop, Mac, Windows, iPhone or Android – the vulnerability is in the web server that you’re connecting to.
Is it serious? Heartbleed is a serious enough vulnerability that it’s forced website owners all over the world to update and patch their web servers. And we’re talking about the big players, like Yahoo and its services such as Flickr and Tumblr; some banks and even the FBI’s website are impacted too, an estimated half a million sites in total. Some sites such as Google and Facebook managed to patch their services early on or before the vulnerability was made public, but that doesn’t mean they weren’t vulnerable beforehand. And it’s not just websites that use OpenSSL, it’s email and instant messaging services too.
Who has exploited it? Concerningly, even though the Heartbleed Bug has only just been made public (by researchers at Google and Codenomicon) this vulnerability has been around for a couple of years. Perhaps nobody knew it was there until the last week. Perhaps (and this is speculation) some people did know but, having free access to privileged and sensitive data, chose to keep quiet about it. As it’s difficult to trace if and when the vulnerability has been exploited, we may never know.
What can we do? Some of the knee-jerk advice online has been ‘don’t go to work until you’ve changed all of your passwords’, but that might actually put you at more risk until the affected servers get patched with the fixed version of the OpenSSL code. Good advice is to check whether your service was impacted by the bug – this link on Mashable is pretty comprehensive – and, as per that advice, change your password only when it is safe to do so. Whatever you do, don’t use the same password for multiple accounts – consider using a secure password manager to keep track of them all. And, as always, keep a close eye on your bank statements for suspicious transactions.
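As an added illustration of the ‘change your password only when safe’ rule (example code written for this page, not part of the ITV segment), the helper below takes a constructed list of accounts with their patch status and tells you which passwords to rotate now, which to hold off on until the service is patched, and which are reused across services. The Account fields, service names and dates are assumptions, not real data.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    service: str
    was_vulnerable: bool            # did the service run a vulnerable OpenSSL?
    patched_on: Optional[date]      # None = not patched yet (as far as you know)
    password_changed_on: date
    fingerprint: str                # hash of the password, so reuse can be spotted


def fingerprint(password: str) -> str:
    # Only a hash is kept, so the password itself never sits in this list.
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def rotation_advice(acct: Account, today: date) -> str:
    """Apply the page's rule: rotate only once the server is fixed."""
    if not acct.was_vulnerable:
        return "no action"
    if acct.patched_on is None or acct.patched_on > today:
        # A new password sent to a still-vulnerable server can leak just like the old one.
        return "wait until patched"
    if acct.password_changed_on <= acct.patched_on:
        # Changed before (or on the same day as) the patch: the old one may have leaked.
        return "change now"
    return "already rotated"


def triage(accounts: List[Account], today: date) -> Dict[str, str]:
    return {a.service: rotation_advice(a, today) for a in accounts}


def reused_passwords(accounts: List[Account]) -> List[List[str]]:
    """Groups of services sharing one password fingerprint (the page's 'don't reuse' advice)."""
    groups: Dict[str, List[str]] = {}
    for a in accounts:
        groups.setdefault(a.fingerprint, []).append(a.service)
    return [svcs for svcs in groups.values() if len(svcs) > 1]


# Constructed sample data; dates are illustrative only.
TODAY = date(2014, 4, 10)
SAMPLE = [
    Account("webmail", True, date(2014, 4, 8), date(2014, 1, 15), fingerprint("correct horse")),
    Account("photos", True, None, date(2014, 4, 9), fingerprint("battery staple")),
    Account("bank", False, None, date(2013, 11, 2), fingerprint("correct horse")),
    Account("social", True, date(2014, 4, 7), date(2014, 4, 9), fingerprint("xkcd936")),
]
```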