I know these posts about hackers getting hold of your data are starting to sound like a broken record; however, another serious Internet security flaw has been discovered.
A bug named Heartbleed has made it possible for millions of usernames, passwords, credit card numbers and other personal data to be exploited during the more than two years it went undetected.
Yes, this bug has been present for two years.
A Google researcher and a Finnish security firm called Codenomicon discovered Heartbleed. The researchers have put up a dedicated site to answer common questions about the bug. They even gave it an adorably gruesome custom icon.
This bug has a brazen irony surrounding it: it is in the code designed to keep servers secure. The HTTPS (HTTP running on software known as SSL) present in the left-hand corner of the browser bar for most sites you visit is reportedly the bug carrier. The software encrypts sensitive information to protect people’s privacy. At least 500,000 servers were reportedly vulnerable.
The bug being present for so long, along with the fact that data breaches can’t be detected, has experts calling Heartbleed the worst bug yet.
One website equated the bug to someone going on vacation and leaving their home unlocked. Did someone come in while they were gone? Did they find and copy any sensitive data or personal information? How would you know? In essence, once an attacker breaches the software, they have the keys to walk in the front door (unencrypted data), take almost anything (your personal and sensitive data), and walk back out without your knowledge.
Companies have moved to implement fixes, but none can say whether any exploits have taken place because perpetrators leave no trail.
It’s not just an issue for major sites. A lot of smaller online stores and services use OpenSSL, and those sites might take longer to make the necessary fixes. Websites don’t typically publicize whether they’re using OpenSSL, so the process will also be bumpy for consumers.
Now, before you start changing passwords and usernames, be sure that your sites have implemented the bug fix. If the fix hasn’t been implemented, you could simply be giving potential attackers a new set of credentials to exploit and acquire your data. If you’re not sure about a site, ask them. Here is where the catch-22 is going to come into play for those who use one ID to access more than one site. On one hand, a bad guy gets access to many sites with one ID. On the other hand, it makes changing access to many sites easier for those who need to change passwords and user IDs.
Go to the dedicated Heartbleed site for updates and more in-depth details.