Thursday, April 10, 2014

HEARTBLEED scare: Test now and protect yourself against this nightmare

Heartbleed is not the name of a new Hollywood flick; it is the latest bug to pounce on the Internet, and it threatens two decades' worth of effort to persuade people to trust the web for buying things, sending mail and, of course, banking. Companies are still assessing the situation and trying to work out how much of their user base is exposed. The scene suddenly looks so grim that you may fear logging in even for a chat. Today Dailybhaskar.com tells you what the "Heartbleed" bug is, why it is so scary and whether you can protect yourself against it.

What is Heartbleed?

It is a bug (tracked as CVE-2014-0160) in OpenSSL, the open-source cryptography library that a large share of web servers use to speak SSL/TLS, the protocol behind https. It is not malware and will not infect your computer, but it matters to you because it affects the servers you connect to (and client software built on a vulnerable OpenSSL is exposed in the same way when it talks to a malicious server). According to Wikipedia, the vulnerable code was committed on December 31, 2011 and came into widespread use with the release of OpenSSL 1.0.1 on March 14, 2012; versions 1.0.1 through 1.0.1f are affected. By reading the memory of a web server, attackers can access sensitive data and compromise the security of the server and its users. Whenever you send encrypted data (for safety and privacy), it travels to a server that decrypts it with a library such as OpenSSL, which describes itself as "a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols".

Is it actually scary?

Yes. The bug sits in OpenSSL's implementation of the TLS "heartbeat" extension, a keep-alive message in which one side sends a small payload and the other echoes it back. An attacker sends a malformed heartbeat request whose stated payload length (up to 65,535 bytes) is larger than the payload actually sent. The vulnerable server never checks that claim against the size of the message it really received, so it copies up to about 64 KB of whatever happens to follow the request in its own memory into the reply. The request needs no login, can be repeated as often as the attacker likes, and leaves nothing in the server's logs. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," says Heartbleed.com.

Think of a receptionist who, to show the line is still open, repeats back whatever you just said. Normally you say five words and hear those five words. A vulnerable receptionist believes your claim that you said a thousand words and reads you a thousand words off the desk, including whatever other people's notes happen to be lying next to yours: their passwords, their private messages, even the key to the building's safe. You can imagine what happens next. Yes, you could be doomed!

According to the LA Times, the bug enables any hacker with the most basic of skills to use a simple piece of software to gain access to the IDs and passwords of a site's users in just a few minutes. It went undetected for two years, and exploiting it leaves no trace that you (or the server your computer interacts with) would notice, explains Mashable.

What is being done by companies hosting servers?

Yahoo announced that it has started working on fixing the hole. "Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now," it told CNET. Twitter has said that it is not affected by the bug: "we were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation."
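To make the mechanism above concrete, here is an added example written for this page; it is not code from the article, from Heartbleed.com or from OpenSSL. It simulates the flaw in C on a byte array that stands in for the server's memory: a constructed `secret` string is placed right after the received heartbeat request, and two hand-written handlers that only mirror the shape of OpenSSL's `tls1_process_heartbeat()` before and after the 1.0.1g fix are fed a request that claims 65,535 bytes of payload while really carrying five. No TLS is spoken; the names `memory`, `secret`, `build_heartbeat` and `probe` are all this example's own.

```c
/* Simulation of the Heartbleed over-read (CVE-2014-0160). Not OpenSSL code:
 * the handlers mirror the shape of tls1_process_heartbeat() before and
 * after the 1.0.1g fix, and "memory" stands in for the server process heap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* the heartbeat spec requires at least 16 bytes of padding */

/* Big enough that a 65535-byte over-read stays inside the array in this toy;
 * a real server would be reading neighbouring heap allocations instead. */
static unsigned char memory[70000];
static unsigned char reply[70000];
static const char secret[] = "session=4f3c9a...; password=hunter2";  /* constructed */

/* Build a heartbeat: type(1) | payload_len(2) | payload | padding.
 * claimed_len is what the message says; real_len is what is really there.
 * Returns the length of the TLS record that would carry the message. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t real_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 1 + 2 + real_len + HB_PADDING;
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f): trusts the length field in
 * the message and never compares it with the record that actually arrived. */
static long process_heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                         unsigned char *out)
{
    (void)record_len;                               /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* reads far past the request */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + (long)payload + HB_PADDING;
}

/* Patched handler (the 1.0.1g fix): bound the claimed payload by the record
 * length and silently drop the message if it does not fit. Returns -1 on drop. */
static long process_heartbeat_fixed(const unsigned char *rec, size_t record_len,
                                    unsigned char *out)
{
    if (1 + 2 + HB_PADDING > record_len) return -1; /* cannot even hold the padding */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + (long)payload + HB_PADDING;
}

/* Send one heartbeat whose length field claims 'claimed' bytes but really
 * carries the 5-byte payload "hello", with the secret placed right after it.
 * Returns the reply length (-1 if dropped); *leaked gets the number of secret
 * bytes that came back. A remote scanner makes the same observation from the
 * outside: a reply much longer than the request it sent means "vulnerable". */
static long probe(uint16_t claimed, int use_fixed, size_t *leaked)
{
    memset(memory, 0, sizeof memory);
    size_t record_len = build_heartbeat(memory, claimed, (const unsigned char *)"hello", 5);
    memcpy(memory + record_len, secret, strlen(secret));    /* adjacent heap data */

    long n = use_fixed ? process_heartbeat_fixed(memory, record_len, reply)
                       : process_heartbeat_vulnerable(memory, record_len, reply);

    /* reply[i] mirrors memory[i] for every byte the handler copied, so the
     * secret shows up in the reply at the offset it had in memory. */
    *leaked = 0;
    if (n > 0)
        for (size_t i = 0; i < strlen(secret) && record_len + i < (size_t)n - HB_PADDING; i++)
            if (reply[record_len + i] == (unsigned char)secret[i]) (*leaked)++;
    return n;
}

static long reply_length(uint16_t claimed, int use_fixed)
{ size_t l; return probe(claimed, use_fixed, &l); }

static size_t secret_bytes_leaked(uint16_t claimed, int use_fixed)
{ size_t l; probe(claimed, use_fixed, &l); return l; }

int main(void)
{
    printf("honest request, vulnerable: %ld-byte reply, %zu secret bytes\n",
           reply_length(5, 0), secret_bytes_leaked(5, 0));
    printf("claims 65535,   vulnerable: %ld-byte reply, %zu secret bytes\n",
           reply_length(0xFFFF, 0), secret_bytes_leaked(0xFFFF, 0));
    printf("claims 65535,   patched   : %ld-byte reply, %zu secret bytes\n",
           reply_length(0xFFFF, 1), secret_bytes_leaked(0xFFFF, 1));
    return 0;
}
```

The honest request gets a 24-byte echo from both handlers. The lying request gets a 65,554-byte reply from the vulnerable handler, with the whole constructed secret inside it, while the patched handler drops it. Note that the fix is a single bounds check against the length of the record that actually arrived, which is why the page's advice to upgrade (or build with `-DOPENSSL_NO_HEARTBEATS`) is the whole of the server-side cure for the over-read itself.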
How do I test whether my site is vulnerable?

Though it is also a stunt to attract customers, HostGator offers something you will like: a tester for the Heartbleed vulnerability. HostGator says it has "already patched for this vulnerability", so if your website is hosted there you can raise a support ticket and ask for assistance, and if you are not a customer it is offering a discount to move. If you just want to check whether your site is vulnerable, you can use a free check here, or head to Filippo Valsorda's tester at filippo.io, whose page also lists the issues you may run into while fixing the bug. If you run the server yourself, you can also check from the command line: `openssl version` on the server shows the OpenSSL version (1.0.1 through 1.0.1f are affected, but many Linux distributions patch the bug while keeping the old version number, so consult your vendor's advisory rather than trusting the number alone), and nmap's `ssl-heartbleed` script (nmap 6.45 and later, run as `nmap -p 443 --script ssl-heartbleed <host>`) probes a host the same way the online testers do. Whatever you use, test every TLS service, not just port 443: mail (SMTP, IMAP and POP over TLS), VPNs and admin panels built on a vulnerable OpenSSL are affected just the same.

Can you protect yourself?

1. You kill a bug at the point of infection, right? Since the bug affects servers, the precaution has to be taken at the server level. This means the companies whose services you use, Gmail for email, Yahoo for Yahoo Mail, Twitter and Facebook for feeds, payment channels such as banks, PayPal and others, have to do their bit in protecting your security. "Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS," says Heartbleed.com. It further says "Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use." Patching is only the first step for a site operator: because the server's private key may already have been read, it should also generate a new key, have a new certificate issued and the old one revoked, and invalidate existing session cookies. A patched server that keeps a stolen key can still be impersonated.

2. What you can do is avoid logging in to a site until you hear that the service has patched the problem. Most companies will alert you or post updates. Twitter, for instance, has announced that it is not affected, so you can use it to tweet this information or anything else you like. Do not rush to change passwords before a service has patched: a new password typed into a still-vulnerable server can be stolen just like the old one. Change them once the service confirms it has patched and reissued its certificate.

3. Reach out to the businesses that handle your data and ask whether your data is safe and whether the company is aware of the Heartbleed bug.

4. Better to stay away from online transactions using a credit card, debit card or online banking. If you must, check with the bank that it has applied the fix. If you take the advice of The Tor Project (free software known for enabling online anonymity and censorship resistance), keep away from the Internet: "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle," it says in a blog post.

Beyond this, be aware that you cannot actually do much. The bug has to be fixed by the OpenSSL developers and by the people running the servers. So wait for updates from your service providers.
