Killing the Heartbleed Bug

On Sunday April 7 2014, security experts held their breath after news broke worldwide of the Heartbleed Bug. The topic made global headlines after the OpenSSL team released a statement in which they announced a serious vulnerability in their popular SSL/TLS packages.

At this point you must be wondering why this is an important issue. So first thing’s first; OpenSSL is an implementation of the SSL/TLS cryptography protocols. This basically means that SSL/TLS enables communication security and privacy over the internet for web applications such as email, Instant Messaging (IM) and some Virtual Private Networks (VPNs).

Fortunately, Neel Mehta, an employee at Google Security, found the bug on that particular Sunday morning. According to German developer Robin Seggelmann, who was working on improving the OpenSSL software two years ago, he made the awful mistake of missing a validated variable containing a length in a bug fix. That specific error made it into the released version which is now used by renowned corporations including Google, Facebook, Instagram, and SoundCloud.

Services provided by companies such as Google, Facebook and Instagram are used by millions of people worldwide on a daily basis, and what is peculiar (and shocking) about this case is that allegedly, the National Security Agency (NSA) was aware of the Heartbleed Bug for at least two years, but used it to gather data on certain individuals.

Yahoo, SoundCloud, GoDaddy, and Amazon are a few of the websites that have been affected by the bug and there has been an urgent call to action for all users of these webpages to change their access details. The reason for immediate action, is due to the severity of the consequences.

The Heartbleed Bug has in effect enabled hackers to access all the data that is saved on the servers of each website affected. For instance, when you log into your Facebook account, ‘like’ a couple of posts and upload your baby’s first birthday photos, this specific data will be saved on the Facebook servers, and since they have been affected by the bug, all your personal data is up for grabs.

We can turn it up a notch with another scenario in which you log into Amazon and buy a selection of books. Your credit card details, postcode and address shared with Amazon to deliver your package, are up for grabs.

Though headlines have been dominated by the Heartbleed story, it seems as though the end user, the consumer, does not fully understand or appreciate the importance or the impact such a critical security breach has on their private data. Are we not scared to lose our identity online? Our personal data is out in the open, ready for anyone to pick up and use for their own personal gain.

Many network security providers are putting their efforts into minimising the damage that could or already has been done. To ensure your personal data is protected online, make sure you change your passwords on a regular basis. Changing your passwords should be done effectively by first researching whether the concerned websites have updated their security software, it would be useless to change your password on a website that hasn’t fixed the bug yet, hackers will still be able to retract your renewed password.

Several media outlets have compiled a list showing which popular websites have been affected by the bug and if you can change your password on them. Mashable for instance has compiled a Heartbleed hit list, comprising of all social networks that have been affected and on which sites you can now safely change your password.

It takes you two minutes to change your password. Value your personal data saved online and do all you can to keep it private and stop the bug in its tracks.