Heartbleed, what is it and how does it affect you?


You may have heard about Heartbleed and are wondering what it is and how it affects you. To answer that question, we will need to start with a small lesson on how internet security works (don’t worry, I’ll keep this simple).

There are generally two types of sites you would access: those that deal with secure information such as banking or personal info, and those that do not. An example of a secure site would be your bank’s online banking portal. That site deals with very sensitive personal information and needs to be secured to prevent people from stealing your data. An example of a site that doesn’t need security would be this blog, www.local-pc-pro.com. We don’t deal with or track anyone’s personal data and we don’t have any customer or client interaction that has anyone sending us any personal info. So this site doesn’t have any security in place because there is no sensitive data being transmitted. You can tell if the site you are using is secured because the address will start with https://.

Roughly 60% of the secured sites on the entire internet use an encryption protocol called OpenSSL, and this is where the vulnerability lies. In simple terms, an error has been discovered in the code that allows someone access to all of the sensitive data that the encryption is supposed to protect. This could be usernames and passwords, sensitive documents and so much more.

What is Heartbleed exactly?

Basically, Heartbleed is just an error in code that a programmer missed when building the system. It may be a bit difficult to explain, but here is a quick overview:

When you request something from a secure site, you send a code for them to send back and say how long it is, e.g. “candy (5 letters)”. The server will read that and send you the 5 letters “candy” to verify the connection. Heartbleed is a problem in the code, where you can say “Send me back football (600 letters)”. The server will see this request and send you “football” and then add to that the next 600 letters of data that are stored in its memory. This extra data is where the protected information can be found.

This is a very simplified overview of how this bug works, and don’t worry if you don’t quite understand what it truly means, that is not quite the focus of this post.
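The mismatch described above, between the word sent and the length claimed, as an added C example (not part of the original post and not OpenSSL's code). A constructed `arena` array stands in for server memory; the function names and the sample secret are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory (not OpenSSL code): the request
   word is stored first, with unrelated sensitive data right after it. */
#define ARENA_SIZE 64
static char arena[ARENA_SIZE];

static void load_arena(const char *word, const char *secret) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, word, strlen(word));
    memcpy(arena + strlen(word), secret, strlen(secret));
}

/* Flawed reply: copies as many bytes as the sender claimed, never checking
   that number against the word that actually arrived. */
static size_t echo_flawed(size_t claimed, char *out, size_t out_size) {
    if (claimed >= out_size || claimed > ARENA_SIZE) return 0; /* demo stays inside arena */
    memcpy(out, arena, claimed);
    out[claimed] = '\0';
    return claimed;
}

/* Checked reply: a claimed length larger than what was received is refused. */
static size_t echo_checked(size_t claimed, size_t received, char *out, size_t out_size) {
    if (claimed > received || claimed >= out_size) return 0;
    memcpy(out, arena, claimed);
    out[claimed] = '\0';
    return claimed;
}

int main(void) {
    char out[ARENA_SIZE + 1];
    const char *word = "candy";
    load_arena(word, "password=hunter2");   /* constructed sample secret */

    echo_flawed(5, out, sizeof out);
    printf("honest request, flawed server : %s\n", out);
    echo_flawed(21, out, sizeof out);
    printf("inflated length, flawed server: %s\n", out);
    size_t n = echo_checked(21, strlen(word), out, sizeof out);
    printf("inflated length, checked server: %zu bytes sent\n", n);
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length with the number of bytes that actually arrived.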

Another important fact to be aware of is that this flaw is not a recent bug; it has been in the code for around 2 years. No one found it until recently.

What does this mean for you?

There are two sides you may be coming from: you are either a business owner with some sort of internet server that deals with sensitive data, or a consumer who uses the internet.

Most of us fall into that latter category, so let’s start there.

The first thing to check is whether or not the secure sites you access have updated their security. At this time, there is a patch available for the OpenSSL protocol that fixes the problem. So check with your bank, online shopping sites and any other sites where you supply any sort of personal info or login credentials to make sure they have the most recent version. Chances are, they do. Once you are sure they have the updated version, you will want to change your passwords for these sites. This will help ensure that your account remains safe if your data has already been leaked, but not yet used by a thief. Additionally, you would do well to implement a secure password management system. This is a piece of software that resides on your system, generates very strong and secure passwords for you, and tracks them so you don’t have to. Each of the sites you visit will be given a different password, but you will only have to keep track of one master password to access them; the software does the rest.

If you are a business owner or an IT admin for a company that owns a secure server, then you absolutely need to invest in getting it updated and secure if you have not already. Mostly, this means making sure you update the security software you are using for the secure connections and renew your SSL certificate. You should also invest in some very detailed security audits to make sure that your servers have not already been breached.

Where do we go from here?

This is one of the most catastrophic security breaches the internet has seen to date, if not the most catastrophic. It is almost impossible to determine how far-reaching this security flaw really is, how many systems have been compromised and how long it will take to truly fix. The best thing you can do as an individual is educate yourself in safe internet browsing habits, always use strong passwords and don’t use the same password for every site.


Tom Patch

I'm an IT consultant with 8 years of experience. Currently supporting consumers and small businesses in King and Pierce counties in Washington state. I can help with any general technological consulting, network administration and security, web development and hosting. Email - tom@local-pc-pro.com Blog - http://www.local-pc-pro.com/news-and-tech-tips/
