The Heartbleed Vulnerability in English

By now, you've probably heard of a serious vulnerability (called "Heartbleed") that has the security community and the news whipped up into a frenzy. There's plenty of advanced and detailed technical information available - as well as information condensed down to publicly digestible bites spread via the media that perhaps doesn't explain what is happening in sufficient detail.

Here's what you need to know.

What is Heartbleed, anyway?

Heartbleed is the name for a newly discovered bug in a piece of software called OpenSSL.

OpenSSL is an open-source, community-authored and maintained implementation of Secure Sockets Layer, a security protocol that encrypts data as it is transmitted across the Internet. Have you ever seen that lock icon in your browser when you do your online banking? That lets you know that the web site is encrypting the information you are sending and receiving with Secure Sockets Layer (SSL, or its replacement, Transport Layer Security, or TLS). When you connect to a website with a URL that starts with "HTTPS://", the SSL or TLS protocol is used to establish a secure and encrypted session between your browser and the web site.

Now, while you are perusing your bank balance and transactions, there is no data being transferred between the web site and your browser, but the connection remains open, consuming the web server's resources (memory, etc.). To determine whether the connection is still valid and needed, or whether it can be dropped and the consumed resources released for other tasks, OpenSSL has a component called Heartbeat that verifies that the connection is still alive. It is in Heartbeat that the vulnerability lies.

The bug in Heartbeat allows an attacker to trick the web server into returning data from the server's memory which may contain usernames, passwords, or other sensitive data -- or, it might contain absolutely nothing of value. However, since this attack is non-disruptive to either the server or client, the attacker can simply execute it continuously, each time bringing down more data that can be mined for sensitive information.
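To make the "trick" concrete, here is an added example (not OpenSSL's code, and not part of the original post) of the kind of check that was missing: a heartbeat message carries a field saying how long its payload is, and a server that copies that many bytes without comparing the claim to the number of bytes it actually received will copy from whatever memory follows. The message layout follows RFC 6520; the constant names, the two constructed sample records and the `scratch` buffer are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 * The flaw was trusting payload_length without comparing it to the
 * number of bytes actually received in the record. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static uint16_t declared_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* 1 if the declared payload plus padding fits inside the received
 * record, 0 otherwise. A server (or a network sensor) that applies
 * this test never reads past the bytes the peer really sent. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;   /* header can't even fit */
    return (size_t)1 + 2 + declared_len(rec) + HB_PADDING <= rec_len;
}

/* Build the response into out; return its length, or -1 when the
 * request is malformed and must be dropped without answering. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 || rec[0] != HB_REQUEST) return -1;
    if (!heartbeat_length_ok(rec, rec_len)) return -1;
    size_t n = declared_len(rec), need = 1 + 2 + n + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);           /* bounded: n + 19 <= rec_len */
    memset(out + 3 + n, 0, HB_PADDING);    /* real code fills padding randomly */
    return (int)need;
}

/* Constructed sample records (22 bytes each): a 3-byte payload "abc" plus
 * 16 zero padding bytes, once declared honestly and once claiming 65535. */
const uint8_t BENIGN_REQ[22]    = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };
const uint8_t OVERSIZED_REQ[22] = { HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c' };
uint8_t scratch[64];

int main(void)
{
    printf("benign:    %d\n", heartbeat_respond(BENIGN_REQ, sizeof BENIGN_REQ, scratch, sizeof scratch));
    printf("oversized: %d\n", heartbeat_respond(OVERSIZED_REQ, sizeof OVERSIZED_REQ, scratch, sizeof scratch));
    return 0;
}
```

The honest request gets a 22-byte reply; the one claiming 65535 bytes is rejected instead of being answered with 65 KB of whatever sat next to it in memory.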

XKCD published a great comic that describes the effect:

What is most concerning is that OpenSSL is the most widely used implementation of SSL/TLS around the world, with 2/3 of all secured Internet traffic using it, by some estimates. This exposes a lot of web sites, such as banking, healthcare, webmail, online file storage sites, and other treasure troves of personal information. Obviously, online commerce sites are especially vulnerable, as credit card data is constantly being provided.

What's the risk to me?

Fortunately, you would have to have been unlucky to be affected. You would have had to have entered (or viewed) sensitive data at the time that the attacker was attacking that particular web server (and web sites can have several servers, each of which would have to have been attacked). Further, the server would itself have to have been using not only OpenSSL, but a vulnerable version of it. Lastly, the attacker would have to extract that data from amongst the other random data that was retrieved.

On the other hand, this vulnerability has been in versions of OpenSSL dating back to March of 2012, so there has been plenty of time for someone to discover and exploit the bug. Detection of someone exploiting this vulnerability was extremely unlikely. However, it is likely that firewall and SIEM (security incident and event monitoring) vendors are rapidly programming their systems to detect these attacks, and, of course, most or all affected servers are either patched already or will be soon.

So, what should I do?

You might consider doing any or all of the following:

  1. Change your passwords on sites that have sensitive information, such as your bank, webmail, etc.

  2. Consider using long, random passwords generated and stored by an application such as 1Password. These would be much more difficult to pick out of the similar-looking random data that the attacker would have to wade through.

  3. Monitor your credit card and bank statements to ensure that no unauthorized charges have appeared. Many people received new credit cards in the wake of the Target (and other) breaches, which likely resulted in credit cards being changed (and potentially exposed) on multiple sites in a short period of time, elevating the risk.

  4. Verify with the operators of the web sites you frequent to ensure that they have upgraded their web server's implementation of OpenSSL to a fixed version - or, better yet, that they weren't using one to begin with.

Heartbleed may have a scary-sounding name, and is certainly a scary vulnerability, but if you take prudent steps, you can mitigate the effects of any attack that may have compromised your data.