What is it?
The "Heartbleed" bug affects OpenSSL, a widely used open-source software program used to encrypt Internet communications.
David Chartier, CEO of Codenomicon, the Finnish firm that helped to uncover the bug, told The Associated Press that OpenSSL is used on approximately two-thirds of web servers. OpenSSL is a variant of the encryption technology SSL/TLS.
How does it work?
The bug created an opening in the encryption software, which left web traffic on servers using OpenSSL open to potential snooping. This means that vast amounts of sensitive personal information, including millions of passwords and credit card numbers have been unwittingly left vulnerable to theft.
In a blog explaining the bug, Codenomicon writes: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. "
According to Codenomicon and Google, the two firms that helped uncover the bug, attackers can even exploit the security flaw without leaving any trace of their presence.
When was it discovered?
While Codenomicon and Google disclosed knowledge of the bug on Monday, they noted that it went unnoticed for as long as two years.
How serious is it?
While it is not yet known whether anyone has actually exploited the bug, Codenomicon is not mincing words when it comes to how serious "Heartbleed" is.
"You are likely to be affected either directly or indirectly," the company said. "OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL."
What can I do?
A fix for the bug was released on Monday, and it is now up to websites and service providers to install the update and inform their clients, Codenomicon said.
However, the company warns that, as long as versions of OpenSSL are still used without the update, the vulnerability can still be exploited.
Some security experts have started recommending that people change their online passwords.
"I would change every password everywhere because it's possible something was sniffed out," Qualys Chief Technology Officer Wolfgang Kandek told The Associated Press.
But changing your passwords won’t do anything until the bug is fixed, according to Ben Sapiro, senior manager at KPMG.
“Until the problem is fixed it’s not a good idea simply because it allows people who are acting in a criminal manner to see the passwords,” he told CTV News Channel on Wednesday. “So you could have exposure again and again and again until the problem is fixed.”
Sapiro added that a general good security tip is to regularly change your passwords, and to use different passwords for different accounts.
In a blog post Tuesday, Yahoo's blogging service Tumblr said that it had implemented the fix and found no evidence of any breach. It also recommended that people consider changing their passwords.
"This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
How to identify whether your server is vulnerable
Using the online test: http://filippo.io/Heartbleed/
Or via the command line, verifying the version of your OpenSSL package (assuming you use RPMs):
rpm -qa |grep openssl
Should return the following versions or greater
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
How to patch vulnerable servers :
Please contact us and we will patch your dedicated server $75 per hour.
Tuesday, April 8, 2014