On April 7th, a new bug on the Internet was discovered that’s putting millions of users’ personal data at risk. Given the name “Heartbleed bug,” it’s capable of allowing infiltrators to collect information while you are securely browsing a SSL/TLS website. Since SSL/TLS is so widely used, it’s very probably that your personal data is at risk.
What the Heartbleed bug essentially does is render privacy in the OpenSSL cryptographic library obsolete. Two of the biggest and most publicized websites affected that utilize OpenSSL security are sites associated with Google and Yahoo. These sites are getting the most media attention in regards to Heartbleed, but the fallout actually goes beyond these two sites and touches on every single website that uses OpenSSL security–which equates to more than two-thirds of all websites in the world!
The Heartbleed bug only applies to version 1.0.1 and 1.0.2 of OpenSSL. This vulnerability allows hackers to obtain private keys needed to view, and even steal, private information associated with a user’s breached account. If your online accounts are affected and your identity is stolen, then you will be in for a world of heartache.
At this point, you and millions of users around the world are asking the big question, “How could something like this happen?” Apparently, the problem lies not in the SSL/TLS specifications, but rather, the vulnerability stems from an implementation problem. It turns out that a programming mistake is responsible for leaking information from services and applications using OpenSSL. Typically, a bug of this nature is detected and fixed as soon as it’s found (which is why it’s so important to update your software). However, this bug wasn’t taken care of, and to make matters worse, this particular bug has been exposing sensitive data to hackers going all the way back to December 2012.
How do you know if you’ve been hit by the Heartbleed bug? Unfortunately, you can’t know for sure. The bug leaves no trace of a hacker’s activity, which means that you won’t know that you’ve been hit until:
- Charges show up on your credit card statement.
- You find yourself locked out of your accounts.
- You see a bogus loan taken out in your name.
- You find yourself victimized by any other of the fallouts associated with identity theft.
The number of websites affected is pretty massive. To help you find out if a website that you frequently use is compromised by the Heartbleed bug, check out this list from GitHub of the most popular websites left vulnerable by the bug.
You can also enter the websites that you frequent into this Heartbleed bug checker from LastPass. This tool will inform you if the website in question has applied a security patch or not.
If you have accessed an affected site over the past two years, you should change your password immediately. In fact, because of threats like the Heartbleed bug, it’s a best security practice to regularly switch out old passwords for new ones. We recommend doing this exercise once per quarter.
To find out for sure if your company has been breached or not by the Heartbleed bug, you can give PACE Technical Services a call at 905.763.7896. We can arm your business with our Unified Threat Management tool, which is the top enterprise network security solution on the market. Reach out to us today to find out more.