Have you heard about the newly discovered Heartbleed bug that has affected millions of sites across the entire Internet? At this point, the news is pretty widespread that on April 7, the world discovered a massive security problem that many Internet security researchers are saying is the top bug that has ever hit the Internet… but what IS it? If you’re looking for the real information about what Heartbleed is and how it affects your business, SWK’s Network and Computer Security Experts have the answers.
How much of the Internet does Heartbleed affect?
At least 17.5% of the Internet is affected by the Heartbleed bug, which is approximately half a million sites. Want to check if a specific site is affected? Filippo Valsorda created an easy site checker where you can enter the web address you’re curious about and see if it’s vulnerable. Go there right now and make sure your site doesn’t have any issues.
Where did the Heartbleed bug come from?
First off, it’s important to know that the entire Internet is written in code. Code is responsible for absolutely everything you see on the Internet. Here’s what one single paragraph looks like on your screen (left) and in code (right).
When you look at the Internet code, you realize that it’s complex, and it’s clear how oversights could happen. In essence, Heartbleed is a bug that someone introduced to the code, either intentionally or unintentionally, that no one noticed until much, much later. The bug is a “missing bounds check” in the heartbeat extension of OpenSSL. (I’ll explain that sentence clearly, don’t worry.)
What is OpenSSL?
OpenSSL is a type of software that allows your computer to securely communicate with password-protected sites on the Internet, like Yahoo!, Amazon, or Google (all of which are now safe from the Heartbleed bug).
What is the heartbeat extension?
The heartbeat extension is a part of OpenSSL that allows you to go to different webpages on a secure, password-protected site without having to re-enter your password every time you click on a new page. Without the heartbeat extension, you’d have to re-enter your password every time you looked at a product page on Amazon…which would be extremely annoying.
What does “missing bounds check” mean?
It means that the person who wrote the buggy code for the heartbeat extension told the extension what it could do (allow you to click new pages without re-entering your password), but forgot to tell the extension what it couldn’t do (um, everything else).
Oops.
What does a “missing bounds check” do?
An imaginative hacker realized that if the heartbeat extension had no set limits, it could be exploited to steal tiny amounts of information out of protected websites. The information was stolen 64 kilobytes at a time, which really is a tiny amount. (For example, I’m currently writing this post in Word. At this exact point, my document is 284 kilobytes, including the screenshot of the code. That’s almost 4.5 times the amount of information the hacker could steal off a protected site at one time…and my document is exactly one page of text right now.)
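To make the “missing bounds check” concrete, here is an added example in C. It is not OpenSSL’s code; it is a deliberately simplified stand-in. A heartbeat-style record carries a length field that says how many payload bytes follow, and the two-byte size of that field is why a single reply tops out at about 64 kilobytes. The buggy pattern trusts the length field and copies that many bytes back, so a record that claims more payload than it actually carries gets the neighbouring bytes of memory returned along with it. The fixed pattern compares the claimed length against the record actually received and refuses anything that does not fit. The record layout, the `memory` array, the “CONSTRUCTED-SECRET” string and every function name here are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat-style record (an assumption for this demo, not the real wire format):
   type (1 byte) | payload_length (2 bytes, big-endian) | payload bytes.
   The record sits at the start of a small simulated memory region; the bytes after it
   stand in for whatever else the process happened to have lying around in memory. */
#define MEM_SIZE 128
#define HDR_LEN 3

static unsigned char memory[MEM_SIZE];

/* Lay out a record in `memory`. `claimed_len` is what the length field says; the payload
   actually written is strlen(payload). Returns the record's real size in bytes. */
static size_t build_record(uint16_t claimed_len, const char *payload, const char *neighbour_data) {
    size_t real_payload = strlen(payload);
    size_t rec_len = HDR_LEN + real_payload;
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                                   /* heartbeat request */
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xFF);
    memcpy(memory + HDR_LEN, payload, real_payload);
    /* constructed neighbouring data that has nothing to do with this record */
    strncpy((char *)memory + rec_len, neighbour_data, MEM_SIZE - rec_len - 1);
    return rec_len;
}

static size_t read_length(const unsigned char *rec) {
    return (size_t)((rec[1] << 8) | rec[2]);
}

/* The buggy pattern: copy as many bytes as the sender's length field asks for.
   The copy is capped at MEM_SIZE only so this demo never reads outside its own array. */
static size_t respond_unchecked(const unsigned char *rec, unsigned char *out) {
    size_t n = read_length(rec);
    if (n > MEM_SIZE - HDR_LEN) n = MEM_SIZE - HDR_LEN;
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* The fixed pattern: the length field must fit inside the record actually received.
   Returns -1 and copies nothing when it does not. */
static int respond_checked(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len) {
    size_t n;
    if (rec_len < HDR_LEN) return -1;
    n = read_length(rec);
    if (n > rec_len - HDR_LEN) return -1;            /* this is the bounds check that was missing */
    memcpy(out, rec + HDR_LEN, n);
    *out_len = n;
    return 0;
}

/* Returns 1 if the unchecked reply to a record that lies about its length
   (5 real bytes, 60 claimed) contains the neighbouring constructed secret. */
int unchecked_leaks_neighbour(void) {
    unsigned char out[MEM_SIZE];
    size_t n;
    build_record(60, "hello", "CONSTRUCTED-SECRET");
    n = respond_unchecked(memory, out);
    out[n] = 0;
    return strstr((char *)out, "CONSTRUCTED-SECRET") != NULL;
}

/* Returns 1 if the checked version rejects the lying record and still serves an honest one. */
int checked_enforces_bounds(void) {
    unsigned char out[MEM_SIZE];
    size_t n = 0;
    size_t rec_len = build_record(60, "hello", "CONSTRUCTED-SECRET");
    int lying = respond_checked(memory, rec_len, out, &n);
    rec_len = build_record(5, "hello", "CONSTRUCTED-SECRET");
    if (respond_checked(memory, rec_len, out, &n) != 0) return 0;
    return lying == -1 && n == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void) {
    printf("unchecked reply leaks neighbouring bytes: %d\n", unchecked_leaks_neighbour());
    printf("checked reply enforces bounds:            %d\n", checked_enforces_bounds());
    return 0;
}
```

The point to take from the demo is that the leaked bytes are whatever happened to sit next to the record in memory, which is why no one could say afterwards what a given server had given away; the fix is one comparison between what the sender claims and what the server actually received.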
Why is such a tiny amount of data such a big deal?
Because even though the hacker can only steal 64 kilobytes at once, they can then go back and steal another 64 kilobytes, then another, then another. If someone were to come to your house every single minute and steal something small, it wouldn’t be too long before everything you owned was gone.
How long did the hacker have to steal this information?
Over two years. The bug was introduced on December 31, 2011, at exactly one hour before New Year’s.
What does Heartbleed mean for my business?
It means that you have to check your site to ensure that it’s safe, and you should probably reset all of your passwords on the Internet as well. You have to reset all of your passwords because Heartbleed is completely untraceable; no one can tell you which of your usernames and passwords (if any) have been stolen.
To make sure that you’re safe:
Reset your login information and passwords on every site you go to
Enable two-factor authentication where you can (that means that to get into a protected site, you’d have to enter your username and password, and then enter a randomly generated code that the system sends to your phone).
The most important thing you need to do right now is to make sure your site and business data are protected. If you’re worried, you can always contact the security experts at SWK Technologies, who will answer any questions you have honestly and clearly.