What is the “Heartbleed bug”, and do I need to do anything?
The “Heartbleed bug” has made headlines around the world, but what is it and how does it affect you? Matt Kirby investigates.
The Heartbleed bug has been widely reported – unfortunately it’s quite tricky to wade through all this information, and some of it has been inaccurate. So, what does it all mean?
What is it?
Simply put, the Heartbleed bug enables an attacker to access a chunk of memory on a remote server that they shouldn’t have access to. This memory could contain anything – your username, your password, the contents of a blog post or email. It could potentially contain the private key for the server’s certificate, which is used to verify its identity – and that would enable a hacker to create a spoof site that is almost indistinguishable from the real thing.
The scariest part is that this attack leaves no trace that it’s happened, and this bug has been around since 2012. As the attack is untraceable it’s impossible to know how many websites have already been attacked – however both Mumsnet and the Canada Revenue Agency are known to have been targeted.
Which websites are vulnerable?
It’s been estimated that around 17% of the world’s web servers are vulnerable (around half a million), and some of them are really big names – Google & Gmail, Pinterest, Instagram, Flickr and Yahoo!, to name just some.
This is a major flaw that could have a huge impact – the exact implications are not yet known.
Should I change my passwords?
Many media reports have advised changing passwords on everything – however this is only worth doing if the website was vulnerable and the owners have subsequently applied the patch. Mashable has a regularly updated page that lists several high-profile websites with advice on whether you should change your password or not.
You don’t need to change your password on any system that uses Microsoft software, so Hotmail, Outlook.com and any work email system that uses Outlook Web Access or Microsoft Exchange are all immune to this potential exploit.
As a general rule you also won’t need to change passwords on any banking websites – they tend to use their own software, which won’t have the vulnerable component.
As for every other website – you probably need to change your password.
Even if you don’t use any of the potentially affected services it’s still recommended that you change your passwords regularly – if you’ve not done this for a while now is as good a time as any.
If you are going to go through the process of changing any passwords, it’s worth looking at our advice on password management before you do. Now is also a good time to start using our recommended password management system, LastPass.
I run a website, do I need to do anything?
If you run or control a website that runs on Apache or Nginx and uses OpenSSL 1.0.1 through 1.0.1f (inclusive), it is vulnerable to Heartbleed and you will need to update to OpenSSL 1.0.1g. If you are using an older version of OpenSSL you aren’t vulnerable to Heartbleed, but it’s worth updating anyway. Full details are available on the Heartbleed website. If your website was vulnerable, best practice is to revoke your SSL certificate and get a new one after you have applied the patch – we can assist with this if required.
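The version rule above can be checked from a shell. The script below is an added example, not part of the original article: the function name `heartbleed_status` is hypothetical, the sample banners are constructed, and anything outside the versions the article mentions is reported as `unknown` rather than guessed.

```shell
#!/bin/sh
# Classify an OpenSSL version banner using the range given in the article:
#   1.0.1 through 1.0.1f (inclusive) -> vulnerable
#   1.0.1g and later 1.0.1 letters   -> fixed
#   older branches                   -> not-affected
#   anything else                    -> unknown (not covered by the article)
heartbleed_status() {
    ver=${1#OpenSSL }    # drop the "OpenSSL " prefix if present
    ver=${ver%% *}       # keep the first word: the version token
    ver=${ver%%-*}       # drop build suffixes such as "-fips"
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        1.0.1[g-z]*)      echo fixed ;;
        0.*|1.0.0*)       echo not-affected ;;
        *)                echo unknown ;;
    esac
}

# Constructed sample banners (not captured from real hosts).
for banner in "OpenSSL 1.0.1f 6 Jan 2014" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 0.9.8y 5 Feb 2013"; do
    printf '%-36s %s\n' "$banner" "$(heartbleed_status "$banner")"
done

# Check the OpenSSL command-line tool on this machine, if one is installed.
# This reports the library the CLI uses; Apache or Nginx may be linked
# against a different copy, so confirm which library the web server loads.
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version 2>/dev/null || true)
    printf '%-36s %s\n' "local: $local_banner" \
        "$(heartbleed_status "$local_banner")"
fi
```

A `vulnerable` result on a distribution-packaged build is a prompt to check the package changelog, because vendors can apply the fix without changing the upstream version letter.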
If none of the above makes sense to you, it’s worth contacting your web designers/developers and asking them if your website is vulnerable to Heartbleed. If your website is not using SSL at all, or is using Microsoft IIS, it won’t be vulnerable to Heartbleed.
You can also use some online testers to check your website – however, do be aware that the results from these tools are not 100% guaranteed:
- The first one that was available, from Filippo Valsorda – initially had reports of false-positives, but should be working now
- LastPass Heartbleed Checker – quick, but often inconclusive
- Qualys SSL Labs – very detailed, also does other SSL tests which may not be relevant and can take a while
At the time of writing this post, the Heartbleed bug has been in the news for around a week, with new stories appearing every day. To keep up with this and other security issues, follow either me (@MattKirbyICT) or @ICTPartnerships on Twitter.