Last week a major bug was discovered in the widely used SSL source code.
SSL code is used in many different security products and secure web browsing—think websites that start with https:/. Dubbed “Heartbleed,” this bug allows malicious users to steal small bits (64kb) of data from users and website hosts without being detected. In fact many popular websites like, Facebook, Google and Youtube, were compromised. By continually mining this exploit, malicious users could possibly extract information like usernames, passwords, security keys and tokens. When done strategically, this leaked information would setup hackers with the means to carry far more destructive attacks like identity theft or transferring funds from you bank…scary, right?
Now, before you panic, this doesn’t mean all of your information has been snatched up by diabolical masterminds like Dr. Evil. While it is possible for malicious users to get your information, it doesn’t necessarily mean they have. The mechanics of Heartbleed attacks work in a way that they can only steal a small piece of information from the local memory on your computer for a short duration of time. This means that if there was no personal information on that memory during their attack they won’t have any of your personal information. You should still be wary however, because a dedicated hacker can repeat these attacks over and over again until they have that information they are looking for. So don’t panic…but tread carefully.
For the technically inclined here is an explanation on how it works.
What should you do about it?
Thankfully, many sites have already started patching their software so that Heartbleed is no longer an issue. As a precaution you should check to see if the websites you commonly visit utilize SSL source code and if they do, make sure that they have updated their SSL code to version 1.0.1g. Here is a list of popular sites that were vulnerable before but have now patched. If you have visited a website that was vulnerable you should take the following steps:
- Reset your username and password (Make sure that the website has been patched before you do this, otherwise you will increase the possibility of exposing this information).
- Check to see if a site you are visiting uses SSL before inputting critical information. (CNET has a tool you can use to determine whether or not a site is safe to use).