TMCnet News
The Heartbleed Bug: What you need to know [Telegraph-Herald (Dubuque, IA)](Telegraph-Herald (Dubuque, IA) Via Acquire Media NewsEdge) Dear PropellerHeads: I heard in the news about some sort of "bleeding heart" virus that's going to steal all my credit cards. What should I do? Answer: Once in a while something so stupendously terrible happens in the World of Technology that even mainstream outlets like CNN and the New York Times have to cover it. Then PropellerHeads like me laugh at the vague, "layperson" descriptions of some complicated technology spouted by clueless reporters. Anyway, forget everything you know about the Heartbleed Bug and let's start over. First, you might have noticed on bank websites and Amazon checkout pages that your browser displays a padlock icon in the address bar. This is how it tells you that the web server on the other end has SSL software installed. SSL, or Secure Sockets Layer, is a protocol (set of rules) that describes how browsers and servers should communicate in order to keep your data safe. They do this by encrypting, or - if you'll indulge a little tech speak - "super-magically scramblin' up" your data, so that if someone were to intercept your Miley Cyrus fan site password, they wouldn't be able to read it. SSL is not a product itself - it's a set of rules that programs can implement. One such program is called OpenSSL, and since it's been around for years (and is free), many sites use it to power their secure pages. "Many" as in, say, half a million or so (bit.ly/1g1DjGS). Security researchers guess that more than 66 percent of publicly accessible websites are using web server software that relies on OpenSSL for security. In early April, two security experts independently found a bug in OpenSSL that was later named "the Heartbleed bug." You can read the technical details at heartbleed.com. OpenSSL has a "heart beat" feature, which is common in servers. Browsers and other programs can send it a message every few seconds asking, "Are you there?" If it is, it sends a signal back. In this case, the browser says "If you're still there, send me back the 5- letter word house," and OpenSSL says, "house." But the word "house" is read out of the computer's memory, and - here's the key issue - OpenSSL does not check to see if the number of letters requested matches the word length. Ask it to send you back the 300-letter word house, and instead of catching the error, the soft-ware writes back with the message "house," followed by the next 295 letters that happened to be stored in the computer's memory at the time. What gets stored in web server memory? Credit card numbers, email contents, account passwords - all kinds of good stuff. Even worse, the secret encryption keys (think long passwords) that the server uses to secure the data in the first place might be in memory then, too. So, not only could someone steal your password, but she could steal enough information about the server to steal your password again in the future - even after you change it. Someone already has used the bug to steal taxpayer ID numbers from the Canadian counter-part to the IRS. Bloomberg News reported that the National Security Agency has used the bug for months to access server data, but the NSA denies this. Since the flaw had been in place for two years, it could take months before we realize the extent of the damage. But you need not worry, provided you've never used Facebook, Pinterest, Google, Yahoo, Flickr, Netflix, Youtube, Dropbox or Healthcare.gov. See Mashable's write-up at on.mash.to/1nAlRf0 for details. If there's any good news here, it's that the guys who wrote OpenSSL are getting funded for their work, to prevent future repeats. The other "winner," if that's the word, is a technology called Perfect Forward Secrecy, which guarantees that any captured encryption keys cannot be used to go back and read old data encrypted with those keys retroactively (bit.ly/1iGw9Th). You'll see it become more popular in the coming years. Lastly, to see all this described in nerdy cartoon form, check out xkcd.com/1354. Email questions to [email protected] or contact us at Data Directions, Inc. 8510 Bell Creek Road, Mechanicsville, VA 23116. Visit www.askthepropellerheads.com. (c) 2014 ProQuest Information and Learning Company; All Rights Reserved. |