Monday, April 21, 2014

Heartbleed Bug

What is it?

Heartbleed is mainly a bug, a programming flaw, in OpenSSL (Open Secure Sockets Layer), the component that secures a connection's traffic so that only the intended data is accepted. OpenSSL is released in 2012; the word "open" means it is open software that any programmer can edit or copy. OpenSSL is there to help secure websites such as banking sites or shopping sites like eBay or Amazon, the ones that show "https" or a secure lock in the address bar. To understand Heartbleed, however, you first need to understand the Heartbeat. Heartbeat is the feature that acts when your computer connects to a website: it sends a request to the server and waits for a response. The process is called the Heartbeat because your computer "beats" and waits for the server to beat back with the response. In a normal Heartbeat, the computer requests a particular amount of data and the server sends back only that amount. With the Heartbleed bug, a hacker can request a small amount of data but the server sends back more than was requested, up to 65,536 bytes. A single character is about 4 bytes, meaning the hacker can read up to 16,384 characters from a website that has this bug. Those characters may include usernames and passwords of recent users, letting the hacker obtain information without leaving a trace.
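The length mismatch described above can be shown in a few lines of C. The model below is an added example for this article, not OpenSSL's code: it uses the heartbeat record layout from RFC 6520 (one type byte, a two-byte payload length, then the payload), a constructed block of "process memory" in which leftover data from an earlier session (the hypothetical string `user=alice&password=hunter2`) sits right after the received record, and two hypothetical handlers, `heartbeat_vulnerable` and `heartbeat_fixed`. The only difference between them is the check that the claimed length actually fits inside the bytes received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Teaching model of a TLS heartbeat record (RFC 6520 layout): one type byte,
 * a two-byte big-endian payload_length, then the payload. This is not
 * OpenSSL's code; it only reproduces the shape of the bug. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };
#define HB_HEADER 3                 /* type byte + two-byte payload_length */
#define MEM_SIZE  (65536 + 64)      /* room for the largest claimable length */

/* Constructed "process memory" (hypothetical): the received record sits at
 * the front, and data left over from an earlier connection follows it. */
static unsigned char g_memory[MEM_SIZE];
static size_t g_record_len;         /* bytes the TLS layer really received */

void setup_memory(const char *payload, uint16_t claimed_len) {
    /* constructed leftover data, as if from an earlier user's session */
    const char *leftover = "user=alice&password=hunter2 ";
    size_t actual = strlen(payload);
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed_len >> 8);
    g_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_memory + HB_HEADER, payload, actual);
    g_record_len = HB_HEADER + actual;
    memcpy(g_memory + g_record_len, leftover, strlen(leftover));
}

static uint16_t read_len(const unsigned char *p) {
    return (uint16_t)((p[1] << 8) | p[2]);
}

/* Vulnerable handler: trusts the sender's payload_length and copies that many
 * bytes back, even when the record it received was shorter. Returns the
 * number of response bytes written, or -1. */
int heartbeat_vulnerable(unsigned char *resp, size_t resp_cap) {
    const unsigned char *p = g_memory;
    uint16_t payload_len = read_len(p);
    if (p[0] != HB_REQUEST || HB_HEADER + (size_t)payload_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + HB_HEADER, p + HB_HEADER, payload_len);  /* reads past the record */
    return HB_HEADER + payload_len;
}

/* Fixed handler: the claimed length must fit inside the bytes actually
 * received; otherwise the request is dropped without a response. */
int heartbeat_fixed(unsigned char *resp, size_t resp_cap) {
    const unsigned char *p = g_memory;
    uint16_t payload_len;
    if (g_record_len < HB_HEADER || p[0] != HB_REQUEST) return -1;
    payload_len = read_len(p);
    if (HB_HEADER + (size_t)payload_len > g_record_len) return -1;  /* the missing check */
    if (HB_HEADER + (size_t)payload_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + HB_HEADER, p + HB_HEADER, payload_len);
    return HB_HEADER + payload_len;
}

/* How many response bytes were never part of the request payload? */
int leaked_bytes(int resp_len, size_t request_payload_len) {
    if (resp_len < 0) return 0;
    return resp_len - (int)(HB_HEADER + request_payload_len);
}

int main(void) {
    static unsigned char resp[MEM_SIZE];
    int n;
    setup_memory("hi", 40);   /* two-byte payload that claims to be 40 bytes */
    n = heartbeat_vulnerable(resp, sizeof resp);
    printf("vulnerable: %d bytes back, %d leaked: %.*s\n", n, leaked_bytes(n, 2),
           n - HB_HEADER, (const char *)(resp + HB_HEADER));
    n = heartbeat_fixed(resp, sizeof resp);
    printf("fixed: %s\n", n < 0 ? "request rejected" : "answered");
    return 0;
}
```

With the 2-byte payload claiming 40 bytes, the vulnerable handler answers with 43 bytes, 38 of which come from memory after the record, including the constructed credential string; the fixed handler rejects the same request, and both answer normally when the claimed length matches the payload.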

How did it happen?

As mentioned briefly, it is a bug or flaw in the program: a small mistake made while a programmer was writing the code led to this dangerous bug. The person who found this basic bug was Neel Mehta, and it was a very significant discovery that created a lot of chaos. Because the program is open source, it started many debates about whether this kind of sharing should be considered safe for such important websites, mainly because it was the open source programming that caused the mistake, which is small as described but had large consequences. On the other hand, some people do not consider it a mistake but rather an intentional error someone made to allow hackers to obtain this information. People accuse the NSA of being behind this bug because the NSA is responsible for collecting personal information, so the programmer might have been hired to make the mistake on purpose in order to get the information for the NSA.

Who got affected?

Many websites and operating systems were affected by the Heartbleed bug. The main operating system affected was Android, but only version 4.1.1 Jelly Bean, which had 50 million users around the globe. The method the hackers used to steal information is called "reverse Heartbleed": it takes data from the OpenSSL server and traces it back to your phone to steal certain past sessions, such as bank account passwords. Two main websites reported to have been hacked were Mumsnet and Canada's tax agency. Mumsnet, a forum-style website, had 1.5 million users, and it was claimed that hackers stole many passwords and personal messages before the bug could be fixed. The same happened to the Canadian tax agency, where 900 people reported that their social insurance numbers were stolen. The founder of Mumsnet, Justine Roberts, mentioned that "The hacker posted using her own username".

What was the damage?

The damage, as I mentioned already, was a huge loss of passwords and important information retrieved from the memory of the database, leading for example to a hacked bank account and a loss of money without a trace. With the information sent to the hacker, they can obtain more than usernames and passwords from the site; because of the Heartbleed bug they can even get keys that give access to other parts of your personal information. As mentioned above, people had their social insurance IDs stolen, or the hacker used their account to post messages. Overall, the damage made people lose trust in the security of certain websites: even though they show the secure lock, information can still be taken because of the bug.

How to prevent it or recover from it?

Many solutions were already under way once the bug became known in the media. The patch to OpenSSL has been out for a while to fix the basic bug and dissolve the Heartbleed chaos, so that a hacker can no longer obtain additional information. Most websites have already patched their OpenSSL to the latest version, while some still remain unpatched. To protect yourself from this bug, check which OpenSSL version a website runs before entering any important information. Keep in mind never to log into accounts on sites that are still affected. Once a website has been patched, change the passwords of your accounts there immediately. Check the status of your bank accounts regularly if you are unsure, so that if something goes wrong you can contact the bank immediately. The most important step is to reset all passwords that protect personal information, even if the site claims it is safe.

What did you learn from it?

I learned a lot of lessons from this article, or chaos, which made it look serious. I have learned that the smallest mistakes in programming are not considered very small, looking at the significance they can bring due to a small error that is made. I also learned how a database, like a website, functions by looking up key terms such as OpenSSL, which allowed me to learn more about open source software. I also learned that a small problem like this caused many troubles for people and in the future will cause people to lose trust. Due to the Heartbleed scenario, open source software will have many negative points because these errors were looked upon, making many people view open source software as very dangerous.


Sources

"What Is Heartbleed, Anyway?" Engadget. N.p., 12 Apr. 2014. Web. 21 Apr. 2014. <http://www.engadget.com/2014/04/12/heartbleed-explained/?ncid=rss_truncated>.

Bautista, Christian Brazil. "About 50 Million Android Devices Are Still Vulnerable to the Heartbleed Bug." Digital Trends. N.p., 16 Apr. 2014. Web. 21 Apr. 2014. <http://www.digitaltrends.com/mobile/50-million-android-smartphones-vulnerable-heartbleed-bug/?_escaped_fragment_=ErJyR#!E9rO0>.

Kelion, Leo. "Heartbleed Hackers Hit Mumsnet." BBC News. N.p., 14 Apr. 2014. Web. 18 Apr. 2014. <http://www.bbc.com/news/technology-27028101>.

Nieva, Richard. "How to Protect Yourself from the 'Heartbleed' Bug - CNET." CNET. N.p., 8 Apr. 2014. Web. 21 Apr. 2014. <http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/#ftag=CADf328eec>.

Lyne, James. "How Heartbleed Happened, The NSA And Proof Heartbleed Can Do Real Damage." Forbes. Forbes Magazine, 14 Apr. 2014. Web. 21 Apr. 2014. <http://www.forbes.com/sites/jameslyne/2014/04/14/how-heartbleed-happened-the-nsa-and-proof-heartbleed-can-do-real-damage/>.
