Opinion by Adam Ebel
An online attacker could have your Facebook, Yahoo, Google, Gmail, Netflix, Tumblr, Soundcloud, Wunderlist, Amazon, Dropbox, LastPass and Apple information.
OpenSSL is an open-source “library” of sorts for Transport Layer Security.
It’s efficient, generally secure, and very popular.
Unfortunately, it also has a security flaw as open as it is.
This security flaw was formally announced on April 7, but has existed since 2012.
Using this bug, attackers could have, and probably did, acquire entire databases of user information.
The attackers’ actions leave no trace, so there is no way of knowing if a database was compromised or not.
“What is OpenSSL?”
OpenSSL is a “library.” A library is used like a manual that lets computer programs carry out common higher-level functions using simple commands. In a sense, a program, or a programmer, asks a system to do something that the system doesn’t exactly know how to do. Computers are a bit like toddlers in that they have to be told everything explicitly. It is like telling a computer to carry out a set of instructions in a manual. It makes managing data packets much simpler. Most network data packets are encrypted in such a way as to prevent anyone other than their intended recipient from understanding the content inside. This is true for most network packets with the notable exception of “Heartbeat.”
“What is Heartbeat”
A “Heartbeat” is how one knows a system is alive and stable. Really. Systems within networks monitor the status of a variety of resources and know what they can and cannot communicate with. They send out unencrypted “heartbeats” to other resources, whose owners then respond with a bit of their own memory, indicating that the resource has a functioning owner and can be used. It is like calling for a head count for a team of mountain climbers, ensuring one’s partner hasn’t fallen down the cliffside and is about to pull the rope attached to you down with them.
“… and why is it bleeding?”
The “Heartbleed” bug occurs because no one wanted to slow this system down by having it check to see if the “Heartbeat” was from a bona fide subsystem in the network. As a result, anyone with the know-how and the desire may send out a heartbeat to a system and receive a 64-kilobyte scoop of data in return. They may continue asking for these scoops until the system hands them things like password hashes, server master keys and account data tables: more or less everything needed to compromise the entire system.
How easy is it to fix?
Relatively easy; it was oversight rather than a technical challenge that left the bug there. A server administrator can update to the fixed OpenSSL and patch their systems to manage the small changes. The main concern is the data that had been lost during the years that the bug was unknown.
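To make the two paragraphs above concrete, the missing check that caused the bleed and the one-line fix that closed it, here is an added example. It is a simplified model written for this page, not OpenSSL’s code: a heartbeat record is laid out in a constructed memory “arena” with a made-up secret string right after it, and the same record is fed to an unchecked handler that trusts the record’s own length field and to a checked handler that refuses any record whose claimed payload does not fit in what actually arrived. The 3-byte header (type plus a 16-bit payload length) and the 16 bytes of padding follow RFC 6520; the arena, the secret and the function names are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example modelling the heartbeat handling described in the article;
 * this is not OpenSSL's code.  HEARTBEAT_PADDING (16) is RFC 6520's minimum
 * padding and the header is 1 byte type + 2 bytes payload length; the arena
 * and the secret are constructed stand-ins. */
#define HEARTBEAT_REQUEST 1
#define HEARTBEAT_PADDING 16
#define HDR_LEN           3
#define ARENA_SIZE        256

/* Constructed "process memory": the received record sits at the start and
 * unrelated data (a stand-in for a key or session cookie) sits right after. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "constructed-secret-not-for-the-peer";

/* Lay out a heartbeat request.  declared_len is what the record claims,
 * actual_len is how many payload bytes really follow.  Returns the length
 * of the record that actually arrived on the wire. */
static size_t build_record(uint16_t declared_len, const char *payload, size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HEARTBEAT_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + HDR_LEN, payload, actual_len);
    size_t record_len = HDR_LEN + actual_len + HEARTBEAT_PADDING;
    memcpy(arena + record_len, secret, sizeof secret);   /* neighbouring data */
    return record_len;
}

/* Unchecked handler: trusts the length field and never consults record_len,
 * which is the bug.  A record claiming more than it carries makes the copy
 * run past the record into neighbouring memory.  The clamp to the arena is
 * only there so the demo stays defined behaviour.  Returns bytes echoed. */
static size_t heartbeat_unchecked(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;
    size_t n = (size_t)((arena[1] << 8) | arena[2]);
    if (n > out_cap) n = out_cap;
    if (HDR_LEN + n > ARENA_SIZE) n = ARENA_SIZE - HDR_LEN;   /* demo-only clamp */
    memcpy(out, arena + HDR_LEN, n);
    return n;
}

/* Checked handler, the shape of the fix: header + claimed payload + padding
 * must fit inside the record that actually arrived, otherwise the record is
 * silently discarded (RFC 6520 section 4) and nothing is echoed. */
static size_t heartbeat_checked(size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len < HDR_LEN + HEARTBEAT_PADDING) return 0;
    size_t n = (size_t)((arena[1] << 8) | arena[2]);
    if (HDR_LEN + n + HEARTBEAT_PADDING > record_len) return 0;
    if (n > out_cap) return 0;
    memcpy(out, arena + HDR_LEN, n);
    return n;
}

/* 1 if the echoed bytes contain the neighbouring secret, else 0. */
static int leaked_secret(const unsigned char *out, size_t n)
{
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

/* A 5-byte payload that claims 65535 bytes, through the unchecked handler.
 * Returns the bytes echoed if the secret was among them, 0 if it was not. */
static size_t scenario_unchecked_over_read(void)
{
    unsigned char out[200];
    size_t rl = build_record(65535, "hello", 5);
    size_t n = heartbeat_unchecked(rl, out, sizeof out);
    return leaked_secret(out, n) ? n : 0;
}

/* The same malformed record through the checked handler: expected 0. */
static size_t scenario_checked_rejects(void)
{
    unsigned char out[200];
    size_t rl = build_record(65535, "hello", 5);
    return heartbeat_checked(rl, out, sizeof out);
}

/* An honest record (claims 5, carries 5) through the checked handler:
 * expected 5 bytes, and they must be the payload itself. */
static size_t scenario_checked_honest(void)
{
    unsigned char out[200];
    size_t rl = build_record(5, "hello", 5);
    size_t n = heartbeat_checked(rl, out, sizeof out);
    return (n == 5 && memcmp(out, "hello", 5) == 0) ? n : 0;
}

int main(void)
{
    printf("unchecked, oversized claim: %zu bytes echoed (0 = secret not leaked)\n",
           scenario_unchecked_over_read());
    printf("checked,   oversized claim: %zu bytes echoed\n", scenario_checked_rejects());
    printf("checked,   honest record:   %zu bytes echoed\n", scenario_checked_honest());
    return 0;
}
```

The point the demo makes is the article’s: the record already carries the information needed to reject the bad request (how long it really is), and the fix is simply to compare the claimed length against it before copying. Real OpenSSL reads far beyond a small arena, which is why the article’s 64-kilobyte scoops could contain anything that happened to be nearby in memory.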
Changing your passwords is a pretty good idea right now. Even if you feel like there is no reason in particular a person would target you, you could easily be a part of one of the blocks of data scooped up in a “Heartbleed.”
Ebel is a first-year journalism major and can be reached at [email protected]