The Heartbleed Bug

copyright www.heartbleed.com

The Heartbleed bug has recently been in the news for all the wrong reasons. Doomsday or overreaction?

The Heartbleed bug is a programming error accidentally introduced into the code of OpenSSL, a popular open source cryptography toolkit. It allows attackers to read sensitive information straight out of the memory of affected servers and clients over the internet.

A server is a software and hardware combination that provides a service. A mail server enables the exchange of mail; a web server serves websites and web pages. When you want to see a website, say www.yahoo.com, there is a server somewhere configured as a web server and hosting that site. You open your browser and type www.yahoo.com into the address bar. Your browser, with the help of the Domain Name System, looks up the address of the web server hosting Yahoo's site. Once it is located, your PC sends a request for the pages and the web server sends them back, where your browser displays them.

Web 2.0 has ushered in an era of interactive websites, so these days a great deal of information is exchanged between the web server and your browser: personal and private details, mail, chats and, most importantly, financial information. All of it needs a secure method of exchange.

Enter ENCRYPTION.

Data exchanged between the website and your browser is encrypted before it is sent and decrypted after it is received, at both ends. Websites that take online payments or offer net banking prominently advertise this as a security feature, with wording like "We use 128 bit SSL encryption" or "encryption helps keep your information private between the bank's computer system and your Internet browser". When you browse such a site you will see "https" instead of "http" in the browser's address bar: the connection is protected by SSL/TLS, the protocol that OpenSSL implements.

With such an important role to play, encryption is hot property. Implementing it requires a software toolkit. Commercial options are plentiful and usually paid for. OpenSSL has positioned itself as the open source alternative: free to use, alter and maintain, as its website proudly advertises: "Why buy an SSL toolkit as a black-box when you can get an open one for free?"
OpenSSL is therefore the obvious choice for startups, companies on a tight budget, or simply anyone looking for an alternative. Maintained largely by volunteers, OpenSSL started in 1998, and as of 2014 roughly two thirds of all web servers rely on it (source: Wikipedia).

Whenever data is encrypted, trying to break the encryption itself is usually a bad idea for an attacker. It is far easier to steal the keys, unlock the encryption and read the data.

This is where Heartbleed comes in.

Heartbleed lets an attacker read the memory of a vulnerable server (or client) over the network, typically without leaving a trace in the server's logs. The bug sits in OpenSSL's implementation of the TLS heartbeat extension, a keep-alive feature: one side sends a small heartbeat message together with a field stating how long its payload is, and the other side echoes the payload back. Vulnerable OpenSSL versions trusted the stated length without checking it against the number of bytes actually received, so a request claiming 64 KB of payload but carrying only a few bytes got back up to 64 KB of whatever happened to lie next in the server's memory: other users' session cookies, usernames and passwords, the contents of recent requests and, most importantly, the server's private encryption keys. The request can be repeated as often as the attacker likes, each time revealing a different slice of memory.
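As an added illustration, written for this page and not code from the original post nor OpenSSL's own implementation, here is a simplified C model of the bug: a toy heartbeat handler that trusts the length field in the packet, beside one that checks it against the bytes actually received. The 64-byte "process memory", the constructed request and the SESSION=abc123 secret placed right after it are all assumptions of the demo; the real code lived in OpenSSL's tls1_process_heartbeat, and the fix was the equivalent of the single length check shown in heartbeat_fixed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520):
 *   byte 0     : type, 1 = request, 2 = response
 *   bytes 1-2  : payload_length, big-endian
 *   bytes 3..  : payload, followed by at least 16 bytes of padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed sample "process memory" of a toy server (an assumption made
 * for this demo). The heartbeat request sits at the start; just after it
 * lives data a correct implementation must never send back. */
static unsigned char server_memory[64];
static const char secret[] = "SESSION=abc123";

/* Lay out a heartbeat request whose length field claims `claimed_len`
 * payload bytes but which really carries a 2-byte payload ("hi").
 * Returns the number of bytes the server actually received on the wire. */
static size_t setup_memory(uint16_t claimed_len)
{
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_memory + 3, "hi", 2);                    /* real payload */
    /* bytes 5..20 are the 16 padding bytes, already zero */
    memcpy(server_memory + 21, secret, sizeof secret - 1); /* neighbouring secret */
    return 1 + 2 + 2 + HB_PADDING;                         /* 21 bytes received */
}

/* VULNERABLE (the shape of CVE-2014-0160): the length field inside the
 * packet is trusted and rec_len, the number of bytes really received,
 * is never consulted. Returns the response length, or -1. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Only protects the demo's own output buffer; real OpenSSL allocated a
     * buffer of the claimed size, so up to 64 KB came back per request. */
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* reads far past the real payload */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* FIXED: header, declared payload and padding must fit inside the bytes
 * actually received; otherwise the request is silently dropped. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;       /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return -1; /* the missing check */
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Does the response contain the secret that sat next to the request? */
static int contains_secret(const unsigned char *resp, int resp_len)
{
    size_t n = sizeof secret - 1;
    if (resp_len < 0) return 0;
    for (size_t i = 0; i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, secret, n) == 0) return 1;
    return 0;
}

/* Send a lying heartbeat (2 real bytes, length field claiming 40) through
 * one of the handlers; returns 1 if the secret leaked, 0 otherwise. */
int demo_leaks_secret(int use_vulnerable)
{
    unsigned char resp[128];
    size_t rec_len = setup_memory(40);
    int n = use_vulnerable
          ? heartbeat_vulnerable(server_memory, rec_len, resp, sizeof resp)
          : heartbeat_fixed(server_memory, rec_len, resp, sizeof resp);
    return contains_secret(resp, n);
}

/* An honest heartbeat (length field 2, payload "hi") still works after the
 * fix; returns the response length (3 header + 2 payload + 16 padding). */
int demo_fixed_honest(void)
{
    unsigned char resp[128];
    size_t rec_len = setup_memory(2);
    return heartbeat_fixed(server_memory, rec_len, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_leaks_secret(1));
    printf("fixed handler leaks secret:      %d\n", demo_leaks_secret(0));
    printf("fixed handler, honest request:   %d bytes\n", demo_fixed_honest());
    return 0;
}
```

Compile with cc -std=c99 and run: the vulnerable handler happily copies 40 bytes starting at a 2-byte payload and the session cookie comes back in the response, while the fixed handler rejects the same request because 1 + 2 + 40 + 16 bytes cannot fit in the 21 bytes that arrived. In the real attack the claimed length was up to 65535, the copy ran off the end of the heap buffer holding the record, and nothing about the request looked unusual to the server.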

The bug was accidentally introduced when Robin Seggelmann wrote the heartbeat extension code for OpenSSL. The review by core developer Stephen Henson also missed the absent bounds check; the change was committed on 31 December 2011 and shipped in OpenSSL 1.0.1, released in March 2012.

The bug was discovered in April 2014, independently by Neel Mehta of Google's security team and by Codenomicon, a Finnish cyber security company. It was in fact Codenomicon who named the bug Heartbleed, designed the logo and gave it the publicity it deserved. It is tracked as CVE-2014-0160 and was fixed in OpenSSL 1.0.1g, released on 7 April 2014.

Between March 2012 and April 2014, every system running an affected OpenSSL release (1.0.1 through 1.0.1f) was exposed to anyone who knew about the bug. Popular services such as Gmail, Facebook, Yahoo, Flickr and Dropbox were affected, though most have by now patched. There is no complete record of who used OpenSSL on their web servers and when, nor of who exploited the bug against which servers and how much data was stolen, because a Heartbleed request looks like ordinary traffic and leaves nothing in the logs. If you run a server, "openssl version" tells you which release you have; anything in the 1.0.1 series before 1.0.1g needs updating, and since the private key may already have been read, the server's certificate should be reissued and the old one revoked.

The magnitude of the problem does not depend on whether the bug was planted deliberately, as some suspect, or was the honest mistake its author says it was: either way the effect is the same. What was thought of as impregnable never was, for two whole years.

Remember,
Anonymous is NOT
Safe is NOT
Privacy is NOT
Change your passwords, but only once the site you use has patched OpenSSL and replaced its certificate; a new password sent to a still-vulnerable server can be stolen just as easily as the old one.
