Wednesday - Jun 19, 2019

Heartbleed Bug – What to Do After The Fact



Only a few months ago, the web was struck by a security bug known as the Heartbleed Bug. Discovered on April 1st, 2014 by an engineer at Codenomicon, a Finnish cybersecurity company, the bug was immediately given a name and a logo, Heartbleed, after the “TLS heartbeat”, the request a malicious person could send to exploit it. Each such request could return up to 64k of OpenSSL’s memory, which could contain, amongst other things, security keys and the contents of supposedly encrypted traffic, such as passwords. The naming and branding of the bug were done to raise awareness of the issue.
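As an added illustration, not part of the original article, here is the bounds check that the OpenSSL fix introduced into heartbeat handling, written in Python: a heartbeat message declares its payload length in a 2-byte field, and the patched code silently drops any message whose declared length does not fit within the bytes actually received. The function names and the sample messages are my own.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def parse_heartbeat(body: bytes):
    """Split a TLS heartbeat message body (the record header is not included)
    into (message type, declared payload length, bytes actually received)."""
    if len(body) < 3:
        raise ValueError("too short to hold the 1-byte type and 2-byte length")
    hb_type = body[0]
    (declared_len,) = struct.unpack("!H", body[1:3])
    return hb_type, declared_len, len(body)


def heartbeat_is_well_formed(body: bytes) -> bool:
    """The check added by the fixed OpenSSL: type (1) + length field (2) +
    declared payload + minimum padding (16) must fit inside what was received.
    A message that fails this is discarded instead of being answered, so the
    responder never copies bytes it was not actually sent."""
    try:
        hb_type, declared_len, actual_len = parse_heartbeat(body)
    except ValueError:
        return False
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False
    return 1 + 2 + declared_len + MIN_PADDING <= actual_len


def build_heartbeat(payload: bytes) -> bytes:
    """Constructed sample: a well-formed heartbeat request whose length field
    matches the payload it really carries."""
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


# Constructed samples: one honest request, and one whose length field claims
# 65535 bytes while only 4 bytes of payload are present (the shape the fix rejects).
WELL_FORMED = build_heartbeat(b"ping")
MALFORMED = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0xFFFF) + b"ping" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("well-formed accepted:", heartbeat_is_well_formed(WELL_FORMED))
    print("malformed accepted:", heartbeat_is_well_formed(MALFORMED))
```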

The news came as a real worry for most of the population, as the bug affected nearly every kind of website on the web, big or small. The news was even worse in some countries, like Canada, where the bug completely halted the filing of citizens’ tax returns. The Canada Revenue Agency then issued a series of updates to inform the population. A fixed version of OpenSSL arrived on April 7th, just in time to rescue the 17% of certified web servers that were left vulnerable by the bug, and the list of affected websites has shrunk ever since. As of June 2014, the percentage of affected websites stands at around 1% and the situation is said to be under control. Mr Solis-Reyes is the individual from Canada who was accused of stealing 900 records from the CRA’s systems.

The bug resided in the very services that were transmitting secure information, so a quick update was out of the question, and a great deal of work was needed to put the situation right. Even big websites like Gmail and Facebook were affected. In its recap of the events, Forbes rated the Heartbleed bug as one of the worst events of its kind since the popularization of the web.

Now that the situation has passed, it’s recommended that users change their passwords, even if they did so during the crisis. To fix your end of the problem, you can check lists of affected sites such as this one https://lastpass.com/heartbleed/ and this one from CNET http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/. These can confirm that the website holding your information has been patched, and that it’s indeed time to refresh your security settings (a new password set on a site that is still vulnerable can leak in exactly the same way as the old one).

Even on a website not affected by the bug, it’s still recommended that you change your password, and never reuse the same words and patterns across several accounts on the web. It’s also recommended that you make your passwords long enough, with upper-case and lower-case letters and numbers. A password that doesn’t read as a phrase or a dictionary word is also a better option.

Experts increasingly describe passwords as an “outdated” form of security, so more than ever web users need to make the most of them. Password managers could therefore become more popular after this kind of bug, as they allow the creation of a different, strong password for each of your websites, all protected by a single one that you have to remember.

The Heartbleed Bug left just about anybody on the web with some sensitive data at risk, so now is the time to change your security settings if you haven’t done so yet. Mobile devices may also need a software update, as it’s possible they were affected by the bug. It’s also worth remembering that cellphones should be locked with a password as well, to keep intruders out.

Another OpenSSL defect has recently been found, as reported by Forbes here http://www.forbes.com/sites/jameslyne/2014/06/05/new-openssl-defects-another-heartbleed/, so improving your security habits is certainly important.