What is the Heartbleed bug?

Good afternoon,

You may have heard in the press recently about a major security threat from the ‘Heartbleed’ virus. Here is some further information about the issue and what steps you can take to help protect yourself.

What is the Heartbleed bug?
Heartbleed is a flaw in OpenSSL, the encryption standard used by the majority of websites to give you a secure line when you’re sending an email or logging into social media websites. Encryption works by making it so that data being sent looks like nonsense to anyone but the intended recipient. Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, and it will send out what’s known as a heartbeat, a small packet of data that asks for a response. Because of a programming error in the implementation of OpenSSL, researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end into sending data stored in its memory.

How bad is it?
Web servers can keep a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service and so this could all potentially be accessed by hackers.

Am I affected?
You are likely to be affected either directly or indirectly. Your popular social site, email site, commercial site, hobby site, and sites you install software from might be using vulnerable OpenSSL.

So what can I do to protect myself?
Since the vulnerability has been in OpenSSL for about two years and using it leaves no trace, assume that your accounts may be compromised. You should change your online passwords, especially for services where privacy and security are major concerns. However, it is likely that some sites haven’t yet upgraded to software without the bug, so immediately changing them still might not help. The researchers who discovered the flaw let the developers behind OpenSSL know several days before announcing the vulnerability, so it was fixed before word got out yesterday. Most major service providers should already be updating their sites, so the bug will be less prevalent over coming weeks.

You can read more on the BBC website here: http://www.bbc.co.uk/news/technology-26954540

Remember always make your passwords hard to guess -include uppercase, lowercase, number and special characters (!”%^^&*) and avoid using a dictionary word. Ideally you should also have a different password for each website, although we know that can be hard to remember them all.

If you have any questions, please do get in touch

Best regards,

James Risk