Heartbleed bug shakes the foundation of the Web

The widespread security flaw, discovered this week, leaves much of the Internet at risk of exploitation. Here's how it works and what you can do to protect yourself.

By MSN Money Partner Apr 10, 2014 10:27AM

[Image: the word 'password' on a computer screen between lines of binary code. Credit: Pawel Kopczynski/Newscom/Reuters]

David Nield, Fortune


Late Monday afternoon, the details of one of the most serious security problems to ever affect the modern Web were posted online. Dubbed Heartbleed, the vulnerability has major companies scrambling this week to patch their systems and could have been exploited to harvest data from millions of users.


The bug has been in the wild for more than two years, and leaves no trace of suspicious activity. Some estimates suggest that two-thirds of the Web has been at risk since 2011.


Heartbleed affects OpenSSL, one of the key technologies used to encrypt data online. It allows attackers to retrieve sensitive information such as usernames, passwords and credit card details from servers running the software. While OpenSSL is not used by the likes of Google (GOOG), Microsoft (MSFT) and Apple (AAPL), it's a popular choice for countless companies large and small.


A hacker making use of the Heartbleed vulnerability can "fish" for random chunks of data on a vulnerable server. While these chunks are small, the process can be repeated again and again, and leaves no trace of any breach.


The data packets returned to the hacker could include login details, private information, email messages and even encryption keys. Those keys are particularly important, because they allow an attacker to impersonate the site in question with nothing to show that it isn't genuine.


Investigative journalist and security researcher Brian Krebs has posted in depth about the exploit. He tells Fortune: "Attackers can steal the 'keys to the kingdom,' as it were -- the private encryption keys that websites use to encrypt and decrypt all communications with visitors. As broad-scale Internet vulnerabilities go, this one is about as dangerous as it gets. While there are probably fewer than a half million sites that are vulnerable right now, many of the vulnerable sites have millions or even hundreds of millions of users."

Krebs points to online lists and tools that can be used to test for Heartbleed. Big-name portals such as Yahoo (YHOO), Flickr, OKCupid, Zoho, 500px, Imgur and even the F.B.I. were identified as being vulnerable as the news broke. Many sites have now put fixes in place -- as of Wednesday morning, Yahoo says it has rolled out an upgrade for the majority of its sites. E-mail servers and instant messenger communications are also at risk.


For any company that has a presence on the Web and uses OpenSSL, this means an urgent round of upgrading and patching -- or an urgent call to the relevant Web hosting firm. The latest version of OpenSSL fixes Heartbleed, but a lengthy and involved process of renewing security certificates and resetting encryption keys is also required. Even when the bug has been eradicated, there's no knowing how much data was lost in the interim, and the repercussions could be felt for years to come.


"Many Internet users will probably be asked at least once this week to change their passwords at various sites," Krebs says. "Affected website administrators have to replace the private keys and certificates for their OpenSSL installations after patching the bug. And since this exploit for many sites seems to leave few traces behind, many organizations will probably want to be on the safe side and will be advising users to change their passwords as well."


As far as end users are concerned, there's not much choice but to sit it out and avoid affected sites until an update has been rolled out. Resetting passwords will help to shore up the breach, but only after the sites in question have been upgraded. The usual common sense approaches -- keeping a close eye on credit card bills and watching for suspicious activity online -- are among the best steps to staying safe.


"People often joke that 'Oh, perhaps we should stay off the Internet' in response to certain threats, but in this case I think that may not be a horrible idea," Krebs says. "If you happen to log in to a site that is vulnerable, there is a more than trivial chance that some attacker will steal your credentials . . . the problem is that it's not readily apparent to the end user which sites are fine and which are still vulnerable."


The bug was first spotted by coders working for Google and Codenomicon, who posted an information page online and christened the vulnerability "Heartbleed" because it takes advantage of a common OpenSSL extension called Heartbeat. "Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," warns the announcement.
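To make the "fishing" for memory concrete, the following is an added toy model in C of a heartbeat handler; it is not OpenSSL's code and does not come from the article. The vulnerable version echoes back as many bytes as the request claims to contain, while the patched version checks that claim against the record actually received. The record layout is simplified, and the request, the secret and the buffer sizes are constructed sample values.

```c
#include <string.h>

/* Toy heartbeat record: 1-byte type, 2-byte big-endian claimed payload length, then payload. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3 };

/* Constructed server memory: the 8-byte request that really arrived,
 * followed by data the peer must never see. */
static unsigned char server_memory[64] = {
    HB_REQUEST, 0x00, 0x20,                  /* claims a 32-byte payload */
    'h', 'e', 'l', 'l', 'o',                 /* but only 5 bytes were sent */
    'S', 'E', 'C', 'R', 'E', 'T', '_', 'K', 'E', 'Y'
};
static unsigned char response[64];           /* where replies are built */

/* Vulnerable handler: trusts the peer's length field and copies that many
 * bytes back, reading past the end of the record into adjacent memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    size_t claimed = (size_t)(rec[1] << 8 | rec[2]);
    (void)rec_len;                             /* never consulted: the bug */
    if (claimed + HB_HDR > out_cap) return 0;  /* keeps this demo in bounds */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);  /* over-read */
    return HB_HDR + claimed;
}

/* Patched handler: the claimed length must fit inside the record that
 * was actually received, otherwise the request is dropped silently. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR) return 0;
    size_t claimed = (size_t)(rec[1] << 8 | rec[2]);
    if (claimed + HB_HDR > rec_len) return 0;  /* the missing bounds check */
    if (claimed + HB_HDR > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    return HB_HDR + claimed;
}

/* Bytes the vulnerable reply contains that the peer never sent, or -1. */
int vulnerable_leak_size(void) {
    size_t n = heartbeat_vulnerable(server_memory, 8, response, sizeof response);
    if (memcmp(response + 8, "SECRET_KEY", 10) != 0) return -1;
    return (int)(n - 8);
}
/* 1 if the patched handler refuses the very same request, else 0. */
int fixed_rejects(void) {
    return heartbeat_fixed(server_memory, 8, response, sizeof response) == 0;
}
```

The same 8-byte request yields a 35-byte reply from the vulnerable handler, 27 bytes of which came from memory the peer never sent, and no reply at all from the patched one.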


This week, IT managers across the globe will be working feverishly to get their systems up to date, and praying that no one took advantage of Heartbleed. The most worrying part? They may never know.


11 Comments

Apr 10, 2014 10:50AM
It SHOULD shake up everyone. After a couple of decades of the DUMBEST most ARROGANT smart people taking away personal identity safety, making us pay for internet security that regularly doesn't do its job, crappy services in need of constant debugging and updates AND THEN the emergence of an i-Phone that literally sucks brain cells and competence out of the user's body... it finally comes to this... WE WERE NEVER SAFE. THIS ISN'T THE FUTURE. GET OFF YOUR TEXT AND GET A SKILL SET THAT CONTRIBUTES TO A REAL ECONOMY. REVOKE ALL DEGREES BRINGING OUR SOCIETY TO ITS KNEES AND REVIVE FREE ENTERPRISE. Don't like it? Get the EFF off the planet permanently.
Apr 10, 2014 10:59AM
It isn't nice to build back doors in your system so businesses can screw their customers. Not to mention NSA.
Apr 10, 2014 2:12PM
Seems very possibly of government origin!
Apr 10, 2014 11:02AM
Not a real shocker after yesterday; nothing but decent news this morning, but we all know news is irrelevant down here, people move markets and, after starting sort of flat to a bit up, manipulators started doing their thing at about 1045 hrs and now we are dropping; they are having a feast once again with the Nasdaq....Long way to go of course, let's see if this afternoon we can come back a bit. Sadly, these scumbags are taking over slowly but surely...More later.
Apr 10, 2014 11:08AM
"WE WERE NEVER SAFE. THIS ISN'T THE FUTURE. GET OFF YOUR TEXT AND GET A SKILL SET THAT CONTRIBUTES TO A REAL ECONOMY. REVOKE ALL DEGREES BRINGING OUR SOCIETY TO ITS KNEES AND REVIVE FREE ENTERPRISE. Don't like it? Get the EFF off the planet permanently."

Yep, between GMO foods, pollution of our Air and Water, Earth may never recover as folks are far too concerned about texts and hashtags as opposed to Reality.
Copyright © 2014 Microsoft. All rights reserved.

Fundamental company data and historical chart data provided by Morningstar Inc. Real-time index quotes and delayed quotes supplied by Morningstar Inc. Quotes delayed by up to 15 minutes, except where indicated otherwise. Fund summary, fund performance and dividend data provided by Morningstar Inc. Analyst recommendations provided by Zacks Investment Research. StockScouter data provided by Verus Analytics. IPO data provided by Hoover's Inc. Index membership data provided by Morningstar Inc.

ABOUT TECHBIZ

Start investing in technology companies with help from financial writers and experts who know the industry best. Learn what to look for in a technology company to make the right investment decisions.

RECENT POSTS

Would you pay $700 for Sony's new Walkman?

Hand-carved from an aluminum block, the 128-gigabyte ZX1 resurrects the iconic portable music player -- minus the cassettes -- for premium buyers in search of high-quality audio.

VIDEO ON MSN MONEY

RECENT QUOTES

WATCHLIST

Symbol
Last
Change
Shares
Quotes delayed at least 15 min

MSN MONEY'S