
Friday, April 11, 2014

Wake of the Heartbleed Bug


Imagine discovering a faulty part used in nearly every make and model of car, except that you cannot recall the Internet or the data you have already put out on it. That is the simple version of the Heartbleed bug. The more detailed version is that a flaw in OpenSSL, the open-source encryption toolkit behind a large share of the world's HTTPS sites, lets anyone who can open a TLS connection read up to 64 KB of the server's memory per request, without authenticating and without the server noticing. That is an incredibly big deal. For the past two years, much of our private online data -- including passwords, credit-card numbers, billing addresses and user names -- sitting in the memory of some of the biggest Web sites could have been read by strangers with a little Web know-how.
The problem is that we don't know whether the bad guys found the flaw first (the safe money is on "yes"). Because a malicious heartbeat request is handled inside the TLS library, below the Web application, and is not logged by default, an attacker could have hit a single server millions of times over the last two years and we would have no clue. As with any breach, monitoring your online accounts, including financial statements, for suspicious activity is the only way to know whether you are a victim.
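To make the mechanism above concrete, here is an added illustration that is not part of the original post and is not OpenSSL's own code: a small C model of the TLS heartbeat handler. The record layout follows RFC 6520 (one type byte, a two-byte payload length, the payload, then padding); the `server_memory` buffer, the embedded secret and the function names are constructed for the example. The vulnerable handler copies as many bytes as the peer's length field claims; the fixed handler applies the same bounds check that OpenSSL 1.0.1g introduced. The over-read here stays inside the constructed buffer so the program is well defined; in the real library it ran past the record into neighbouring heap allocations.

```c
/* Added example (not OpenSSL's code): a model of the TLS heartbeat handler
 * showing the missing length check behind Heartbleed and the check that
 * OpenSSL 1.0.1g added. The "server memory", the secret and the function
 * names are constructed for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* minimum padding required by RFC 6520 */

/* Constructed stand-in for the process heap: the received record is at
 * offset 0 and an unrelated allocation (a key fragment) sits after it. */
static unsigned char server_memory[256];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Record layout: type(1) | payload_length(2) | payload | padding.
 * claimed_len is what the sender writes into the length field; the payload
 * actually present is strlen(payload). Returns the bytes really received. */
static size_t build_record(unsigned char *out, uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual);
    memset(out + 3 + actual, 0, HB_PADDING);
    return 1 + 2 + actual + HB_PADDING;
}

/* Echo the payload back, trusting the peer's length field. This is the
 * defect: payload_length is never compared with the record length, so a
 * 5-byte request claiming 65535 copies 65535 bytes of whatever follows the
 * record in memory into the response. Returns the response size. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    (void)rec_len;                                   /* never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);              /* over-read */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Same echo with the bounds check from the 1.0.1g fix: a record whose
 * claimed length does not fit inside what was received is discarded.
 * Returns the response size, or 0 when the request is rejected. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                                    /* too short for a header */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                    /* length lies: silently drop */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Byte search that tolerates embedded zeros in the response. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0)
            return 1;
    return 0;
}

/* Send a 5-byte payload that claims to be 200 bytes long to both handlers.
 * Returns 1 if the vulnerable handler leaked the secret and the fixed one
 * refused the request. */
int heartbleed_demo(void)
{
    unsigned char resp[512];
    memset(server_memory, 0, sizeof server_memory);
    size_t rec_len = build_record(server_memory, 200, "hello");
    memcpy(server_memory + 64, secret, sizeof secret);   /* secret lives past the record */

    size_t n = heartbeat_vulnerable(server_memory, rec_len, resp);
    int leaked = contains(resp, n, secret);
    size_t m = heartbeat_fixed(server_memory, rec_len, resp);
    return leaked && m == 0;
}

/* An honest request (claimed length equals the real payload) must still be
 * echoed by the fixed handler. Returns 1 on a correct round trip. */
int honest_roundtrip(void)
{
    unsigned char rec[64], resp[128];
    size_t rec_len = build_record(rec, 5, "hello");
    size_t n = heartbeat_fixed(rec, rec_len, resp);
    return n == 1 + 2 + 5 + HB_PADDING && memcmp(resp + 3, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaked secret, fix rejected: %d\n", heartbleed_demo());
    printf("fixed handler echoes honest request:            %d\n", honest_roundtrip());
    return 0;
}
```

The fixed handler drops a lying request without sending an alert, which is what the real patch does: answering with an error would itself confirm to a scanner that the heartbeat extension is enabled.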

How the Industry Reacted:

While it's easy to advise users to keep an eye on their online accounts and data, the Heartbleed bug is present in millions of major Web sites and Web services because OpenSSL is the default secure-sockets-layer/Transport Layer Security (SSL/TLS) library for the Apache and NGINX Web servers. Sites reported as affected at the time included heavy hitters like Google, Yahoo, Netflix, Facebook, Instagram, Twitter and PayPal. The security industry reacted quickly: shortly after Monday's disclosure of the bug, OpenSSL 1.0.1g, which fixes it, was released, and distribution packages with the fix followed. That doesn't reverse two years of potential access to our online data and the information that might have been swiped, but it does stop the bleeding. It's now up to Web sites and service providers to patch their servers.
As expected, many of the big names were quick to get their systems patched and get the word out that it's safe to use their services. As of midday on Wednesday, Google announced that it had updated many of its services. "We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine," said Matthew O'Connor, Google product manager.  "Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services."

Many others have already followed suit, including Instagram, Facebook and Yahoo. Online users can also check whether a site is still vulnerable before visiting it through this online Heartbleed test site.

End User Actions:

"This is probably the worst bug discovered this year. We believed in the security of SSL/TLS, and now discover that it comes with a hole that allows anyone to read our personal information such as passwords, cookies or even a server's private keys," said Jiri Sejtko, Director of the AVAST Virus Lab. "We, as end users, simply can't do anything but make sure we are as secure as possible."
And that means it's time to change all your online passwords. Many sites have already taken Symantec's last piece of advice (below) and have initiated password resets for their services. For those that haven't, you may be inclined to go ahead and reset your password on your own. Don't, at least not yet.
The issue is that many sites are still running unpatched OpenSSL. Changing your password on one of them changes nothing: the new password passes through the same vulnerable server memory and can be read out just as the old one could. Security experts recommend avoiding sites that still run unpatched OpenSSL until the fix has been applied, and only then changing your password. Ideally the site should also have re-issued its certificate, since the private key itself may have been read out of memory (see Symantec's third step below).

For those who may still potentially be running vulnerable versions of the encryption tool, Symantec's Dick O'Brien recommends businesses follow these steps:
  • Remember that the flaw lies in the OpenSSL library "and not a flaw with SSL/TLS nor certificates issued by Symantec [or other security firms]."
  • Those running OpenSSL 1.0.1 through 1.0.1f (or 1.0.2-beta1) need to update to version 1.0.1g, or recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension. The 1.0.0 and 0.9.8 branches are not affected. Note that Linux distributions often backport the fix while keeping the older version string, so check the package changelog rather than relying on the output of `openssl version` alone.
  • If there's concern that Web server certificates have been compromised, generate a new private key, contact the firm that issued the certificates for replacements, and revoke the old ones. Re-issuing a certificate over the same key does not help, because it is the key that may have leaked.
  • "Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory."
