The Heartbleed bug, a web encryption flaw that has impacted at least two-thirds of the world’s web servers, made headlines last week. The flaw let attackers steal crucial data without leaving any trace of infiltration.
The affected software is OpenSSL, a cryptographic library that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS). In basic terms, it provides the user with a secure line when sending an email or using IM. Once in a while, one computer may send data to another computer to make sure the receiving computer is still active. This small amount of data is known as a “heartbeat”. With the flaw in the software, attackers could trick the recipient computer by sending fake heartbeat packets, after which the recipient computer would send some of its stored data back to the attacker. Think passwords, login names and even credit card details. The bug was discovered by three researchers at Codenomicon, a computer security company, along with a security researcher from Google.
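The length check a receiver needs before answering a heartbeat, as an added example (not code from OpenSSL or from this article): per RFC 6520 a heartbeat message declares its own payload length, and Heartbleed (CVE-2014-0160) came from the receiver trusting that declared length. The function names and sample records are constructed for illustration, and the check assumes the plaintext record as the receiving library sees it.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24   # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> str:
    """Classify one TLS record: 'not-heartbeat', 'truncated', 'ok' or 'suspicious'."""
    if len(record) < 5:
        return "truncated"
    # Record header: content type (1 byte), version (2), record length (2).
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    body = record[5:5 + record_len]
    if len(body) < record_len:
        return "truncated"
    if len(body) < 3:
        return "suspicious"   # no room for the type and length fields
    # Heartbeat message: type (1 byte), declared payload length (2), payload, padding.
    _hb_type, claimed_len = struct.unpack("!BH", body[:3])
    # The declared payload plus mandatory padding must fit inside the bytes
    # that actually arrived; otherwise the message must be discarded.
    if 3 + claimed_len + MIN_PADDING > len(body):
        return "suspicious"
    return "ok"


def build_record(claimed_len: int, payload: bytes, padding: int = MIN_PADDING) -> bytes:
    """Build a constructed sample heartbeat record for exercising the check."""
    body = struct.pack("!BH", 1, claimed_len) + payload + bytes(padding)
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(body)) + body


if __name__ == "__main__":
    samples = {
        "well-formed heartbeat": build_record(4, b"ping"),
        "declared length exceeds record": build_record(0x4000, b"", padding=0),
        "application data record": struct.pack("!BHH", 23, 0x0302, 2) + b"hi",
    }
    for label, record in samples.items():
        print(f"{label}: {check_heartbeat_record(record)}")
```

A record flagged `suspicious` should be dropped without a reply, and its arrival is worth logging because a well-behaved peer never sends one.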
The Telegraph, a U.K.-based newspaper, compiled a list of websites that were or still are affected by the Heartbleed bug.
Sites like Facebook, Tumblr, Google and Yahoo! were all affected by Heartbleed. Users have been advised to change their passwords to avoid being hacked even though many of the sites affected have responded to the situation. “We’ve assessed the SSL vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps and App Engine. Google Chrome and Chrome OS are not affected,” said Google.
Dropbox, a popular file hosting service, was also using the OpenSSL system when Heartbleed was exposed. “We’ve patched all of our user-facing services and will continue to work to make sure your stuff is always safe,” the company said.
Twitter, the popular social media site, was not affected. The company wrote, “On 4/7/2014 we were made aware of a critical vulnerability in OpenSSL (CVE-2014-0160), the security library that is widely used across the internet and at Twitter. We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation.”
The flaw was introduced in December 2011 during an OpenSSL software update, which means that attackers have had opportunities to exploit it for two years. It wasn’t until a recent update that the bug was exposed and fixed.