Recently my wife announced that the ‘internet had been hacked’. She had been watching the TV News which featured a story about the ‘HeartBleed’ bug and in true popular media style, the story was blown out of proportion… Or was it?
What is the Heartbleed Bug?
It's technical, so hold onto your hat and I'll do my best to de-geek it. Heartbleed relates to OpenSSL. SSL (the Secure Sockets Layer protocol) is used for internet connections that need to be secure; say between your PC and your online banking service, or when providing credit card details while shopping online. SSL encrypts, and so protects, the information you pass back and forth 'on the wire' from unscrupulous eyes. OpenSSL is an open source implementation of SSL.
The OpenSSL Heartbeat Extension keeps an encrypted connection alive with a periodic communication 'heartbeat'. The Heartbleed bug stems from a software glitch in the way the Heartbeat Extension handles those heartbeat messages: the other end of the connection can make it hand back a piece of the server's memory with each 'heartbeat', hence the name 'heartbleed'. That piece of memory can be examined for unencrypted information such as userids and passwords, and then a further piece of memory is exposed on each subsequent heartbeat.
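To show the bug class described above in code, here is an added toy simulation (not code from the original post, and not OpenSSL's own code): a heartbeat request carries a claimed payload length, the vulnerable handler trusts that number and echoes bytes from beyond the request, while the fixed handler refuses any length larger than what was actually received. The memory layout, the 'session=abc123' secret and the function names are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for process memory: the received heartbeat request fills
 * the first REQ_MAX bytes; a made-up session cookie sits right after it. */
#define REQ_MAX 16
static char memory[REQ_MAX + 32];
/* Place a request in memory: 2-byte big-endian claimed length, then the payload bytes really sent. */
static void set_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    memset(memory, 0, sizeof memory);
    strcpy(memory + REQ_MAX, "session=abc123"); /* the secret next to the request */
    memory[0] = (char)(claimed_len >> 8);
    memory[1] = (char)(claimed_len & 0xff);
    memcpy(memory + 2, payload, actual_len);
}
/* Vulnerable handler: trusts the claimed length and copies that many bytes from
 * the payload onwards, reading past the request into whatever follows it. */
static size_t heartbeat_vulnerable(char *reply) {
    size_t claimed = ((uint8_t)memory[0] << 8) | (uint8_t)memory[1];
    if (claimed > sizeof memory - 2) claimed = sizeof memory - 2; /* keeps the toy in bounds */
    memcpy(reply, memory + 2, claimed);
    return claimed; /* bytes echoed back to the peer */
}
/* Fixed handler: the claimed length must fit inside the bytes actually received;
 * otherwise the heartbeat is dropped and nothing is echoed. */
static size_t heartbeat_fixed(char *reply, size_t received_len) {
    size_t claimed = ((uint8_t)memory[0] << 8) | (uint8_t)memory[1];
    if (received_len < 2 || claimed > received_len - 2) return 0;
    memcpy(reply, memory + 2, claimed);
    return claimed;
}
static int reply_contains(const char *reply, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(reply + i, needle, n) == 0) return 1;
    return 0;
}
/* Scenario: a 2-byte payload that claims to be 40 bytes long. Returns 1 when the
 * vulnerable reply leaks the secret and the fixed handler refuses the request. */
int demo_overread(void) {
    char reply[sizeof memory];
    set_request(40, "hi", 2);
    int leaked = reply_contains(reply, heartbeat_vulnerable(reply), "session=abc123");
    return leaked && heartbeat_fixed(reply, 4) == 0;
}
/* An honest 2-byte heartbeat passes the fixed handler and is echoed unchanged. */
int demo_well_formed(void) {
    char reply[sizeof memory];
    set_request(2, "hi", 2);
    return heartbeat_fixed(reply, 4) == 2 && memcmp(reply, "hi", 2) == 0;
}
```

The only difference between the two handlers is the one length check, which is exactly the kind of fix the web server patch mentioned below applies.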
How does that impact your website?
If your site uses SSL (e.g. for ecommerce) via OpenSSL, you may be exposing your clients to the risk of having their userids, passwords and other sensitive information they've entered stolen.
Your Android phone/tablet might be at risk too
It is possible for a malicious server to use a "reverse Heartbleed" attack to gain access to the client's memory (i.e. for usernames and passwords). Notably, Google has confirmed that Android version 4.1.1 (Jelly Bean) has the Heartbleed bug; this affects approximately 50 million Android devices.
This YouTube video shows how Heartbleed can be used to silently hack into your Facebook and other online services on your Android:
How is Heartbleed fixed?
There is a web server patch available, but even so I've discovered several commercial web hosting servers that are still not updated. Jelly Bean Androids are still exposed at this stage…
- Test your website for Heartbleed vulnerability here
- Check your Android’s version
- If you have 4.1.1, watch for updates and apply them as soon as they arrive