The software that is meant to keep your credit card transactions, email, online banking and passwords safe is broken
A basic error in a cryptographic software library that underlies the security of most of the internet has broken that security, and therefore has MASSIVE consequences for you.
The error allows anyone on the internet to steal information protected by the https:// function of websites or by the secure communications function (SSL/TLS) used for email, instant messaging and VPNs.
The error is what is known as a buffer overflow, and it's in the OpenSSL library. An error in library software is a bad thing, as people use various bits of library software as building blocks for other, bigger systems on the assumption that they just work.
The error allows anybody to request random blocks of memory from a server or device, UNDETECTED! These blocks of memory contain all the information that a hacker needs to totally compromise the server and watch (and capture) all the transactions, email and information flowing through it. Unfortunately, it is a totally trivial thing for a bad guy to do, and there is no protection other than upgrading all the servers and devices affected.
Hardware as well as software
The bug in this library allows anyone on the internet to read the memory of the systems protected by the affected versions of OpenSSL. Presently you have no protection if a site, router, or VPN system you are using is built on the library with the error. Somewhat annoyingly, Cisco, F5, Aruba, Blue Coat, Fortinet, Juniper, Sophos and WatchGuard are all affected and will require some form of upgrade. Pretty much all versions of Linux are affected and will need some form of upgrade. Apache and Nginx (66% of the internet server market) are also affected and will need some form of upgrade.
Don’t use Online Banking for a while
As this vulnerability has been around for a couple of years, any banking websites will need to replace their SSL certificates after having patched their systems before online banking is safe again. So don't use online banking, or your banking iPhone/Android app, until you have confirmed with your bank that they have fixed the issue.
If you use any form of VPN, you should check with your supplier or company as to their status regarding patching OpenSSL and reissuing certificates. Again, you cannot assume that it's safe unless you have done so.
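The order described above for banks and VPN suppliers (patch first, then replace the certificate) can be checked from two observations of a site's certificate. This is an added example, not code from the original article; the record fields, sample values and dates are constructed, and `spki_sha256` is a hypothetical field holding a hash of the certificate's public key that the operator recorded themselves.

```python
import ssl
from datetime import datetime, timezone


def issued_at(cert: dict) -> datetime:
    """Parse notBefore in the text format ssl.SSLSocket.getpeercert() returns."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissue_status(before: dict, now: dict, patched_at: datetime) -> str:
    """Classify the certificate served now against the one seen before the fix."""
    if now["serialNumber"] == before["serialNumber"]:
        return "not-replaced"          # same certificate is still being served
    if now["spki_sha256"] == before["spki_sha256"]:
        return "same-key"              # new certificate wraps the old key pair
    if issued_at(now) < patched_at:
        # notBefore can be backdated by the issuer, so treat this as a
        # question to put to the operator rather than as proof.
        return "issued-before-patch"
    return "replaced-after-patch"


# Constructed sample data: none of these values come from a real site.
PATCHED_AT = datetime(2020, 6, 1, tzinfo=timezone.utc)
BEFORE = {"serialNumber": "0A01", "notBefore": "Jan 10 00:00:00 2020 GMT",
          "spki_sha256": "aa" * 32}
SAME_KEY = {"serialNumber": "0B02", "notBefore": "Jun 10 00:00:00 2020 GMT",
            "spki_sha256": "aa" * 32}
TOO_EARLY = {"serialNumber": "0C03", "notBefore": "May 20 00:00:00 2020 GMT",
             "spki_sha256": "bb" * 32}
GOOD = {"serialNumber": "0D04", "notBefore": "Jun 10 00:00:00 2020 GMT",
        "spki_sha256": "cc" * 32}

if __name__ == "__main__":
    for name, cert in [("unchanged", BEFORE), ("same key", SAME_KEY),
                       ("early", TOO_EARLY), ("good", GOOD)]:
        print(f"{name:10s} {reissue_status(BEFORE, cert, PATCHED_AT)}")
```

Only the last outcome matches what the article asks for: a new certificate, with a new key, issued after the system was patched.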