This past month, researchers publicly announced a major security flaw in software used by an estimated two-thirds of the web's servers. The bug, commonly referred to as the Heartbleed bug, is potentially devastating because it could affect nearly any website using one particular piece of encryption software, including websites that are usually deemed secure, like Yahoo!. The flaw is not in the encryption itself but in OpenSSL, the widely used library that implements the SSL/TLS protocols encrypting traffic between browsers and websites.
OpenSSL supports an optional TLS feature called the heartbeat extension: while a person is connected to a website that uses OpenSSL, her computer and the server can exchange small keep-alive messages to confirm that both are still there. Each heartbeat request carries a payload and a length field stating how many bytes that payload contains, and the server is supposed to echo the payload back. The Heartbleed bug is a missing check: the server trusted the stated length without comparing it to the amount of data actually received. An attacker can therefore send a heartbeat request that claims a payload of up to about 64 kilobytes (the most the 16-bit length field can express) while sending almost nothing, and the server answers with up to 64 kilobytes of whatever happened to be stored in its memory next to the request. That memory is the server's RAM (“random access memory,” the working memory where a running program keeps its data), and it can contain session cookies, passwords, credit card numbers, and even the private key that protects the site's encrypted traffic. The request can be repeated as often as the attacker likes, each time returning a fresh slice of memory.
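The following is an added example, not code from the original article or from the OpenSSL project. It models the heartbeat handler described above in simplified form: a record with a 1-byte type, a 2-byte length field, the payload and 16 bytes of padding, processed once by a handler that trusts the length field (the pre-fix logic) and once by a handler that performs the bounds check the patch introduced. The `server_memory` buffer, the `SECRET` string placed after the record, and all function names are constructed for illustration; the demo keeps its own reads inside the buffer so that it runs safely, which real process memory does not guarantee.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the TLS heartbeat handler (RFC 6520) before and after the
 * Heartbleed fix. Record layout: 1-byte type, 2-byte big-endian payload length,
 * payload, at least 16 bytes of padding. Constructed illustration, not OpenSSL code.
 */
#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16
#define MEM_SIZE          256

/* Stand-in for a slice of the server process's RAM: the incoming heartbeat
 * record sits at the front, and unrelated data follows it. */
static unsigned char server_memory[MEM_SIZE];

/* Constructed "secret" belonging to some other connection, placed right after
 * the record so that an over-read will pick it up. */
static const char SECRET[] = "password=hunter2";

/* Build a heartbeat request in server_memory. claimed_len is what the sender
 * writes into the length field; actual_payload is how many payload bytes are
 * really present. Returns the true length of the record that arrived. */
static size_t build_request(uint16_t claimed_len, size_t actual_payload) {
    memset(server_memory, 0, sizeof server_memory);
    unsigned char *p = server_memory;
    p[0] = TLS1_HB_REQUEST;
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memset(p + 3, 'A', actual_payload);
    size_t record_len = 1 + 2 + actual_payload + HB_PADDING;
    memcpy(server_memory + record_len, SECRET, sizeof SECRET - 1);
    return record_len;
}

/* Pre-fix logic: the payload length comes from the peer and is never compared
 * with how much data actually arrived, so memcpy reads past the record into
 * whatever lies next in memory. rec_len is accepted only to show it is ignored. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;                      /* the bug: never consulted */
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;   /* demo-only guard so the model itself stays in bounds */
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);             /* over-read: copies 'payload' bytes, not what was received */
    bp += payload;
    memset(bp, 0, HB_PADDING);          /* padding (random bytes in real TLS) */
    return resp_len;
}

/* Post-fix logic: check the record is long enough for the header, read the
 * claimed length, then check the whole claimed message fits inside the record;
 * otherwise discard silently, as RFC 6520 section 4 requires. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec_len) return 0;
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = (p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* the missing bounds check */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return resp_len;
}

/* Does the response contain the needle? (small substring search; memmem is not standard C) */
static int response_leaks(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[MEM_SIZE];
    /* Attacker sends 4 payload bytes but claims 100. */
    size_t rec_len = build_request(100, 4);
    size_t n = heartbeat_vulnerable(server_memory, rec_len, out, sizeof out);
    printf("vulnerable: %zu-byte response, leaks secret: %s\n", n,
           response_leaks(out, n, SECRET) ? "yes" : "no");
    n = heartbeat_fixed(server_memory, rec_len, out, sizeof out);
    printf("fixed: %zu-byte response (0 = request discarded)\n", n);
    return 0;
}
```

With a 4-byte payload and a claimed length of 100, the vulnerable handler returns a 119-byte response whose echoed payload includes the constructed secret that sat after the record; the fixed handler discards the same request because 1 + 2 + 100 + 16 exceeds the 23 bytes that actually arrived, and still echoes an honest request whose claimed and real lengths agree.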
OpenSSL is a free set of encryption tools maintained by a core team of four European programmers with contributions from the open source community, meaning anyone can submit code to improve it or adapt it for their own website. SSL stands for “secure sockets layer,” the protocol (since succeeded by TLS) that puts the lock icon next to the Web address when a website uses it. About two years ago, a software developer contributed the heartbeat code with a basic programming mistake, a missing length check, and that mistake became the Heartbleed bug.
What is so shocking about this is that it was entirely preventable, but, because so few resources were devoted to auditing the code, neither researchers nor users noticed the bug for years. While it makes financial sense for many businesses to use open source software, since it is fairly reliable and cheap, the businesses that deploy it remain responsible for the security of their applications. The problem with a flaw like this is that it does not announce itself during normal use: the code behaves correctly for every honest client, and the bug surfaces only when someone deliberately tests the software or probes it for weaknesses. That work comes down to two interested groups: security professionals and malicious hackers. Security researchers work to find these kinds of bugs first and come up with fixes before they can be exploited by the less virtuous. If hackers find a flaw first, however, they can quietly harvest passwords and other private information for as long as it stays unpatched.
In the past few weeks, firms have been responding to this security flaw by testing their websites and updating security features. Large banks’ websites have been run through a Heartbleed bug “checker,” and the following have declared that they are not vulnerable: Bank of America, Capital One, JPMorgan Chase, Citigroup, US Bancorp, Wells Fargo, and PNC Financial Services Group. Major websites like Google and Yahoo! have installed patches to correct their vulnerability, and security experts suggest changing all of your passwords to be safe, but only after a site has patched and replaced its certificates; a password changed on a still-vulnerable server can be stolen just like the old one. Major institutions such as the Defense Department and Department of Homeland Security use OpenSSL but have reported no attacks as a result of the bug. YouTube and Amazon were also affected, but both have since patched the flaw. Bloomberg has reported that the NSA has known about this flaw since 2012, which would mean the spy agency could have had access to passwords, emails, and other vulnerable data. However, an NSA spokesperson denied awareness of Heartbleed in an interview with TIME, saying, “reports that say otherwise are wrong.”