Saturday, April 12, 2014

Heartbleed Bug



If you read even a little tech news, I doubt you have not heard of the Heartbleed bug. It has shaken internet geeks! But what is all the buzz about?

What is Heartbleed?

The Heartbleed bug is a serious vulnerability in OpenSSL, one of the implementations of the SSL/TLS cryptographic protocols. The scary thing is that OpenSSL is used by 2/3 of the websites on the internet, and this bug went undetected for 2 years.

How serious is this bug?

Quoting the security expert Bruce Schneier:
    "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

What is the risk?

This security bug allows an attacker to read an arbitrary 64 KB chunk of server memory. Each request exposes up to 64 kilobytes of server memory, but the attack can be performed over and over again to gather lots of information. This can expose usernames, passwords and cookies. The Heartbleed bug is putting millions of passwords and credit card numbers at risk.

Mark Loman reported that he was able to see a username and password in plaintext using this vulnerability.
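To show where the 64-kilobyte figure comes from and what the patch has to enforce, here is an added sketch (not code from this post or from OpenSSL) of a handler for a TLS heartbeat request that checks the sender's claimed payload length against the bytes actually received. The function names `hb_overread` and `hb_respond` and the sample records are hypothetical; the message layout follows the TLS heartbeat extension (RFC 6520).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message: 1-byte type, 2-byte payload length, payload, >= 16 bytes padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Bytes past the end of the received record that a copy trusting the sender's
 * length field would read. The field is 16 bits, hence the 64 KB ceiling. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened handler (hypothetical name): builds the echo response in out, or
 * returns -1 to silently discard a record whose claimed length does not fit. */
long hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t total = HB_HEADER + claimed + HB_PADDING;
    if (total > rec_len) return -1;   /* the bounds check a patched server must make */
    if (total > out_cap) return -1;   /* never write past the caller's buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* real stacks use random padding */
    return (long)total;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t HONEST[23]   = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t OVERLONG[19] = {HB_REQUEST, 0xFF, 0xFF};

int main(void)
{
    uint8_t out[64];
    printf("honest:   reply=%ld\n", hb_respond(HONEST, sizeof HONEST, out, sizeof out));
    printf("overlong: reply=%ld, unchecked over-read=%zu bytes\n",
           hb_respond(OVERLONG, sizeof OVERLONG, out, sizeof out),
           hb_overread(OVERLONG, sizeof OVERLONG));
    return 0;
}
```

A server without the `total > rec_len` check would echo back whatever sits in memory after the short record, which is how usernames, passwords and cookies end up in the reply.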


What can I do to make sure I am secure?

If you have access to the server, you will need to install the latest OpenSSL patch. If you are just a user, you can do nothing until the website / web server administrator has fixed the issue. Once the issue is fixed on a site, we recommend that you change your passwords ASAP. To check whether the issue is fixed on a particular site, use: http://filippo.io/Heartbleed/ .

How do I know if I am not compromised?

Unfortunately, as stated on heartbleed.org, exploitation of this bug leaves no trace of anything abnormal in the logs. You won't find any abnormality in your logs if you've been compromised.

Which famous sites were affected by this bug?

Being a very famous SSL implementation, OpenSSL was being used by most websites. A few of the famous sites allegedly affected are listed below:
· Facebook
· Instagram
· Pinterest
· Tumblr
· Twitter
· Google
· Yahoo
· Gmail
· Yahoo Mail
· GoDaddy
· Intuit Turbo Tax
· Dropbox
· Minecraft
· OkCupid
· Stackoverflow