Heartbleed bug: Everything you need to know

Since news of the Heartbleed OpenSSL vulnerability broke at the start of April, web sites across the globe have taken steps to shore up their defences against it.

Meanwhile, web users have found themselves on the receiving end of conflicting advice about whether they should take action and change their passwords or do nothing and wait for the internet service provider community to sort things out.

In some cases, end users are being urged to change their passwords anyway, but - perhaps - without really understanding what it is they're taking action against.

Here, we run through the information that has been documented about Heartbleed to date to help inform your response to the debacle.

What is Heartbleed?

Heartbleed is a vulnerability that security researchers uncovered within the popular OpenSSL cryptographic software library, which could be used by hackers to eavesdrop on web users' internet activities.

Security group Codenomicon tested the vulnerability and discovered it could be used to steal user names, passwords, emails, instant messages and other documents without leaving a trace.

How does it work?

Heartbleed affects the integrity of the SSL/TLS encryption used to secure internet services and transactions.

Its origins lie in a programming mistake in the heartbeat extension of OpenSSL, which wrongly provides access to 64KB of memory that hackers could seize on to scrape sensitive data, 64KB at a time.
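As an added example (not from the original article and not OpenSSL's own code), the C sketch below shows the kind of length check whose absence allowed the leak, using the heartbeat message layout from RFC 6520. The function names and the zero-filled padding are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request, RFC 6520 */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HEADER   3   /* 1 type byte + 2 length bytes */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Payload length the peer claims (16-bit big-endian, so at most 65535). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the end of the record that a handler trusting the claimed
 * length would copy into its reply. Computed only, never read. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Checked handler (hypothetical name): writes the response into out and
 * returns its length, or returns 0 to silently discard a bad request. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;  /* too short to parse */
    if (rec[0] != HB_REQUEST) return 0;
    size_t claimed = hb_claimed_len(rec);
    /* The check that was missing: claimed length must fit in the record. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo payload only */
    /* Zero padding for simplicity; RFC 6520 specifies random padding. */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return resp_len;
}
```

A request that claims the maximum payload length but carries no payload is discarded by `hb_build_response`, while `hb_overread_bytes` reports how much adjacent memory an unchecked handler would have echoed back, which is where the article's 64KB figure comes from.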

How long has the flaw been known about?

Reports about its existence emerged at the start of April 2014, but security researchers claim the flaw may have existed for around two years.

Who is affected?

OpenSSL is widely used to secure online connections, and to underpin the security of web servers, email programs, VPNs and chat services.

For this reason, the Heartbleed saga has the potential to run and run, according to Yogi Chandiramani, director of systems engineering at network security company FireEye.

This is because its effects are likely to be far more wide-reaching than many seem to appreciate at the moment, he told IT Pro.

"There has been a lot of reaction from the security industry [to Heartbleed] and a lot of organisation. It's been very impressive to see how websites have updated their certifications and so on... but that's only - I believe - the tip of the iceberg.

"SSL is not just used for connecting to financial services, online payment and retail and so on, it's also used a lot internally and therefore [Heartbleed] could be leveraged internally as a bug in internal applications, such as internal ERP apps, internal ticketing systems and even when managing devices," he explained.

Have there been any reports of Heartbleed being exploited to date?

Parenting advice forum Mumsnet confirmed that it had fallen victim to the vulnerability, despite rolling out a fix for it shortly after news of Heartbleed came to light.

Hackers seized on the flaw to post messages purportedly from Mumsnet CEO Justine Roberts that derided its members, and declared the site was being put up for sale.

The Canada Revenue Agency recently announced that 900 social insurance numbers, amongst other data, had been compromised by an attack on its site brought about by the OpenSSL flaw.

A 19-year-old man was arrested and charged in connection with exploiting Heartbleed to carry out the data theft on 17 April.

What can I do to protect myself and my organisation?

A fix for OpenSSL has been released, and widely deployed by website owners and vendors, so an element of protection against Heartbleed has already been taken care of on behalf of end users.

As reported by IT Pro, the OpenBSD Foundation has also started work on a new, forked version of OpenSSL (dubbed LibreSSL) to help safeguard users and the sites they use against similar problems in the future.

Further to that, many sites are advising users to reset their passwords, just in case hackers pilfered their data before a fix was issued, with a view to using it at a later date.

This is precisely what happened in the case of Mumsnet. The site successfully patched the OpenSSL vulnerability on 9 April, but hackers used data obtained before it was applied to make fraudulent posts.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.