New Internet bug will be hard to eradicate

Posted: April 13, 2014

Let's cut to the big question:

Should I change all my passwords?

Answer: Yes, but not right this moment.

Millions of people are asking the italicized question above. Why? Because a terrible thing has been happening to the Web, for two years, without detection, and it affects most people who use it.

It's called the Heartbleed Bug. Its discovery was announced Monday, jointly, by folks at Google and those at a Finnish company called Codenomicon.

We will explain the name below, but focus for now on the Bug.

Many of the major servers and websites on the Internet - meaning "most of the ones you use" - depend on a protocol that protects information. It's called OpenSSL. It basically turns sensitive information into gooble-gobble. It encrypts it so prying eyes cannot see.

Basically, some evil hacker discovered that the designers of OpenSSL had left a little back door swinging open. This genius designed Heartbleed, which exploits this back door, and slips in and out of supposedly locked-down servers and sites, sipping information in little tiny sips. In and out, leaving no trace.

Passwords and user IDs. Encryption keys. Private information. Supposedly off-limits secrets of how these sites and servers work. So much information exposed over two years without anyone knowing. According to Codenomicon, Heartbleed "allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users."

Heartbleed found its way into OpenSSL in December 2011 and was "out in the wild" as of March 2012.

Very big sites used by millions may have been compromised. Sites like Google, Amazon, Yahoo, and Netflix. (All of them acted quickly to slam that little back door and batten all hatches.) Open-source Web servers like the much-used Apache and nginx.

Actually, it's not as bad as portrayed above. It's worse.

On Thursday, the world learned that some of the computerized equipment via which people create networks on the Internet - made by names such as Cisco and Juniper - are riddled with Heartbleed. Cisco or Juniper products shipped or purchased before Monday (when Heartbleed was announced) could be infected. The Huffington Post quoted cybersecurity researcher Bruce Schneier as saying, "The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy." Nice.

This means many bad things. The bug may infect some home-networking hardware. E-mail servers, security firewalls (for example, the McAfee firewall, made by Intel), PCs, phones, even maybe some mobile phones are vulnerable. Some online games and related software. Some online encryption services such as Tor. Reuters quotes an expert saying that version 4.1.1 of the Android operating system, nicknamed Jelly Bean, is vulnerable.

Back to the name. You get the "bleed" part. So tiny and so quick are these little thefts that no one knew. For more than two years. Astonishing and awful. Because, of course, once you have such information, you can wreak a lot of havoc.

The "Heart" part is insidious and heartbreaking. The weakness in OpenSSL is in something called "the heartbeat extension" of its security protocols. The "heartbeat extension" is a howdy-do process by which a server connects to a network. (It's called a "heartbeat" because it pumps out little 64-kilobyte pulses of info.) Heartbleed gets the heartbeat extension to bleed the contents of its memory, so the hacker can read all the traffic between the vulnerable server and all its clients.

When one of my accounts was hacked, I changed my passwords and user IDs. Do you have to do that? On every site you use (if you can even remember them all)?

Wouldn't hurt. Especially if people are asking you about weird e-mail you sent. Or if you're getting nice e-mail from yourself.

But don't do it right away.

The folks who have the big fixing to do, right now, are the servers and sites you use. If you changed all your passwords and the sites didn't plug the leak, you could get hacked all over again, wasting your effort.

Like Yahoo and Netflix, thousands and thousands of sites and servers are scrambling right now to correct the weakness in OpenSSL (a new, stronger Fixed OpenSSL has now been released), get new security certificates, and change their programs and protocols to safeguard everything all over again. Some of the bigger sites and companies are being a little cagey, but you can bet that their white-coated guys are frantically pounding the keyboards.

You should:

Find out if your favorite server is vulnerable. You can go to sites such as the Heartbleed Test ( and enter a URL or host name. CNet is running a constantly updated list ( of the 100 most popular vulnerable servers.

Even if they say they've fixed everything, ask again and make sure they have. Only when they say yes, definitely, patch patched, new certificates gotten, all clear . . . then

Dump all the history and cookies out of your Web browser. 

And then - change your passwords.

In time, most of the Web will be fortified against Heartbleed. But what's stolen is way down the road. Time to get strong and more vigilant.

215-854-4406 @jtimpane

comments powered by Disqus