Beringer Associates Technology Blog
OpenSSL is an open-source communication security tool used by a majority of websites – up to two-thirds, according to a New York Times report – to encrypt data between businesses and consumers and keep malicious parties from obtaining sensitive information. However, cybercriminals have exploited a vulnerability called the “heartbleed bug” – discovered by Google researchers and Finnish security professionals, and so named because it pings the messages sent between the two parties to obtain their content without leaving a trace.
What is perhaps most disconcerting about heartbleed is that its stealthy nature leaves no clear indication of how many websites have been affected. That has not stopped major websites, including Amazon, Facebook, Google and Yahoo, from fixing the vulnerability, The Times reported.
David Chartier, chief executive at security vendor Codenomicon, highlighted the dangers of the bug.
“Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there,” he explained, according to the news source.
Organizations are encouraged to download the latest version of OpenSSL and obtain new encryption keys, as well as to update corporate passwords, The Times reported.
What this means for consumers
This news is undoubtedly worrisome for consumers who put their faith in companies’ ability to safeguard their most precious information. The report noted that some data points taken using the heartbleed bug include Social Security numbers, passwords, banking details and storage files. What further makes the vulnerability a potential nightmare for Internet users is the fact that people may not even know that their data has been accessed in the first place.
“Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Chartier said. “That’s what makes it so vicious.”
Some people who learn about the heartbleed bug may think that changing their passwords will protect them from future incidents. Time magazine’s Doug Aamoth recently asserted that this is actually the worst action a consumer can take: customers who change their passwords risk exposing the new credentials to prying eyes if the websites have not yet updated to the latest safeguards.
So what can people do in this unprecedented situation? Aamoth encouraged consumers to check whether the websites they access have fixed the vulnerability and only then update their passwords knowing the site is protected. The reporter also provided a link to help users determine whether certain websites are still not patched.
The heartbleed bug is another clear indication that cybercriminals are wreaking havoc on the Internet, putting consumers in the middle of a digital battle between security vendors and sophisticated hackers. The good news is that the vulnerability has been identified – the bad news? This is just the beginning of what will be a long process of truly determining the aftermath of what is shaping up to be one of the most disruptive security findings in recent memory.