Why You Should Be Terrified of the Heartbleed Bug -- And What You Can Do About It
There's a horrid security bug going around and you probably caught it already. Or rather, some of your favorite sites caught it and you'd be smart to change your passwords there. Disturbingly, this massive threat to online security and privacy comes from the very software that's supposed to protect our data flows.
How bad is it? Security expert Bruce Schneier calls it a "catastrophic" flaw. "On the scale of 1 to 10, this is an 11."
The bug is known as Heartbleed and lets attackers random data out of Web servers with no risk of detection. Most of these random data chunks will be unreadable noise, but some it it may contain encryption keys, user logins and passwords, or credit card numbers, just to name a few sensitive data types. One tiny chunk at a time, it's possible to siphon out most of the server's memory contents.
The name refers to two technical aspects to the bug: reading data returned from a malformed "heartbeat" request and bleeding information out of the very heart of your system.
Heartbleed is not related to the hacking attacks on Target last fall. That was a focused effort by criminals to ferret out credit card information from Target's systems and used sophisticated special-purpose software to get it done. Heartbleed is just a simple software bug and not a targeted attack, but the doors it opens lead to scary places that Target never had to visit.
It's been around for two years, and appears to have been exploited over the last five months. The memory-reading flaw affects millions of websites using the popular OpenSSL security package. Anything running on Linux or BSD systems of a certain vintage is up for grabs. Even elsewhere, popular Web server software such as Apache and nginx often use the affected software. Together, these two software solutions serve up 66% of all Web requests today, including more than 70% of the Internet's busiest sites.
Let's put our tinfoil hats away
The flaw was not introduced by the NSA, the CIA, Scotland Yard, or the Illuminati. It was a simple programming error made two years ago, forgetting to check the size and validity of a data request before sending out a response. The developer who made the error calls it a "trivial" mistake with "severe" consequences.
OpenSSL is open-source software, meaning that anybody could have found the error and submitted a patch to plug the Heartbleed memory hole. But despite its very heavy usage in the real world, few developers actually work on this package. Any bug is shallow and easily fixed, given enough eyeballs looking at the code -- but OpenSSL just didn't have enough of those flaw-finding eyeballs. That's why the bug wasn't detected for two years.
Intelligence agencies may very well have found and exploited the bug at some point, but it's impossible to find out unless Edward Snowden's unreleased papers talk about it.
What to do right now
So, what happened to your data and what does a regular Web surfer do now?
The good: Fixing the Heartbleed bug is very simple, and many sites have already patched their systems.
The bad: Smaller sites with lower IT budgets and less tech expertise may not have plugged this hole yet -- and some may never get around to it.
The ugly: Your sensitive data may already have been trawled out of vulnerable servers, even if the Heartbleed fix is in place today.
It's time to take action.
Mashable keeps a handy list of major sites, noting which of them were affected by Heartbleed and which passwords you should change right away.
Keep an eye on your email inbox. Site owners may reach out to let you know that something was amiss and that it's high time to update your passwords anyway. This is not spam but a serious call to action. For example, I got a note like that from Pinterest this morning:
If you're feeling proactive, there's a plugin for the Chrome browser that lets you know if a site you're visiting is vulnerable to Heartbleed. Install it and browse like you usually do and the tool will let you know when something's amiss.
Or you can go directly to the data source behind the Chrome plugin, checking sites by hand before stepping on potentially infected ground. This Heartbleed checker actually runs an attack on your behalf, extracting a handful of bytes just to see if it works. The tool works in any modern browser and, no, you don't get to see the snatched data.
I use the Lastpass app and browser plugin to manage my own passwords. This tool also checks your database of stored passwords for Heartbleed vulnerability, making it a convenient starting point. Lastpass also supplies its own single-site checking tool, taking press statements into account to present richer information about each site.
For starters, these tools will show you that The Fool is safe as houses because our servers don't use any of the exploitable software. Other sites may not be so lucky. My online stock broker, for example, gets a red flag from Lastpass. How about yours?
So, it's not the end of the world, but you might want to go on a password-changing spree of epic proportions. And if you're just a little more paranoid, you might want to cancel every credit card you've ever used online and order up replacement cards. For once, that's not a crazy thing to do.
Thanks, Target: Your credit card may soon be completely worthless
Speaking of credit cards, the plastic in your wallet is about to go the way of the typewriter, the VCR, and the 8-track tape player. When it does, your wallet will get less vulnerable to hack attacks -- and a handful of investors could stand to get very rich. You can join them, but you must act now. An eye-opening new presentation reveals the full story on why your credit card is about to be worthless -- and highlights one little-known company sitting at the epicenter of an earth-shaking movement that could hand early investors the kind of profits we haven't seen since the dot-com days. Click here to watch this stunning video.
The article Why You Should Be Terrified of the Heartbleed Bug -- And What You Can Do About It originally appeared on Fool.com.Anders Bylund has no position in any stocks mentioned. The Motley Fool has no position in any of the stocks mentioned. Try any of our Foolish newsletter services free for 30 days. We Fools may not all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors. The Motley Fool has a disclosure policy.
Copyright © 1995 - 2014 The Motley Fool, LLC. All rights reserved. The Motley Fool has a disclosure policy.