Bleeding from the source

The Heartbleed bug was discovered by Codenomicon, a Finnish company. The security firm kept the breach under wraps for over a week so the world wouldn’t fall into a panic. The flaw affects over two-thirds of the world’s Internet servers, ranging from major companies like Google and Facebook to microblogs who are asking users to change their passwords.

The bug affects thousands of websites. The protection a user believed they had has now been removed. Web surfers that relied on the Open Secure Socket Layer have found that the Heartbleed bug allowed malicious software to retrieve information about their activity online. Even though 64,000 bytes of information may not seem like a lot, it is still enough to gather data from the client-server connection. A data grab could happen multiple times from a single call, allowing an intruder to grab random 64k of data from any information stream.

A username, password, email and most other content can be captured within 64k worth of information. Though many files are much larger than 64k, it can still give the intruder a decent idea of what is being transferred from a server to a client or vice versa. This has caused Internet users to question their anonymity and privacy when browsing and whether or not they need to change every password. Some consumers have contacted their online banking customer service asking if their accounts have been exposed to the bug.

If the company or content provider has been affected, the user should wait until their content provider has patched the bug. Changing a password or other critical information before the patch will still allow those trying to exploit the bug to succeed because the security flaw is still there.

The flaw in security has existed since March 2012. Ossi Herrala of Codenomicon is recognized as being the administrator that coined the name “Heartbleed.”

“[Ossi] thought it was fitting to call it Heartbleed because it was bleeding out the important information from the memory,” said David Chartier, CEO of Codenomicon.

The bug’s actual name is CVE-2014-0160, based on the line of code it was found on. Yahoo first disclosed the flaw to its users.

Following that announcement, Neel Mehta of Google claimed to have been aware of the bug for several weeks before information went public.

Chartier and his company believed that it was best not to release information about the bug until there was a patch. This means that those who discover a major bug such as this may withhold information and let the bug remain untamed before sharing information with colleagues and other developers to immediately work on a patch.

Though there is now a patch that protects users from the Heartbleed bug, many users pondered that the NSA may actually have been behind the bug due to their recent unveiling of spying on Internet users. These claims are very unlikely since the bug has only been known for a short time. If there were to be any organizations trying to exploit the Heartbleed bug, they would have had to act quickly and get as much information before the patches were released.

A group of coders found a six-hour gap from when the news broke until the Canadian government could patch all their websites and servers, exploited Heartbleed and captured 900 social insurance numbers and other taxpayer information. The Canadian Revenue Agency is currently working around the clock to patch Heartbleed and contact those who have had their information stolen.

It is easy to be misinformed about a security breach of this kind because there is not many who actually understand the process of debugging and patching computer software bugs. Heartbleed may not change everything about staying safe on the Internet, but its a good chance to learn about what appropriate measures you can take to protect online data.