Ann Arbor Area Business Monthly
Small Business and the Internet

Heartbleed Bug

May 2014

By Mike Gould

Once again, Internet security is front page news. This time around, the issue is one of fundamental security, not viruses, phishing, the NSA, or the usual malware stuff I'm getting really tired of writing about (and you are getting tired of reading about, no doubt). The problem this time is a web vulnerability called Heartbleed.

As I write this, the usual two weeks before publication date, news media are still in a froth of breathless reportage on the wherefores and howcomes. So what does it mean to you, Ms/Mr Small Businessperson? Well, rather a lot, so gather round the old post-apocalyptic oil drum fire and I'll spin a tale of woe, wow, and WTF.

(Speaking of which, it's the middle of April and there are three inches of fresh snow on my deck. WTF indeed, but I digress.)

Blame
First of all, it's not your fault. You didn't download anything, click on a bad web page, or respond to a Nigerian prince. You are just at the mercy of faceless techs who set up the servers you talk to when you go about your Internet business. And they are at the mercy of the folks who write the software that runs their servers, their wonders to perform. The problem is that your identity information, passwords, SSNs and the like, are at risk if they were on a server with this vulnerability.

In this case the culprit is a bit of security code called OpenSSL, the software that handles secure web connections. Remember when I talked about secure connections to websites using addresses that involved https:// in their URLs instead of the usual http://? Well, neither do I and a quick trip back to my archives (URL below) failed to turn up anything, but I could swear I covered this back in the day... I know I mentioned something somewhere about seeing a little lock icon in the address bar of your browser: when you see this, it means you are communicating with someone/something securely, via an encrypted SSL web connection.

Background
Anyway, when you go to a site with the https:// prefix, it means you are logging into the site securely. Instead of your web traffic going through in the clear (i.e., as you type it in with no special encoding), what you are typing is first encrypted and then decrypted at the other end, by the server serving whatever secure page you are logging into. In other words, someone who intercepts your web communications will be unable to dig out your credit card info because that data is encrypted. Bad guys intercepting your digital traffic are staging what's called a "Man in the Middle" attack; they sit between you and the server you are logging into and intercept your communications, hoping to snare an SSN or whatever. Encryption prevents this.

Crypto
Back to OpenSSL: this is the technical means of doing that encryption/decryption business. "Open" means that it was developed by the open source community - geeks working for nothing or nearly nothing just because they can and because it helps out fellow geeks doing geek stuff on servers and such. It is to be remembered and treasured that much of the serious web infrastructure code is open source: the Apache web server app being a case in point. Figures vary, but as much as 50% of the web sites out there are running on Apache, which is available at no cost and very well supported by a community of good-hearted individuals of geekish tendencies. Long story. Suffice it to say, open source is generally a good thing except when it breaks, as it did this time, big time.

The "SSL" part of the above stands for Secure Sockets Layer, a way of describing the encryption process mentioned above. A more recent version of this is called TLS, which stands for Transport Layer Security. This was also compromised by the Heartbleed bug.

Enough background already, what happened and why should I worry?

Angst
Well, a programmer (we actually know who this is, but I will not out him here - he is basically a good person working for next to nothing in hopes of making the world a better place), in the process of updating a little bit of code, kinda goofed, wrote in a bad command, and enabled a means of getting data out of a server in an un-intended way. Two years ago. There is an excellent web comic called XKCD, and it has an excellent description of the process, which anyone can understand. URL below.

Heartbleed, by the way, is a reference to heartbeat, which describes the way encryption services synchronize themselves. A corruption of this process enables bad people to extract data via the SSL connection. Long story - STFW (Search The Fine Web) for more details if you are interested.

The problem here is that exploiting the bug leaves no trace on the various servers that they have been hacked. A bad person can connect, exploit the bug, and walk away with vast amounts of stolen data without anyone being the wiser.
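To make the "bad command" and the "no trace" point concrete, here is a toy simulation I've added to the column (it is not OpenSSL's code, and the data in it is made up). A TLS heartbeat record carries a two-byte number saying how long its payload is. The unpatched server trusted that number and copied that many bytes out of its own memory; the patched server first checks that the claimed length actually fits inside the record it received, and if not, throws the record away. The "memory" here is just the record followed by some pretend leftovers from an earlier request, which is the assumption the example rests on.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for the heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding

# Constructed "server memory" leftovers: pretend bytes from an earlier request that
# happen to sit in the process heap right after the heartbeat record. Toy data only.
LEFTOVER_MEMORY = b"POST /login user=alice&password=hunter2 session=abc123"


def build_heartbeat(payload: bytes, claimed_len: int,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a TLS heartbeat record. claimed_len is what the sender *says* the
    payload length is; an honest sender passes len(payload)."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding
    # Record header: content type, version (TLS 1.1 = 3,2), body length
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


def parse_heartbeat(record: bytes):
    """Return (record_len, hb_type, claimed_len, payload_offset) for a heartbeat record."""
    content_type, _major, _minor, record_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_HEARTBEAT:
        raise ValueError("not a heartbeat record")
    hb_type, claimed_len = struct.unpack("!BH", record[5:8])
    return record_len, hb_type, claimed_len, 8


def claimed_length_is_valid(record: bytes) -> bool:
    """The check that was missing: the type byte, the 2-byte length field, the
    claimed payload and the minimum padding must all fit inside the record."""
    record_len, _hb_type, claimed_len, _ = parse_heartbeat(record)
    return 1 + 2 + claimed_len + MIN_PADDING <= record_len


def unpatched_response(memory: bytes) -> bytes:
    """Pre-fix behaviour: copy claimed_len bytes starting at the payload, trusting
    the peer's number. 'memory' is the record plus whatever else sat after it."""
    _record_len, _hb_type, claimed_len, payload_off = parse_heartbeat(memory)
    return memory[payload_off:payload_off + claimed_len]


def patched_response(memory: bytes):
    """Post-fix behaviour: silently discard records whose claimed length does not
    fit (which is also why there is nothing to log); otherwise echo the payload."""
    if not claimed_length_is_valid(memory):
        return None
    return unpatched_response(memory)


if __name__ == "__main__":
    honest = build_heartbeat(b"hello", 5) + LEFTOVER_MEMORY
    oversized = build_heartbeat(b"hello", 64) + LEFTOVER_MEMORY
    print("honest, unpatched:", unpatched_response(honest))
    print("honest, patched:  ", patched_response(honest))
    print("oversized, unpatched:", unpatched_response(oversized))   # leaks leftovers
    print("oversized, patched:  ", patched_response(oversized))     # None: dropped
```

The same length-versus-record comparison in `claimed_length_is_valid` is what network monitors started looking for after the disclosure: a heartbeat whose claimed payload is larger than the record that carried it is malformed by definition, so a defender who can see the traffic can flag it even though the server itself keeps no record.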

You May Be Safe
Ah, but not all servers run this flavor of code, so users of those servers are safe. There is a run down of affected web entities on Mashable, URL below.

How do you know if your passwords and such are vulnerable?
First, go to the Mashable site and see which services you use that are at risk. For instance, Facebook, Google and Tumblr were vulnerable. Were they hit? No one knows, but they are encouraging users to change their password. LinkedIn, Amazon, Apple, and others were unaffected, as they don't use OpenSSL.

Once the vulnerability became known, webmasters world-wide scrambled to fix (patch) the problem, but in the meantime, many passwords and other personal data were at risk.

So What To Do?
Well, changing your passwords is a good start, but, if the server involved hasn't yet been patched, you are still at risk.

As TidBITS (a tech email list I subscribe to) put it:

Should I change my password at every major site I use?
-- No. Only change your password if both of the following are true:
* You know a site was vulnerable.
* You know it is now patched.

XKCD on Heartbleed:
http://xkcd.com/1354/

Mashable list of affected sites:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Index of previous articles:
http://mondodyne.com/b2b/index.shtml

Mike Gould still feels somewhat secure, though not as secure as yesterday, was a mouse wrangler for the U of M for 20 years, runs the MondoDyne Web Works/Macintosh Training/Digital Photography mega-mall, builds laser display devices, performs with the Illuminatus 3.0 Laser Lightshow, and welcomes comments addressed to mgould@mondodyne.com.

MonodoDyne <M> The Sound of One Hand Clicking...
734 904 0659
Entire Site © 2016, Mike Gould - All Rights Reserved