A Canadian Guide to the Heartbleed Bug

What is the Heartbleed Bug?

Heartbleed Bug

The Heartbleed bug is a recently identified bug in the OpenSSL security protocol toolkit. OpenSSL is widely used on web servers to encrypt user data.In general, software bugs are computer program error that cause the software to behave in an unexpected way (e.g., crash, produce a wrong output). Security bugs are a special kind of bug that can lead to a security vulnerability which allows the software system or the data stored in the system to be accessed in a way that was unintended.

Bugs exist in almost all software and they rarely get the media attention received by the Heartbleed bug. Why? Well, most bugs don’t have the potential impact that this bug has on society. The Heartbleed bug affects:

  • User privacy: systems that are affected can share personal information about users. For example, the Canada Revenue Agency (CRA) had 900 social insurance numbers stolen because of this bug.
    :: Personal data stolen from CRA website using Heartbleed bug [Globe & Mail]
  • Software and services availability: in some cases systems that are affected have to be taken off-line in order to fix the bug and to protect user data. For example, the CRA temporarily shut down their major web services last week.
    :: Canada Revenue Agency online services may be shut down until the weekend [The Star]
  • Monetary losses: besides the cost of rapidly patching this bug and securing affected systems there is a potential for companies impacted by the Heartbleed bug to face monetary loses as a result of a decrease in consumer/user trust.

What software is affected by the Heartbleed bug?

The short answer is that any system that uses OpenSSL 1.0.1 or 1.0.2-beta is affected by the bug.

Right now, most of the media is focused on the effect Heartbleed has on web servers and web services. Heartbleed is largely viewed as Internet security bug since most secure connections on the web use OpenSSL. However, it is possible that this bug may leave a much larger set of systems and services vulnerable. Recent reports indicate that the version of OpenSSL containing the Heartbleed bug is used on everything from firewalls, phones to computer hardware.

What can I do to protect myself and my data?

Unfortunately the Heartbleed bug has already been around for 2 years prior to being discovered by security professionals. What is unclear is who has known about the bug before it was made public and what data people with this knowledge may have accessed over the past several years. I believe that once companies and governments move their attention from securing their systems to a post-mortem assessment of the damage/risk incurred, there will be more reports on data breaches caused by the Hearbleed bug.

The average user needs to consider three things moving forward:

  1. What websites, software and services have I used that were vulnerable to Heartbleed? Mashable has been maintaining a list of affected sites and this is the most complete resource I know for identifying what websites you use that were affected.
    :: The Heartbleed Hit List: The Passwords You Need to Change Right Now [Mashable]
    Another great resource for users of the Google Chrome web browser is a a new plugin called Chromebleed which will notify you when you visit a Heartbleed-affected website.
    :: Chromebleed Notifies You if a Visited Site was Hit by Heartbleed Bug [Lifehacker]
  2. Have the Heartbleed-affected websites, software and services I use been fixed and do I need to do anything as well? The Mashable Heartbleed Hit List also provides this information and will let you be confident that the website and software you use is safe and that your data will not be exposed.
    For most sites the only action you will have to take is to change your password (since it may have been exposed to others by the Heartbleed bug). If you use an exposed password for other websites that were not affected you should also change these websites passwords as well.
  3. I use a Heartbleed-affected websites that has not yet been fixed, should I panic? Personally, I wouldn’t panic but I would consider what personal information is stored on this website and I would continue to use the site only if I was comfortable with the knowledge that it was not secure and that others may be able to access my data. Most website and software companies have fixed the bug or are in the process of fixing it. If you are concerned that an affected website or service you use has not yet been fixed you can visit that company’s main webpage and they should have an announcement or update regarding the status of their Heartbleed bug fix. Also, as a final comment if a website has not fixed their Heartbleed vulnerability yet you should wait to change your password.

What are the technical details behind the Heartbleed bug?

The developer who wrote the source code containing the Heartbleed bug said it was accidental and referred to it as a “simple programming error” [PcPro]. OpenSSL released the following security advisory on April 7, 2014 concerning the Heartbleed bug:

OpenSSL Security Advisory [07 Apr 2014]

TLS heartbeat read overrun (CVE-2014-0160)

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Leave a Reply

Your email address will not be published. Required fields are marked *