Heartbleed: What it is and How it Drained the Life Out of Secure Communications

Many of you reading this article may or may not have heard about a recent computer vulnerability called Heartbleed. The question is, with the onslaught of news about computer vulnerabilities and corporate data breaches, is this something that really affects you and something you should be worried about? The short answer is yes. If you have a couple of minutes, I will explain what Heartbleed is, how it affects you, and what steps you can take now to protect yourself.
Heartbleed is a vulnerability in OpenSSL, a widely used software library that implements the SSL/TLS protocol, and it occurs during the “heartbeat” checks between a client and a server. “Huh? Can we get that in layman’s terms please?” Ok, Heartbleed affects the most common forms of secure communication on the internet, such as HTTPS transactions, instant messaging, internet email, and VPNs. When you access your bank account, make purchases on the internet, or use internet email like Gmail or Yahoo Mail, the remote server you are talking to is most likely using OpenSSL to secure the connection between your computer and itself.
During this communication process your computer and the remote server are constantly carrying on a conversation. If we were to witness this conversation at a dinner party, it would look something like this:

YOUR COMPUTER: “Hello, I would like to talk to you?”

REMOTE SERVER: “Hello, we can talk, but before we do, who are you?”

YOUR COMPUTER: “I am a client, see here are my credentials, oh by the way I have some secrets I want to tell you, so can we speak in this secret language?”

REMOTE SERVER: “Now that we know each other, sure, let’s talk, and we can use this secret language.”

The conversation persists like this the whole time you are checking your email or sending your credit card number across the internet to purchase that last-minute gift. Every once in a while, in between you sending and receiving information, your computer needs to make sure it is still connected to the remote server. This is called a “Heartbeat” message: your computer sends a small piece of data along with a note of how long that data is, and the server is supposed to echo the same data back to show the connection is still alive and viable. To use our dinner party analogy, it sounds something like this:

YOUR COMPUTER: “Hi are you still there? My secret password is B@seB@11 and it is 8 characters long.”

REMOTE SERVER: “Hi I’m still here, your secret password is B@seB@11 and is 8 characters long.”

The two computers communicate this way until the connection is terminated. Okay, so what does all this have to do with Heartbleed, and how does it affect you? Well, with the Heartbleed vulnerability someone can jump in and steal data from the session (the discussion between your computer and the remote server) or impersonate your computer. They do this by sending a “Heartbeat” message that lies about how long its data is. Let’s take a look at what our dinner conversation looks like when Heartbleed is introduced:

HEARTBLEED ATTACK COMPUTER: “Hi are you still there? My secret password is B@seB@11 and it is 110 characters long.”

REMOTE SERVER: “Hi I’m still here, your secret password is B@seB@!!^^%USERNAME: Doe, John//&$Card#3333333330000-exp10/16---?//Email:DoeJ1@awesomeness.com$**PH:314-555-5555”

As you can see, the server repeats back the 8 characters it was actually sent, plus whatever happened to be sitting next to them in its memory, until it has sent back the 110 characters it was asked for. That extra information can contain anything from usernames and passwords to credit card numbers to randomly generated characters. The hacker can then piece this information together to find the data they are looking to steal.
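To show the mechanics behind the dinner-party exchange, here is an added example in C, written for this article rather than taken from OpenSSL: a toy heartbeat handler in its vulnerable form, which trusts the length the sender claims, next to a fixed form that checks the claim against what actually arrived. The record layout, the contents of memory[] and the function names are all constructed for the demonstration, and the array is sized so the toy's over-read stays inside it.

```c
#include <stddef.h>
#include <string.h>

/* Toy heartbeat record: 1 type byte, a 2-byte big-endian "claimed payload
 * length", then the payload. Real TLS heartbeats also carry padding; this
 * simplification keeps the missing bounds check easy to see. */
#define RESP_MAX 256

/* Constructed "process memory" (sample data, not real): the 11-byte record
 * that actually arrived, followed by unrelated session data that happens to
 * sit right after it. The array is sized so the toy over-read stays inside. */
static const unsigned char memory[] =
    "\x01"          /* HeartbeatRequest */
    "\x00\x40"      /* sender claims 64 payload bytes (0x0040)... */
    "B@seB@11"      /* ...but only 8 were actually sent */
    "USERNAME: Doe, John; Card#3333333330000; Email: DoeJ1@awesomeness.com";
static const size_t record_len = 11;   /* bytes that arrived on the wire */

/* Reads the claimed payload length from the record header. */
static size_t claimed_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable handler: trusts the claimed length and copies that many bytes
 * starting at the payload, so the copy runs past the end of the record. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp) {
    size_t n = claimed_len(rec);
    (void)rec_len;                     /* never consulted: this is the bug */
    if (n > RESP_MAX) n = RESP_MAX;    /* only keeps the toy buffer in bounds */
    memcpy(resp, rec + 3, n);          /* echoes record bytes AND what follows */
    return n;
}

/* Fixed handler: drops any record whose claimed length exceeds the payload
 * that was actually received, the same idea as the check in the OpenSSL fix. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp) {
    size_t n = claimed_len(rec);
    if (rec_len < 3 || n > rec_len - 3)
        return 0;                      /* silently discard, echo nothing */
    memcpy(resp, rec + 3, n);
    return n;
}

/* Run the stored request through each handler; returns bytes echoed. */
size_t demo_leak(unsigned char *resp) {
    return heartbeat_vulnerable(memory, record_len, resp);
}
size_t demo_fixed(unsigned char *resp) {
    return heartbeat_fixed(memory, record_len, resp);
}
```

The vulnerable handler echoes 64 bytes, the 8 sent plus the session data behind them, while the fixed handler echoes nothing for the same request and still answers a well-formed heartbeat normally.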
We now know that several popular websites such as Facebook, Google, Yahoo, Pinterest, Dropbox, PayPal, and others were likely vulnerable to this type of attack at one time. Fortunately, a patch has been released to correct this issue, but it will still take some time for sites to apply it.
So now that you see how this may affect you, here are some simple things you can do to protect yourself:
  •  Before logging into a website, check to see if it has fixed the issue. Several sites maintain lists of fixed and vulnerable sites, or you can use a free website checker like the ones at McAfee.com, F-Secure.com, and LastPass.com.
  •  Change your password on the affected sites immediately, and again after they are patched (fixed). Do not reuse any of your old passwords on sites that have been fixed, and do not use your new passwords on sites that have not been fixed yet.
  •  Consider getting a password management tool to help you keep track of your passwords.
  •  Keep a close eye on your credit card, PayPal, and bank accounts, and report unusual or fraudulent activity to those organizations immediately.


I hope this helps you understand a little better what is going on with Heartbleed and what you can do to protect yourself.
