ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Heartbleed Bug Leaves Internet Users Open To Being Hacked

Updated on November 22, 2014

What is OpenSSL?

OpenSSL is the most common web encryption program on the internet that users only recognize by seeing HTTPS or a padlock in their top left corner of their screen, telling them that the website is secure. Rarely do they know it by its OpenSSL name.

Privacy notices spell it out, but you - the average user - have no idea how it functions and many don't even take the time to read those privacy notices or Terms of Service.

Check screenshots below to test the sites you use most often.

Tumblr's warning to users

Tumblr's notification to users
Tumblr's notification to users | Source

It is a big deal, no matter if you hear differently!

On Monday, April 8, 2014, trillions of passwords, credit card numbers and other personal information became attractive to hackers when Google's security team learned a bug named HEARTBLEED could access the web encrypted program known as OpenSSL.

It doesn't mean that hackers did access it. What it means is that there is no way to know if they did.

This bug reads the web encrypted program OpenSSL which many websites use to store your private information, passwords, file storage websites, bank and credit cards, as well as your private online conversations - anything this is encrypted with the padlock or HTTPS in top left of your screen.

The HEARTBLEED bug is a flaw affecting 66% of websites on the internet who use OpenSSL web encryption programs to protect the privacy of its users.

The HEARTBLEED bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

This compromises the secret keys that are used to identify the service providers and to encrypt the traffic, users names and their passwords as well as their private content.

The HEARTBLEED bug is an eavesdropper which allows hackers to steal directly from the servers as well as the users so they can go on to impersonate or even steal the identity of each user.

There are always going to be bugs in software and software libraries and there are always going to be patches or new versions introduced. You see this every day when you are upgrading a program or new version of a game, for example.

But the HEARTBLEED bug is rather unique because this bug exposes a large number of private keys to anyone on the internet who is monitoring a site. When you consider the long range exposure (now over two years!), how easy it is to access and attack while leaving no trace behind, this bug should be taken very seriously!

Although a patch has been offered to websites and servers to address their vulnerability, the level of importance this has received has not made them act quickly.

This is partly because the level of the breach was not given a high priority.

Researchers hesitated to call it a virus or even malware. They are calling it a bug at this point because it is a nuisance program that steals information, but does not do any residual damage to your computer as would a virus or malware.

In other words, it does not leave behind adware or malware, so the level of importance assigned to it is low.

Make no mistake about it -- this IS a very big deal.

It is a major breakdown in internet security and the trust level on any site using any type of WoT (Web of Trust) program even if they don't use this version of OpenSSL.

Once any security program or website server has been breached, it reflects on all security programs, because you can't change the public's perception of how secure they feel about their online information.

Anything that attacks or accesses our private information - or information we deem to be private - is a big deal to us, even if the powers that be don't think so.

See screenshots below with link to test your favorite sites to see if they applied the patch (fix). If their grade is not A or higher, I wouldn't change the passwords just yet.

HEARTBLEED bug Update 4/16/2014

This is a great graphic giving lots of detail of affected vs non-affected sites.
This is a great graphic giving lots of detail of affected vs non-affected sites. | Source

Hubpages.com

Last pass for hubpages at 3PM EST on 4/10/2014
Last pass for hubpages at 3PM EST on 4/10/2014

Update: 4/10/2014 - 6pm Est

Matthew Meyer suggested this link to check Hubpages for site health with HEARTBLEED

It gets an all clear!

http://filippo.io/Heartbleed/

Test your secure websites and see how secure they are with this tool

Use this link to see if your domain, website, server is affected. After the first screen, wait 30 seconds, it will give you a second screen with a grade and key exchange. If it says "confusing" just hold on for 30 seconds because the screen is still working and it will give you the second screen. If the results on the first screen give a grade less than A, it is not the final answer because it is a working screen - a screen that gives you a bit of information before it goes on to give you more information on subsequent screens - so hang on for 30 seconds.

Hubpages.com came up "confusing" and while I was entering it in heartbleed.com to see what that site offered, when I came back to Qualys SSL screen, it had given hubpages.com an all clear. heartbleed.com is faster but doesn't give the detailed information that this site does.

So that is what I have to suggest between Qualys SSL screen and heartbleed.com screens.

Keep it bookmarked and go back often to check by entering the URL.

This is a free online service that analyzes any SSL web server on the internet, not just OpenSSL.

If you can't click it, here it is for you to copy and paste it into your browser.

https://www.ssllabs.com/ssltest/index.html

SEE SCREENSHOTS

Screenshots of SSL Server Test (I tested Pinterest, Facebook, Yahoo)

This is the blank form you see on landing page.
This is the blank form you see on landing page. | Source
These are the results I got when I entered yahoo.com - A grade - just good, not perfect
These are the results I got when I entered yahoo.com - A grade - just good, not perfect
These are the results I got when I entered facebook.com. A minus grade - almost perfect
These are the results I got when I entered facebook.com. A minus grade - almost perfect
These are the results I got when I entered pinterest.com.  B grade - needs more work to be trustworthy.  Possibly still in process of applying the fix. Check back in a few hours.
These are the results I got when I entered pinterest.com. B grade - needs more work to be trustworthy. Possibly still in process of applying the fix. Check back in a few hours.

LastPass Instructions

LastPass is another site to use. The screenshot below is only to show you what the landing page looks like. Do not try to enter information on the screenshot.

Click the link under the screen shot or copy and paste this link into your browser.

https://lastpass.com/heartbleed/

Do not click anything else on the site when you get there. It has a download to install a checker on your computer. It also has a Premium set of services that you have to pay for. Just use the Site checker.

You don't need it. Using the free section of their website is good enough!

Use The Last Pass Checker (just check, don't download anything!)

Enter the URL in the box, click SEE IF THIS SITE IS VULNERABLE, and it will give you last update time. DO NOT CLICK ANYTHING ELSE. The site has a checker they charge for you to DOWNLOAD for monitoring. Just use the free part.
Enter the URL in the box, click SEE IF THIS SITE IS VULNERABLE, and it will give you last update time. DO NOT CLICK ANYTHING ELSE. The site has a checker they charge for you to DOWNLOAD for monitoring. Just use the free part. | Source

Notifying the public

Today is Thursday, April 10, 2014 and we are still talking about more than half the affected sites who have not hurried to install the fix.

The damage caused by the HEARTBLEED bug is unknown at this point. The irony is this encryption program has been in use for over two years on millions of websites to safeguard private information, the security hole has been there that long, but the bug has just been discovered on Monday, April 8, 2014.

It is possible that the vulnerability has not yet been detected by hackers, because there have been no reports of a hack or major breach reported by credit card companies or bank, but that doesn't mean there might not be one in the offing.

Any website or server who encrypts data would do well to err on the side of caution and install the patch to heal the vulnerability. (Hint to any web administrator reading this!)

Now that the word is out that the bug has been discovered, it won't be long before hackers practice their trade to see if they can be successful in cracking the bug and/or the patch fixes to send in a virus to attack the bug.

One never knows the repercussions of alerting the public to incidents like HEARTBLEED bug, when it could leave the door open for hackers to take advantage of the same public service announcement and try their hand at making a bad situation even worse by actually doing the dirty deed of stealing the information, thus bringing about the worse fears when the bug was announced in the first place.

If it was a possibility of stealing information on Monday, by now hackers have found a way to make it a reality.

The privacy notices on websites will now have to be revamped and retooled to assure users that their information is safe. It is times like these that we have to wonder.

All you know is that they are assuring you that your safety is their highest priority and that your information is safe with them.

Trust me, it is never going to be 100% safe.

Even with the padlock closed and HTTPS showing on the browser, the HEARTBLEED bug makes it possible for hackers and snoopers to still decipher the encrypted information without the website owners even knowing they were there, if they stole anything or if they are just monitoring the site, using a keystroke logger or employing any number of other ways to snag and store the information on each website.

This is a very slick bug because it is a one way street. The bug can see in, but we can't see the bug or what it is doing until after the fact.

The HEARTBLEED bug leaves no traces of anything abnormal happening to the logs on websites or servers.

It is so very important for each website to install the patch so they are not vulnerable and so they can assure their users that they have their best interests at heart in protecting their private information by upgrading and installing patches, fixes, or install new software to replace questionable software.

This is a good opportunity for affected sites to upgrade security strength of the secret keys they use to safeguard information.

This is a dedicated site where you can read more about AND test your site for safey The HEARTBLEED bug.

How do I know if the HEARTBLEED bug got my information?

If you do any business online, use any website that stores your information, your passwords, your email address, your location and security questions, you are affected! You need to monitor your credit cards and banks for unusual activity.

AFTER all the websites apply the patch to fix their vulnerability, that is when you should change your passwords on each account.

Doing so before then is a waste of time. It will also mean you are giving the bug all your new passwords that you think will safeguard you for the interim until the fix is done. But then you'll just have to do it over again afterward so you have fresh new passwords.

Why is HEARTBLEED not considered a big deal?

To reiterate, The HEARTBLEED bug a bug that breaks down the security of the web encryption program OpenSSL which protects your private information, passwords, email, instant message, bank and credit card information - any information you believe is safeguarded on a site that uses HTTPS (padlock) and promises to store your information.

It is a big deal because if someone steals your personal information, the repercussions can be long reaching into the future, doing irreparable harm to your credit, credit rating, your ability to navigate in this world with your identity which can possibly belong to someone else when they hacked your private information.

Wondering when you should act?

There is no need to wonder.

As soon as you see by the Qualys SSL test (link above) or you get a notice that the websites on the list put in the patch, then it is time to change your passwords on every account you have. Until the patch is in, the website is still not secured.

It is a waste of time to change your passwords now because you will only have to do it again once the website is secure again.

You can also check by clicking this link to monitor CNET's website for updates.

A site to watch for updates

This list is live and going to be constantly updated as sites pass their Qualys SSL Server Test and patch their vulnerable spots. CNET, a major player in determining safe downloads and a dedicated site for up to date news, will maintain the list.

Check in every few hours if any of the sites on the list are your normal hangouts and you will see if their site has done their due diligence to address this awful bug. In the far right column you will see the confirmation from the site and their recommendation.

This is an awful bug, so please keep the site bookmarked, or come back to this hub and it will be updated as CNET is updated.

So if I just wait for sites to fix it, I'm safe, right?

It depends on the website and the website administrators to put the patch in place. Even though the fixed version of OpenSSL is available, they are not ordered or compelled to install the fix.

For example, Yahoo has over 800 million users around the world, but they also control some of the most popular services on the internet that users depend on every day. While they have fixed the top high traffic sites, they still have a long way to go to address all their other website properties, products and services.

See above screenshots for Qualys SSL labs checkup screen.

What you can do to protect yourself, and when to do it

The only way to protect yourself is to change your passwords AFTER the sites apply the patch and to STOP saving your information to servers who promise to safeguard your information.

No matter how easy it is for you to click "REMEMBER ME" or "REMEMBER MY INFORMATION" you do not know who has access to that knowledge - either now or when a breach occurs.

The best thing you can do is what I have been advocating in all the hubs I have written so far about computer technology and that is:

Invest in a little dollar store copybook/notebook and use one page per website to write down your password, your security questions and your sign on information. Put it in a safe place and do not share it with anyone except your immediate survivors so they will be able to access your bank and important information if you should die.

Your Opinion Counts

Was any of this information helpful to you?

See results

Don't Copy, Just Spread The Word By Linking. TYVM

© Rachael O'Halloran. April 10, 2014.

No part of this article may be reproduced without prior permission from the author. Use the following link to refer to this article. Do Not Copy. TYVM

http://rachaelohalloran.hubpages.com/hub/Heartbleed-Bug-Leaves-Internet-Users-Open-To-Being-Hacked

© 2014 Rachael O'Halloran

Comments

Submit a Comment

  • billybuc profile image

    Bill Holland 3 years ago from Olympia, WA

    Great information, Rachael. Nice research done here.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #billybuc, Thank you

  • Jodah profile image

    John Hansen 3 years ago from Queensland Australia

    Very useful hub Rachael. This is a worry. They keep coming up with new ways to steal our information. Voted up.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #Jodah, Thank you

  • TDowling profile image

    Thomas Dowling 3 years ago from Florida

    Thanks Rachael for all the time and effort you put into this Hub. Rated up and interesting. -TD

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #TDowling - Thank you for reading

  • DDE profile image

    Devika Primić 3 years ago from Dubrovnik, Croatia

    A very useful hub on such important information and you mentioned in detail. Voted up!

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #DDE - Thank you for reading :)

  • Thelma Alberts profile image

    Thelma Alberts 3 years ago from Germany

    Thank you for sharing these informations.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #Thelma Alberts - Thank you for reading :)

  • bravewarrior profile image

    Shauna L Bowling 3 years ago from Central Florida

    Thank goodness for your diligence in keeping up with the threats on the Internet. Thank you for this information. Without this hub, I would not have known about the Heartbleed bug.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #bravewarrior - WOW, Thank you very much.

    I noticed this latest threat is not getting much attention on national and/or cable outlet TV (News and Technology segments) and it really should. Probably because it is not a virus or malware and probably because it went unnoticed for 2 years. That's not something to be proud of when reporting about it. lol

    On Hubpages, a couple of forums have been talking about it since mid day on Monday but not overly much, so I can see why you might have missed hearing about this bug.

    Thank you for reading and for your comment

  • CraftytotheCore profile image

    CraftytotheCore 3 years ago

    Wow. I had no idea what this was. Thank you for informing us with your well-researched information.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #CraftytotheCore - Thanks for reading. Check out some of the forums for more recent info.

  • vkwok profile image

    Victor W. Kwok 3 years ago from Hawaii

    Thanks for the info, Rachael. This will be especially useful considering what's been happening recently with social media sites!

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #vkwok - Thanks for reading and commenting. So far I haven't seen any official "all clear" statements to follow up on the original news story.

  • Vellur profile image

    Nithya Venkat 3 years ago from Dubai

    Thank you for the valuable information, voted up and shared.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #Vellur - Thank you for reading and for sharing.

  • brakel2 profile image

    Audrey Selig 3 years ago from Oklahoma City, Oklahoma

    Hi Rachael. This is a great hub and full of good information. I just got my computer back from tuneup,and soon got a really bad virus. I can't get to internet. I will try all your suggestions and hope for success. You did great research and got the scoop. Keep on working on these great hubs. Blessings. Audrey

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #brakel2

    I'm so sorry you got another virus so quickly after getting your computer back. Wow! I am assuming you have a good virus protector, but if you still have the virus, this program (free) will erase it.

    The link I'm giving you is a Norton product and you don't need to already have a Norton product as your virus protection. This is a stand alone (independent) tool to use when whatever any virus product you have misses the virus.

    http://us.norton.com/support/DIY/

    The only hitch with using it is that it may wipe out a legitimate program (a game or such) in which case you'll have to reinstall the program after this one scrubs out the virus.

    The HEARTBLEED bug I wrote about isn't a virus and doesn't damage computers, it just steals your info. lol I don't know which is worse!

    So the update I wrote 4/16/2014 shows the sites that are mostly impacted by the bug and if you have accounts on any of them, then check to see if they have applied the remedy with this link or any of the ones offered in the hub.

    https://www.ssllabs.com/ssltest/index.html

    If they have applied the fix, then change your passwords for those accounts. If they don't have an A, Aplus or a B --or if the message says they are still vulnerable -- don't bother changing your password yet. Wait until they fix the site, or shut down your account so your info is still not on their server. It's been a while, most should be fixed by now.

    Some users feel better changing their password now - knowing the site hasn't applied the fix -and they'll just go change it again after the fix is in.

    Whatever floats your boat, it is just wasted time to do it twice.

    But I have to tell you, I did do it twice because I felt better about doing something, than to sit and do nothing waiting for the sites to apply the patch. It has been a couple of weeks and there are still some who haven't done it, and it is annoying at best. It makes me feel better knowing I have some control by changing my password to safeguard my information, than to have no control and twiddle my thumbs waiting for them to get their act together. I have closed two accounts because the sites are not compliant. If they don't care about the safety of their users' info, then I don't care to be a member of their site. lol

    I hope you can remove the virus with the erase tool I gave you above. Either way, you'll need to get a better virus protector than the one you have, since you got one so quickly. The internet is not a safe place on the best of days and without adequate virus protection, it is not safe at all. lol

    Thank you for your comment and kind words, and good luck with your computer.

    Rachael

  • brakel2 profile image

    Audrey Selig 3 years ago from Oklahoma City, Oklahoma

    Thank you Rachael. What happened was I let Microsoft open cascade style sheets when I was uploading photo. Then a message came on "CSS open ssl" so I went back and said no, but it was too late. Then I started having problems. I am using my husbands computer now. I have a firewall and good antivirus, but wish it was better. If I can get to Internet on mine, I will use your suggestions. You are such a helpful person, and I appreciate all you do. Blessings. Audrey. Once again, great article

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #brakel2

    Thank you and good luck to you.

  • ologsinquito profile image

    ologsinquito 3 years ago from USA

    If only these hackers could use their intelligence for good, instead of evil. Thanks for including the link to check if any site is vulnerable to this bug.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #ologsinquito

    That would seriously cut into their fun factor. lol

    Thanks for visiting and leaving a comment :)

  • brakel2 profile image

    Audrey Selig 2 years ago from Oklahoma City, Oklahoma

    Hi Rachael. I have read your article several times and must congratulate you on how thoroughly you covered the subject in a brief time after the discovery. You have done screen shots and helped this community to understand and take action. Thanks for accomplishing this task Blessings. Audrey and sharing this hub.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 2 years ago from United States

    #brakel2

    Thank you Audrey, what a very nice thing to say! I'm glad to have been of help and I'm very glad this wasn't the bad boy it could have been.

    Thanks for sharing my hub and for your kind words,

    Rachael

Click to Rate This Article