The International Telecommunication Union estimates that over 7 billion people around the world (and 83% of Canadians) use the Internet at least once a year. With so many individuals online, personal security and safety seem to be an important matter. Yet many people trust the websites they visit and do not think twice about reusing passwords. For example, how many people would think their email provider, such as Yahoo or Hotmail, would be “hackable”? These services are owned by multimillion-dollar corporations that we expect to catch any issues before they happen. Unfortunately, the Internet is not always safe: a new exploit that went unnoticed for over 2 years is now bringing some shocking revelations to Canadians. In this article we will look at the Heartbleed exploit.
What is Heartbleed?
The biggest question many non-tech-savvy individuals are asking is: what is Heartbleed? To answer this we need to look at the technology behind password and encryption protection. Many sites rely on OpenSSL, which is a padlock of sorts. Websites usually keep passwords, credit card information and anything else valuable to a user behind such locks. With Heartbleed these locks are tricked into thinking that the person trying to access the information is doing so through a secure and proper method (imagine a key going into a lock to open it). Just as when someone enters your home with a key rather than by breaking a window or door, it is hard to track who has come and gone. This leaves many big companies wondering whether they have been hit, and leaves users worried about using sites that store or ask for sensitive information.
The Good News about Heartbleed
The saving grace of the Heartbleed exploit is that it is not necessarily a fatal blow to website administrators who store sensitive information. The exploit has been found to be patchable. Big companies and sites holding large amounts of information, like the Canada Revenue Agency (see link below), are now investing the time to fix the flaw. With so many administrators affected, however, users are left wondering whether everyone, including the small businesses that run their own sites or hold smaller quantities of private information, will be able to patch this exploit.
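What the flaw and its patch look like in code, as an added example (a simplified model written to accompany this article, not OpenSSL's source): the unpatched server echoes back as many bytes as a request claims to contain rather than as many as actually arrived, so it hands over whatever sits next to the request in memory, and the patch is a single length check. The names `arena`, `echo_unpatched` and `echo_patched` and the sample data are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64

/* Constructed model of server memory: the request payload shares a
 * buffer with unrelated sensitive data. All names are hypothetical. */
struct arena {
    unsigned char bytes[ARENA_SIZE];
    size_t received_len; /* payload bytes the peer actually sent */
};

/* Put the payload at offset 0 and a secret directly after it.
 * Returns 0 on success, -1 if the two do not fit in the arena. */
int arena_load(struct arena *a, const char *payload, const char *secret) {
    size_t p = strlen(payload), s = strlen(secret);
    if (p + s > ARENA_SIZE) return -1;
    memset(a->bytes, 0, ARENA_SIZE);
    memcpy(a->bytes, payload, p);
    memcpy(a->bytes + p, secret, s);
    a->received_len = p;
    return 0;
}

/* Unpatched: trusts the length the peer claims. The clamp only keeps this
 * model inside its own array; the read past the payload still happens. */
size_t echo_unpatched(const struct arena *a, size_t claimed, unsigned char *out) {
    if (claimed > ARENA_SIZE) claimed = ARENA_SIZE;
    memcpy(out, a->bytes, claimed);
    return claimed;
}

/* Patched: a request claiming more than was received is dropped. */
size_t echo_patched(const struct arena *a, size_t claimed, unsigned char *out) {
    if (claimed > a->received_len) return 0;
    memcpy(out, a->bytes, claimed);
    return claimed;
}

int main(void) {
    struct arena a;
    unsigned char out[ARENA_SIZE];
    const char *secret = "password=hunter2"; /* constructed sample data */
    arena_load(&a, "bird", secret);
    size_t n = echo_unpatched(&a, 40, out);  /* 4 bytes sent, 40 claimed */
    printf("unpatched: %zu bytes echoed, secret leaked: %d\n", n,
           memcmp(out + a.received_len, secret, strlen(secret)) == 0);
    printf("patched:   %zu bytes echoed\n", echo_patched(&a, 40, out));
    return 0;
}
```

Both handlers answer an honest request identically, which is why the unpatched behaviour leaves nothing unusual for the site to notice afterwards.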
Change Your Passwords, Check Websites You Entrust with Your Information
As for Internet users, there is not much individuals can do. The main advice at this time is to change all passwords and to use a different password for each site. If this is done, one compromised site cannot give hackers the ability to get all of your passwords. Another thing to watch for is unusual credit card purchases, as these could be a result of hackers stealing sensitive information from an affected site. When purchasing anything on the Internet, make sure the site states that it has been patched against the exploit; sites that have not been patched should be avoided. If you want to check sites that are entrusted with your information, you can use the LastPass Heartbleed Checker here: https://lastpass.com/heartbleed/ (note that it only works on sites that use the https:// protocol).
For example, I used it to check https://www.outlook.com and here is the result:
In conclusion, the Heartbleed exploit is serious in the sense that it basically lets itself into private information without leaving a trace of doing so. This leaves Internet users at a loss, as even the companies hosting and storing the private information cannot tell who was affected. The Heartbleed exploit is patchable, but in the meantime Internet users should change all passwords to something different for each site and reduce their use of credit cards online.
- Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug: http://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html
- Heartbleed web security bug: What you need to know. (CBC Canada): http://www.cbc.ca/news/technology/heartbleed-web-security-bug-what-you-need-to-know-1.2603988
- Official Heartbleed Bug Website: http://heartbleed.com/