The Heartbleed Bug is an OpenSSL vulnerability that would allow malicious hackers to steal information from websites that would normally be protected by the SSL/TLS encryption. The open source OpenSSL cryptography library is used to implement the Internet's Transport Layer Security (TLS) protocol.
Named by the researchers who discovered the security flaw, the Heartbleed Bug theoretically lets anyone on the Internet access a secure Web server running certain versions of OpenSSL to obtain site encryption keys, user passwords and site content.
According to the official Heartbleed Bug website, OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable while OpenSSL version 1.0.1g patches the security flaw.
Heartbleed Flaw Creation and Bug Discovery
The Heartbleed bug was initially discovered by Google engineer Neel Mehta and the Finnish security firm Codenomicon. The security flaw was introduced in the open source OpenSSL encryption protocol by German software developer Robin Seggelmann. Since the flaw has become widely known, Seggelmann has said the bug was inadvertently missed by himself and another code reviewer and the bug was not inserted maliciously, despite online conspiracy theories concerning Heartbleed, such as NSA using the Heartbleed bug to spy.
The Heartbleed Bug in the News
Heartbleed Bug Rumors
RCMP asked Revenue Canada to delay news of SIN thefts
Heartbleed bug bites millions of Android phones
Heartbleed bug: What’s affected and what passwords you need to change
Tests confirm Heartbleed bug can expose server's private key
There are few documented cases of attacks exploiting the Heartbleed bug, but security experts warn that using the bug would leave no trace and all websites using the affected OpenSSL versions should be considered compromised.
While many large sites, including Google, Facebook and others were quick to note services were "safe" from Heartbleed, the public announcement on April 8, 2014 seems to have prompted attacks. The Canada Revenue Agency (CRA) shut down it public online services to patch for the flaw but before the fix was implemented the CRA said 900 social insurance numbers were stolen from CRA computers by persons exploiting the Heartbleed bug.
In another reported attack, UK-based parenting website, Mumsnet, also claims to have experienced a breach where the infiltrator claimed to have used Heartbleed to access an account. The site provided some details to its users along with instructions on how to reset site passwords.
Heartbleed: Beyond the Internet
The Heartbleed bug extends beyond the Internet. For example, mobile devices running the 4.1.1 Android operating system (released in 2012) have the Heartbleed software bug. All other versions are immune to the flaw, but this leaves millions of smartphones and tablets vulnerable. In addition, operating systems, including Debian Wheezy (stable), Ubuntu 12.04.4 LTS, CentOS 6.5, OpenBSD 5.3 and OpenSUSE 12.2 are versions that have shipped with a vulnerable OpenSSL version (see full list).
- Watch Datamation's editor James Maguire moderate roundtable discussions with tech experts from companies such as Accenture, Dell, Blue Jeans Network, Microsoft and more »
The following compilation of small business marketing tips highlights some of the expert advice published over at Small Business Computing. Read More »Taking Ownership through Digital Governance
Taking ownership of our own misjudgments or simple forgetfulness takes a healthy amount of humility and some honest self-assessment. Yet sometimes... Read More »Have We Become a World of Addicts?
It's hard to imagine our lives without smartphones. But people who suffer separation anxiety when they don't have their phones nearby may be in... Read More »
With cost and security in mind, we look at five cloud storage options that will suit the needs of most home and SMB owners. Read More »Windows 10 Tips for Desktop PC
Five basic tips to help you customize Windows 10 on your desktop PC. Read More »29 Free Android Apps for Cash-Strapped Students
From wacky alarm clocks to lecture hall tools and after class entertainment, these Android apps are a good fit for a student's life and budget. Read More »