Dwight Watt - Newspaper Article #248 4/23/2014

Question: What is the Heartbleed bug?


Last week Google and one other security firm announced they had found a major security bug on the Internet, which they called the Heartbleed bug. It is not known how much information has been stolen using the bug.

The Heartbleed bug is a bug and not malware. It is not something that spreads like a virus. It is a mistake that was made in the OpenSSL program protocol several years ago and was only just discovered. Errors in computer programs are called bugs.

OpenSSL is used by web servers that run Apache and by other open source web servers. Open source programs are programs whose source code (what the program is originally written in) is available to everyone (not just the compiled code) and which are usually updated by lots of volunteers. Linux/UNIX servers use Apache as their web server. Android is basically a derivative of UNIX/Linux, so it uses the same protocols. A protocol is a set of rules used to communicate.

This means that Windows web servers and Apple web servers are not affected. This is significant in that up to now Linux users have kept saying their machines are safe from most past malware, but possibly the biggest bug turns up on their machines. It does mean you could have had information stolen from a server you were connected to while using Windows; the problem is just not on the Windows end.

The bug comes from a simple feature that has a good purpose but released too much information. Basically, when you connect to a secure web server (the padlock appears in your browser or the address uses the https protocol), the link between the server and you is encrypted using SSL. Open source servers that use Apache are using OpenSSL. This is estimated to be 60% of the web servers. The encrypted conversation is established and information is sent back and forth. However, if nothing is sent for a period, one end will send a heartbeat message to the other end, basically asking "are you still there?" The server responds. Unfortunately, this version of OpenSSL does not send back just the answer but also sends whatever is in memory at that point. So if a different machine sends a heartbeat to the server, the server also sends part of its memory back to that machine (the bleed part of the name). It is sort of like being on the phone with someone when there is silence, and you ask "are you still there?", and instead of just answering yes they tell you their SSN, the password to their bank, etc.
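For readers who program, here is a small simulation added as an illustration; it is not part of the original column and is not OpenSSL's actual code. A heartbeat request carries a few bytes of data plus a number saying how long that data is, and the flawed reply trusted the number instead of checking it. The function names, the memory layout and the sample data are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: the heartbeat payload is stored
   first, and unrelated data happens to sit right after it. */
#define MEM_SIZE 64
static uint8_t server_mem[MEM_SIZE];
static const char other_data[] = "user=alice;pw=EXAMPLE-ONLY"; /* constructed */

/* Place the received payload in simulated memory; returns 0 if it cannot fit. */
static int store_request(const uint8_t *payload, size_t actual_len) {
    size_t other_len = sizeof other_data - 1;
    if (actual_len > MEM_SIZE - other_len) return 0;
    memset(server_mem, 0, MEM_SIZE);
    memcpy(server_mem, payload, actual_len);
    memcpy(server_mem + actual_len, other_data, other_len);
    return 1;
}

/* Flawed reply: echoes as many bytes as the request CLAIMS to contain. */
size_t heartbeat_flawed(const uint8_t *payload, size_t actual_len,
                        size_t claimed_len, uint8_t *out, size_t out_cap) {
    if (!store_request(payload, actual_len)) return 0;
    /* These bounds only keep the simulation inside its own array. */
    if (claimed_len > MEM_SIZE || claimed_len > out_cap) return 0;
    memcpy(out, server_mem, claimed_len); /* never compared with actual_len */
    return claimed_len;
}

/* Corrected reply: a request claiming more than it sent is dropped. */
size_t heartbeat_checked(const uint8_t *payload, size_t actual_len,
                         size_t claimed_len, uint8_t *out, size_t out_cap) {
    if (!store_request(payload, actual_len)) return 0;
    if (claimed_len > actual_len || claimed_len > out_cap) return 0;
    memcpy(out, server_mem, claimed_len);
    return claimed_len;
}

int main(void) {
    uint8_t out[MEM_SIZE];
    const uint8_t ping[] = "PING"; /* 4 real payload bytes */
    size_t n = heartbeat_flawed(ping, 4, 30, out, sizeof out);
    printf("flawed reply (%zu bytes): %.*s\n", n, (int)n, (const char *)out);
    n = heartbeat_checked(ping, 4, 30, out, sizeof out);
    printf("checked reply to same request: %zu bytes\n", n);
    return 0;
}
```

The flawed function answers a 4-byte message with 30 bytes, the last 26 of which are the neighboring data; the checked function ignores the same request.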

This means that someone may have gotten your passwords associated with accounts.  The bug leaves no trail so there is no way to see what it gave out. 

The secure web sites you deal with should be notifying you whether they were affected and, if they were, whether they have put in updates that fix the bug. Until the fixes are in place you don't want to change passwords, as they could still be stolen.

It is not a bug that will be on your personal machine unless you are using one specific version of Android; otherwise it is just on servers, and your PCs, tablets and phones are clients. Android 4.1.1 (also called Jelly Bean) has the bug, and you need to update to Android 4.1.2 if you are using 4.1.1. This version is affected because you can establish a secure connection using your Android phone.

Even if the bank or other secure site you use says they were not affected, you should still consider changing passwords, as you may have used that account at another site to get something and used the password somewhere else as well. There appears to be a large impact on gaming, as people use credit cards extensively there and most of those servers are Linux/Apache based.

No one really knows the impact of this bug, but the potential is very large.

This is based on my research of the Heartbleed bug and my knowledge of computer security. I am certified in MTA security and taught basic computer security for several years and recently took a cybercrime MOOC course through Excelsior College and am currently taking a computer security course online with Cisco.