Internet bug Heartbleed gathers private user information


If you’ve been on the internet recently (guaranteed as you are more than likely a college student reading this column), you’ve likely heard about Heartbleed. It’s scaring nearly every major site and server out there. Though an internet bug isn’t anything new, Heartbleed in particular has had every developer and coder working night shifts to avoid having their security completely compromised.

But through all the fear-mongering, which is genuine since almost two out of every three servers are vulnerable, many are still confused about what, exactly, Heartbleed is.

The simplest way to describe Heartbleed is that it’s an exploitable programming error in OpenSSL, a widely used piece of coding software. So it isn’t a “bug” in the strictest sense but rather an Achilles’ heel. The way it would work is that someone could use a virtual “handshake” with an HTTPS server using a vulnerable version of OpenSSL to access up to 64KB of private memory space. By sending a marginal amount of information to the server, an attacker would get the server to respond with 64KB from itself.

Though that’s hardly a significant amount of memory, an attacker can use it in a clever way, repeating the request so that the server keeps sending information back. Among the information that would be sent back and forth would be cookies, emails and passwords, and doing it repeatedly can leak entire encryption keys, such as private SSL keys that monitor HTTPS traffic.
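To make the "send a little, get a lot back" mechanism concrete, here is a simulation of the missing length check behind the heartbeat message that gives the bug its name. It is an added example, not code from this column or from OpenSSL. The function names, buffer sizes and the "secret" are constructed, and the message layout (1-byte type, 2-byte claimed length, payload, at least 16 bytes of padding) follows the TLS heartbeat specification, RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_PADDING = 16 };
static const char SECRET[] = "password=CONSTRUCTED-SAMPLE"; /* constructed */

/* Pre-fix logic: echoes as many bytes as the sender *claims* it sent. */
size_t hb_reply_trusting(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                      /* actual size never consulted */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* runs past the record */
    return HB_HEADER + claimed;
}

/* Fixed logic: discard the message unless the claim fits what arrived. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

/* Simulated server memory: a 21-byte request followed by unrelated private
 * data. Returns 1 if the reply to a request claiming `claimed` bytes
 * (keep it <= 125 so the demo stays inside its own buffers) contains
 * that private data. */
int reply_leaks(size_t claimed, int use_fix) {
    uint8_t mem[128] = {0}, out[128] = {0};
    size_t rec_len = HB_HEADER + 2 + HB_PADDING;       /* really sent: "hi" */
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)claimed;
    memcpy(mem + HB_HEADER, "hi", 2);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);      /* neighbouring memory */
    size_t n = use_fix ? hb_reply_checked(mem, rec_len, out)
                       : hb_reply_trusting(mem, rec_len, out);
    return n >= rec_len + sizeof SECRET &&
           memcmp(out + rec_len, SECRET, sizeof SECRET) == 0;
}

int main(void) {
    printf("honest request, old code: leak=%d\n", reply_leaks(2, 0));
    printf("lying request,  old code: leak=%d\n", reply_leaks(100, 0));
    printf("lying request,  fixed:    leak=%d\n", reply_leaks(100, 1));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length against the number of bytes that actually arrived, which is why patching the server closes the hole.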

Now here’s where it gets really scary: By having access to a website’s private SSL key, an attacker could project a fake version of the website and directly steal any information that a user could send, be it passwords, private messages or credit card numbers; pretty much anything that you would want private is susceptible. These attacks can be detected by neither users nor website owners.

Now many websites have already worked recently to patch up their websites, but the list of sites that had been affected shows how vulnerable everyone was: Facebook, Pinterest, Tumblr, Twitter, Dropbox, Google, Yahoo Mail, Etsy, GoDaddy and even entertainment sites like YouTube, Netflix and Minecraft.

To reiterate, the way Heartbleed would work is that if someone used the programming error in OpenSSL, they could put up a “false” front page of Netflix or your email host and whatever you would type would go directly to that coder. The implications are huge, since it is so easy to do. Though websites are constantly patching up their versions of OpenSSL to fix the potential exploit, there’s no way of knowing if an attack has occurred and no way to tell if it’ll happen anytime in the near future.

The frightening thing is not only that this has been a glaring error in OpenSSL for two years, but that Bloomberg recently reported that the National Security Agency had known about the Heartbleed vulnerability shortly after the affected version of OpenSSL had been released.

The NSA denied knowing about the Heartbleed vulnerability prior to April 2014 in an official statement released last Friday. But if the potential overreaching of the NSA wasn’t already unnerving, consider the fact that for two years, hackers from any organization have had the capability to create “fake” versions of websites using OpenSSL and record anything that was input into that website at the time. And that respective website, be it Gmail or your Facebook, would be none the wiser and neither would the person that was being monitored. Though one would hope that if the NSA used Heartbleed to gather intelligence, they only used it for suspicious activity, it’s doubtful they would be selective with such an effective means of tracking.

Now this might just be everyone overreacting, since we always hear about how vulnerable we would be were something like this to happen. For the most part, however, many of us still feel secure in putting our information in the hands of the internet. This is a topic for another day, but our digital profile is becoming more and more robust — and we demand having that private information accessed on our end at all times.

The best thing you can do is what you should’ve been doing in the first place: change your passwords often, research what sites are and are not vulnerable and consider, if you must, a private encrypted browser (or add-on). Be smart, be diligent and always consider that even if you don’t think you’re being watched, it’s always a possibility.

 

Robert Calcagno is a graduate student studying Animation. His column, “Tech Talk,” runs Mondays.