What is Heartbleed?
Heartbleed is the name given to a security bug which affects a widely used piece of software called OpenSSL. Using SSL (Secure Sockets Layer), websites can provide encrypted information to visitors, so the data transferred (including usernames, passwords, and session cookies) cannot be seen by others while it goes from your computer to the website.
Heartbleed exploits a built-in feature of OpenSSL called “heartbeat”. When your computer accesses a website, the website will respond back to let your computer know that it is active and listening for your requests; this is the heartbeat. This call and response is done by exchanging data – normally when your computer makes a request, the heartbeat will only send back the amount of data your computer sent. However, this is not the case for servers affected by the bug. A hacker is able to make a request to the server for data from the server’s memory up to 65 kilobytes.
The data that can be obtained by this request may contain data left behind from other parts of OpenSSL. As this data is just a raw memory dump, what’s stored in that extra memory space is completely random. As more computers access the server, the memory at the top is recycled. This means that previous requests may still reside in the memory block the hacker requests back from the server.
Should I be worried?
At the time that the bug was initially discovered, about 17% of the internet’s services were thought to be affected. Thankfully, as the OpenSSL software is Open Source, this bug was very quickly patched and all major service providers (Google, Amazon, etc.) as well as online banks and building societies have now updated their SSL certificates and OpenSSL library, so you should have nothing to worry about.
Big Wave Media’s clients and services are not affected by this bug.
All client websites and web services were (and are) unaffected by the Heartbleed bug. Clients do not need to take any action.
In general it is advisable to change any passwords for third party services though, particularly any confirmed as initially vulnerable (such as Google and Yahoo).
It is a good habit to change your passwords regularly. When doing so, follow these good security practices:
- Don’t use the same password across multiple services
- Select passwords with 10 or more characters
- Use at least upper and lower case letters, in addition to numbers.