Heartbleed web security bug: What you need to know

CBC

April 10, 2014 at 3:25 p.m.

Your passwords and financial information may have been exposed by a security bug in code used by two-thirds of "secure" websites on the internet, including the Canada Revenue Agency and Yahoo. Here's what you need to know.

Heartbleed is a security bug or programming error in popular versions of OpenSSL, software code that encrypts and protects the privacy of your password, banking information and other sensitive data you type into a "secure" website such as Canada Revenue Agency or Yahoo Mail. Such websites can be identified by the little "lock" icon on your browser.

Heartbleed is not a virus or malware, but could be exploited by malware and cybercriminals.

The vulnerability allows "anyone on the internet" to read the memory of the system protected by the bug-affected code. That way, they can get the keys needed to decode and read the data, according security researchers at the Finnish firm Codenomicon who discovered it.

The bug, named for the "heartbeat" part of the code that it affects, was independently discovered recently by Codenomicon and Google Security researcher Neel Mehta. The official name for the vulnerability is CVE-2014-0160.

The researchers have set up a website with more detailed information.

User names, passwords, instant messages, emails, business documents and business communications were all accessible during tests by the researchers.

"This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," they wrote on an website with information about the bug.

Some websites using the code are the Canada Revenue Agency site, which was partially shut down Wednesday to deal with the security hole, just weeks before the Canadian tax deadline; and Yahoo services, including email, the Flickr photo site and the Tumblr blogging site. The company said most of its services had been secured by Tuesday afternoon.

A bigger list of popular sites and whether they are affected by Heartbleed has been compiled by the technology website Mashable.

University of Michigan researchers also posted a list of the Top 1000 vulnerable domains as of April 9 at 4 p.m. ET. The only .ca domain was sunnewsnetwork.ca.

According to Codenomicon, OpenSSL is the most popular open-source code used for encryption on the internet. The versions with the bug are used by more than two-thirds of active websites on the internet, as well as email and chat servers, virtual private networks and some hardware devices such as routers.

However, many "large consumer sites" aren't affected because of their "conservative" choice of equipment and software.

"Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most," Codenomicon says.

We don't know. Tests showed that eavesdropping via the bug left no trace.

To make matters worse, the bug-affected code has been used by internet services for more than two years.

"I don't think anyone that had been using this technology is in a position to definitively say they weren't compromised," David Chartier, CEO of Codenomicon, told The Associated Press.

Security researchers detected large number of hackers scanning for the vulnerability across the internet this week.

There has even been one report of possible evidence that cybercriminals were using this back in November.

Yes, but not by you.

A fixed version of OpenSSL was released on Monday, April 7. Websites and other services can be secured by using it or by disabling the affected part of the code. Then it needs to be incorporated into their software and the fixed software needs to be installed. That isn't always easy, especially for certain kinds of devices.

Ari Takanen, chief technology officer for Codenomicon, advises you to wait for an official statement from the internet services you use (indicating that they have fixed the bug) and follow their guidelines.

Typically, that will involve things like changing your password. That is something you may have to do across many services you use.

However, steps like that are useless until the security hole has been fixed for the affected services.

"Changing before the service is patched could expose the new password," said a spokesperson for Google.

Unfortunately, many internet services have not been notifying their users directly about whether they are affected and whether they should change their password now or later.

However, recommendations about whether to change your password now for various sites have been posted by the technology website Mashable.

In the meantime, a number of sites have have been set up where you can check if the web services you're using are vulnerable,including this one by LastPass password managerand this one, set up by Italian security researcher FilippoValsorda.

You might want to stay away from sites identified as "vulnerable" for now.

However, these sites may not give an accurate result from all sites under all circumstances.

Security experts also recommend as a general rule that you use strong passwords that are different for different internet services and that you change them regularly.

As mentioned earlier, the technology website Mashable has compiled a list of popular sites, with information about whether they were affected and suggestions about whether you need to change your password.

Here's are some other services that are not on the list and how they may be affected:

Android: According to the Google blog April 9, Heartbleed only affects Android 4.1.1 and patching information for Android 4.1.1 is being distributed to Android partners.

Canadian banks: Late April 9, Canadian Bankers' Association said there is no need for online banking customers to worry about their private information being stolen.

Canada Revenue Agency: As of April 10, web services were still not available. The agency is expected to provide daily updates at 3 p.m. ET.

Devices running VPN: Devices running the following software were affected: Cisco Systems Inc's AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks.

People
“Call Her Daddy'”s Alex Cooper Models Her Wedding Night Lingerie in Instagram Reveal: See the Racy Look
Cooper wore a sexy lacy bodysuit from SKIMS' Wedding Shop collection after marrying Matt Kaplan in Mexico
18 hours ago
The Canadian Press
Harvey Weinstein’s 2020 rape conviction overturned by NY appeals court
NEW YORK (AP) — New York’s highest court on Thursday overturned Harvey Weinstein ’s 2020 rape conviction, reversing a landmark ruling of the #MeToo era in determining the trial judge improperly allowed women to testify about allegations against the ex-movie mogul that weren’t part of the case. Weinstein, 72, will remain imprisoned because he was convicted in Los Angeles in 2022 of another rape. But the New York ruling reopens a painful chapter in America’s reckoning with sexual misconduct by pow
52 minutes ago
BANG Showbiz
Megan Thee Stallion being sued for ‘forcing cameraman watch her having lesbian sex!’
In a suit being brought by her ex-cameraman, Megan Thee Stallion is being sued for allegedly creating a hostile work environment and forcing her former videographer to watch her having lesbian sex.
2 days ago
Cosmo
Sabrina Carpenter looks practically naked in completely see-through lace mini dress
Sabrina Carpenter went braless wearing the Mirror Palais Anemone Dress in butter featuring illusion tulle adorned with lace appliqués along the neckline and hem
6 hours ago
The Canadian Press
Photographer alleges he was forced to watch Megan Thee Stallion have sex and was unfairly fired
LOS ANGELES (AP) — A photographer who worked for Megan Thee Stallion said in a lawsuit filed Tuesday that he was forced to watch her have sex, was unfairly fired soon after and was abused as her employee. In the suit filed in Los Angeles Superior Court, Emilio Garcia said that after a night out in 2022 in Ibiza, Spain, he was in an SUV with the hip-hop star when she began having sex with another woman right next to him. He was unable to get out of the moving car, and would have been in the middl
2 days ago
HuffPost
Trump Lawyer Argues He Could Legally Order Assassination Of Political Rival
"I'm trying to understand what the disincentive is from turning the Oval Office into the seat of criminal activity in this country," Supreme Court Justice Ketanji Brown Jackson said.
2 hours ago
CBC
Leafs announcer slams home crowd as 'very disappointing'
Longtime Toronto Maple Leafs radio announcer Joe Bowen wasn't shy about his frustration with a listless crowd at Scotiabank Arena Wednesday night, as the team dropped game three of its first-round playoff series with the Boston Bruins.Bereft of many opportunities for his signature "Holy Mackinaw" goal call as the Leafs skaters were held to just two goals — continuing a recent trend over the last several playoff games where the team can't seem to score — Bowen teed off on the crowd for being quie
2 hours ago
HuffPost
'How Embarrassing': Trump Mocked For 'Pretending To Be President' In Strange Ceremony
The former president gave a truly bizarre "White House" gift to a visitor.
9 hours ago
BANG Showbiz
'I'm not a millionaire anymore': Charlotte Church's fortune has gone
She was worth £25 million by the time she was 11 years old but Charlotte Church has revealed her fortune has gone.
a day ago
InStyle
Prince Edward and Duchess Sophie Feel Disappointed by King Charles Royal Title "Snub"
The "chosen ones" are reportedly sad they didn't get new roles after Prince William and Kate Middleton's latest appointments.
4 hours ago
Hello!
Princess Charlotte's secret hidden talent revealed by mum Princess Kate
Princess Charlotte will be celebrating her 9th birthday next week, and she has a cool hidden talent! Her mum Kate Middleton recently opened up about her hobby...
7 hours ago
People
Joan Collins, 90, Wears Sheer, Embellished Top and Oversize Bow for London Date Night with Her Husband Percy Gibson
The couple, who wed in 2002, supported their friend Gabriela Peacock’s book launch at the Broadwick Soho
22 hours ago
Yahoo Canada Style
Montréal Canadiens captain Nick Suzuki announces engagement to Caitlin Fitzgerald in heartwarming Instagram post
The 24-year-old London, Ont. natives connected through social media in 2016.
2 hours ago
People
Kourtney Kardashian's Sexy Bikini Photo from Her 45th Birthday Leaves Husband Travis Barker Melting
Kardashian enjoyed a vacation in paradise with her husband and four kids in honor of "45 trips around the sun"
2 days ago
HuffPost
Donald Trump Will Hate What Mitt Romney Just Said About The Hush Money Trial
"So far as I know, you don't pay someone $130,000 not to have sex with you," the Utah senator remarked about the ex-president's payments to Stormy Daniels.
2 days ago
People
'My Drink Tasted Funny': Pregnant Woman's Last Words Revealed After Alleged Fatal Poisoning by Boyfriend
Jade Benning died on her 25th birthday on March 6 after she was rushed to the hospital the week before
2 days ago
Yahoo Canada Style
'Victoria Beckham, I am so mad at you': Canadian influencer calls out former Spice Girl's new Mango collection over lack of sizes
Toronto-based influencer Roxy Earle says she was excited about the new line at Mango, but was quickly disappointed.
3 hours ago
People
Florida Man Runs Over 11-Foot Alligator with Truck to Save Neighbor from Attack
"We pulled over and I got out of the car and saw that an alligator had him by the leg," Walter Rudder recalled to a local news outlet about the scary incident
2 days ago
People
Billie Eilish on Coming to Terms with Her Sexuality Last Year — and Why She Never Planned to Talk About It
"I've been in love with girls for my whole life, but I just didn’t understand — until, last year, I realized I wanted my face in a vagina," she said
15 hours ago
HuffPost
Ex-Trump Aide Offers Macabre Characterization Of What Happens To All His Loyal Aides
Cassidy Hutchinson also addressed the new indictment of her onetime boss, former Trump White House chief of staff Mark Meadows.
6 hours ago

Latest Stories