Why Heartbleed, the Latest Cybersecurity Scare, Matters


Another day, another terrifying computer security vulnerability. A hole in a widely used encryption technology has given hackers a way to infiltrate many of the world’s largest websites and download sensitive information from servers without leaving a trace. The problem, dubbed Heartbleed, has existed for two years but was recently discovered by researchers at Google, setting off a scramble to fix it. Trying to track new security vulnerabilities can be dizzying, but here’s why this one is worth paying attention to:

It affects services you use. The problem is a shortcoming of OpenSSL, which is supposed to protect, by some estimates, more than 90 percent of online communications. Because so many places might be vulnerable, it will be difficult to find everything that needs fixing, says Vincent Berk, chief executive of security firm FlowTraq. “We’re not just talking about Web servers here,” he wrote in an e-mail. “There are other Web-enabled applications and services not typically accessed in a Web browser that use OpenSSL, like Web-based accounting services, databases or other internal systems. Businesses may not have updated all of their servers and services—they may have missed patches or forgotten to update internal services, which will put them at risk.”

It became public while it was still a problem. Fixing Heartbleed isn’t a matter of flipping a switch. Companies have to patch their systems, then regenerate cryptographic keys, and they have to do it in multiple places. “The whole thing can get very tricky,” according to Timo Hirvonen, a researcher at F-Secure. “For some services, it might take a long time to apply a patch, some systems might never get patched, and some may patch without clearly informing users.” You can check to see what’s still vulnerable here.

Hackers are also looking to exploit the holes that remain open. Jaime Blasco, director of AlienVault Labs, says his firm began tracing the vulnerability after it became public and saw significant numbers of attacks using Heartbleed.

We’ll never know how it was used. While researchers have been tracking movement in recent days, there’s no way to know what happened in the two years before Heartbleed was discovered. Someone with access to the exploit could have repeatedly siphoned information from many places for a long time. There doesn’t seem to be a way for websites to go back and see whether they were affected. While it’s possible that no one ever checked the lock on this particular door, OpenSSL has been an attractive target for hackers because of its widespread use, and people have been poking at it for years, says Blasco.

It has a great name. Heartbleed just sounds scary! The name refers to the part of OpenSSL that is vulnerable—the heartbeat, a keep-alive exchange in which a device sends a small message to a website and the website echoes it back. Matthew Green, a cryptographer at Johns Hopkins University, has posted a full technical description of the problem on his blog. “It’s the result of a relatively mundane coding error,” he writes. “And predictably, this makes it more devastating than all of those fancy attacks put together.”
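To make the “mundane coding error” concrete, here is an added example (not OpenSSL’s code, and not from the article) that models the heartbeat record the exchange above is built from and performs the one length check whose absence was the bug. The record layout follows the TLS heartbeat extension (RFC 6520): a one-byte type, a two-byte payload length, the payload itself, and at least 16 bytes of padding. A receiver that trusts the claimed payload length without comparing it to the number of bytes it actually received will build its reply from whatever memory follows the short record; the check below rejects such a record instead. The constant names, status codes and the record-building helper are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's own code. Models a TLS heartbeat record
 * (RFC 6520): 1 byte type, 2 bytes payload_length, payload, >= 16 bytes of
 * padding. Names, sizes and status codes are assumptions for this example. */

#define HB_REQUEST      1
#define HB_PADDING      16
#define HB_MAX_RECORD   (1 + 2 + 16384 + HB_PADDING)

enum hb_status { HB_BAD_LENGTH = -1, HB_TOO_SHORT = -2, HB_NO_ROOM = -3 };

/* Validate a received heartbeat record and, if it is well formed, copy its
 * payload into `out`. Returns the number of payload bytes copied, or a
 * negative hb_status; a rejected record is dropped rather than answered. */
int heartbeat_check(const uint8_t *record, size_t record_len,
                    uint8_t *out, size_t out_cap)
{
    /* The header and minimum padding must be present before anything is read. */
    if (record_len < 1 + 2 + HB_PADDING)
        return HB_TOO_SHORT;

    uint16_t payload_len = (uint16_t)((record[1] << 8) | record[2]);

    /* The check the vulnerable code lacked: the length the sender claims must
     * fit inside the bytes actually received, with room left for padding. */
    if ((size_t)1 + 2 + payload_len + HB_PADDING > record_len)
        return HB_BAD_LENGTH;

    if (payload_len > out_cap)
        return HB_NO_ROOM;

    memcpy(out, record + 3, payload_len);
    return (int)payload_len;
}

/* Build a heartbeat record whose header claims `claimed_len` bytes while
 * actually carrying `actual_len` bytes, so that both honest and malformed
 * records can be constructed for the demonstrations below. Returns the
 * total record length, or 0 if the buffer is too small. */
size_t build_heartbeat(uint8_t *buf, size_t cap, uint16_t claimed_len,
                       const uint8_t *payload, size_t actual_len)
{
    size_t total = 1 + 2 + actual_len + HB_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return total;
}

/* Constructed honest record: the header says 4 bytes and 4 bytes follow. */
int demo_honest(void)
{
    uint8_t rec[HB_MAX_RECORD], out[64];
    size_t n = build_heartbeat(rec, sizeof rec, 4, (const uint8_t *)"ping", 4);
    return heartbeat_check(rec, n, out, sizeof out);
}

/* Constructed malformed record: the header claims 65535 bytes, 4 follow. */
int demo_malformed(void)
{
    uint8_t rec[HB_MAX_RECORD], out[64];
    size_t n = build_heartbeat(rec, sizeof rec, 0xffff, (const uint8_t *)"ping", 4);
    return heartbeat_check(rec, n, out, sizeof out);
}

int main(void)
{
    printf("honest record: %d bytes echoed\n", demo_honest());
    printf("malformed record: status %d\n", demo_malformed());
    return 0;
}
```

The honest record is accepted and its four payload bytes are copied; the malformed one is rejected with HB_BAD_LENGTH because 65535 claimed bytes plus header and padding cannot fit in the 23 bytes received. The whole difference between a safe and an unsafe receiver is that one comparison, which is why Green calls the error mundane.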

For users, the response is familiar, with one caveat. This serves as a fresh reminder that your passwords are vulnerable, that you should change them periodically, and that you shouldn’t use the same password for all your online accounts. Because you don’t know if you’ve been affected, the safe assumption is that you have been. Change your passwords. Two-step authentication, whereby you enter a password as well as a one-time code sent to you separately, can help protect you if your password has been leaked.

Rushing to fix the problem may not be the answer. If you change your password before the site you’re using has been secured, you could expose your new password. Some experts recommend that people stay off the Internet entirely for a bit. Hirvonen has another idea: “Probably the best thing you can do is to change your password twice: Change it now (protects your account if the password has already leaked), and change it again once the service has applied the patch.”
