What is Heartbleed?

In late April, students may have received an e-mail from Western Carolina University’s IT department warning of a new threat to the internet named “Heartbleed.” The warning was accompanied by a statement that passwords for numerous services offered by the school, including MyCat, Blackboard and wireless internet, would need to be changed if students wished to continue using those resources.

Heartbeat

Originally discovered in early April by Codenomicon, a Finnish cyber security company, the Heartbleed threat is the result of a bug in OpenSSL, the security standard used by a majority of websites that handle secure data. In theory, this kind of security ensures that anything sent over a secure channel, like an e-mail or instant message, is visible only to the people sending or receiving the data; anyone not intended to see it would receive an unintelligible mess.

The vulnerability known as Heartbleed is a flaw in the design and implementation of an extension to OpenSSL known as Heartbeat.

“The idea behind the Heartbeat Extension was that it would allow clients to check to see if a connection to a server was still open and if the server was still responding. It could do this by sending the server some data and the size of that data and asking the server to send that same data back,” said Hunter Parker, an employee of WCU’s IT department.

Playing off of this check-in system, the Heartbleed bug works by asking a server for more data than was actually sent, data that is already sitting in the server’s memory: “If you sent the server 1 byte of data and told the server that you sent 32 bytes, the server would return your 1 byte and then 31 more from the RAM that you didn’t send but were already there from previous operations by the server…”

While getting more data than was requested for one user doesn’t seem like much, Parker explains that the danger Heartbleed presents is actually quite large: “Now imagine that this server had also just recently accepted several users’ login credentials. The 31 other bytes that the server returned to the earlier request could contain passwords or usernames or both and more,” said Parker.
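To make the mechanism Parker describes concrete, here is a small Python model of the Heartbeat request handling, added here as an illustration (it is not OpenSSL’s code). It assumes a simplified record layout of a type byte, a two-byte payload length and the payload, with server memory modelled as one byte buffer in which the request sits next to leftover data from an earlier operation; the vulnerable handler trusts the length field, the fixed one checks it against the record that actually arrived.

```python
"""Toy model of the TLS Heartbeat handling behind Heartbleed (added
example, not OpenSSL's code). A request is type(1) | payload_length(2,
big-endian) | payload; server memory is one bytes buffer in which the
record sits next to leftover data from earlier operations."""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
HDR = struct.Struct(">BH")  # type byte + 16-bit payload length

def build_request(payload: bytes, claimed_length: int) -> bytes:
    """Encode a request; claimed_length may disagree with len(payload)."""
    return HDR.pack(HB_REQUEST, claimed_length) + payload

def handle_vulnerable(memory: bytes, offset: int) -> bytes:
    """Pre-fix behaviour: trust the length field and copy that many bytes
    starting at the payload, running past the record into adjacent memory."""
    _, claimed = HDR.unpack_from(memory, offset)
    start = offset + HDR.size
    return HDR.pack(HB_RESPONSE, claimed) + memory[start:start + claimed]

def handle_fixed(memory: bytes, offset: int, record_length: int) -> Optional[bytes]:
    """Post-fix behaviour: the echoed length must fit inside the record that
    actually arrived; otherwise the request is dropped without a response.
    (The real OpenSSL fix also accounts for the 16-byte minimum padding.)"""
    if record_length < HDR.size:
        return None
    _, claimed = HDR.unpack_from(memory, offset)
    if HDR.size + claimed > record_length:
        return None
    start = offset + HDR.size
    return HDR.pack(HB_RESPONSE, claimed) + memory[start:start + claimed]

def demo():
    """The article's scenario: 1 byte sent, 32 claimed. Returns the payload
    echoed by the vulnerable handler and the fixed handler's result."""
    # Constructed memory: the incoming record followed by leftover data from
    # an earlier request (a login form with placeholder values).
    leftover = b"user=alice&pass=PLACEHOLDER-SECRET&session=0000"
    request = build_request(b"A", claimed_length=32)
    memory = request + leftover
    echoed = handle_vulnerable(memory, 0)[HDR.size:]
    return echoed, handle_fixed(memory, 0, len(request))

if __name__ == "__main__":
    echoed, fixed = demo()
    print("vulnerable handler echoed:", echoed)
    print("fixed handler returned:", fixed)
```

Running it shows the vulnerable handler echoing the single byte sent plus 31 bytes of the neighbouring login data, while the fixed handler returns nothing for the same request.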

Impact and Prevention

According to a report by Codenomicon, the most vulnerable versions of OpenSSL have been in use for a little over two years, so the overall impact of Heartbleed is difficult to measure.

While many services using this form of security are working to address the issue, Parker says there are things users can do to protect themselves going forward: “In order for clients to protect themselves, currently the best recourse is to change passwords. If you use the same password then change them all, because even if you change your password on a site that was using the vulnerable version of OpenSSL but it remains the same elsewhere, then the login information that might have been taken would still be very harmful in those places.”

For a list of popular websites that are subject to the Heartbleed bug, click here