What Is the Heartbleed Computer Bug? - dummies


By Michael J. Arata, Jr.

Part of Heartbleed For Dummies Cheat Sheet

The Heartbleed vulnerability, sometimes mistakenly called the Heartbleed virus and officially known in the U.S. as CVE-2014-0160, is found in OpenSSL versions 1.0.1 through 1.0.1f, which contain a flaw in the heartbeat extension of TLS/DTLS (Transport Layer Security / Datagram Transport Layer Security).

The Heartbleed bug allows an attacker to exploit the heartbeat functionality of OpenSSL by sending a malformed heartbeat request to a vulnerable server. The server responds with up to 64 kilobytes of whatever happens to be in its memory at that moment. That data may be completely useless to the attacker, or it may contain user names and passwords, security certificates, cryptographic keys, and other sensitive data.
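As an added illustration that is not part of the Dummies text, the C model below shows the root cause of CVE-2014-0160: the server believes the length field in the heartbeat request and copies that many bytes back, so a request that claims more payload than it actually sent gets neighbouring memory in the reply. The same function with check_bounds set applies the one-line length check that fixed it. The record layout follows the heartbeat extension; the buffer sizes, the request and the "secret" string are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16 bytes)
 * The record lives in a flat byte array that also holds unrelated data, standing
 * in for the process memory that follows a received record. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* Reply to the heartbeat request at rec, whose real received length is rec_len.
 * Returns the reply length written to out (capacity out_cap), or 0 if rejected.
 * check_bounds == 0 mirrors OpenSSL 1.0.1 through 1.0.1f: the untrusted
 * payload_length is believed and memcpy reads past the end of the record.
 * check_bounds == 1 applies the one-line fix shipped in 1.0.1g. */
size_t heartbeat_reply(const uint8_t *rec, size_t rec_len, int check_bounds,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];               /* claimed, untrusted */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* the fix */
    if (1 + 2 + payload + HB_PADDING > out_cap) return 0;          /* our own buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);    /* over-reads when payload > bytes received */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Scenario: a 23-byte request (4 real payload bytes + 16 bytes padding) that
 * claims a 40-byte payload, followed in memory by a constructed secret string.
 * Returns how many reply bytes were copied from beyond the received record. */
size_t leaked_bytes(int check_bounds)
{
    uint8_t mem[128] = {0};
    const uint8_t req[] = { HB_REQUEST, 0x00, 40, 'p', 'i', 'n', 'g' }; /* claims 40 */
    memcpy(mem, req, sizeof req);                 /* bytes 7..22 stay zero: padding */
    size_t rec_len = 3 + 4 + HB_PADDING;          /* 23 bytes actually received */
    const char secret[] = "constructed-secret-sitting-next-to-the-record";
    memcpy(mem + rec_len, secret, sizeof secret); /* neighbouring process memory */
    uint8_t out[128];
    if (heartbeat_reply(mem, rec_len, check_bounds, out, sizeof out) == 0) return 0;
    size_t end = 3 + (((size_t)out[1] << 8) | out[2]); /* last source offset copied */
    if (end <= rec_len) return 0;
    /* Confirm the extra bytes really are the neighbouring secret, not padding. */
    return memcmp(out + rec_len, secret, end - rec_len) == 0 ? end - rec_len : 0;
}
```

With the check in place the oversized request is simply dropped; without it, 20 bytes that were never part of the request come back in the reply.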

  • Heartbleed isn’t a virus. Heartbleed is a bug that has existed in specific versions of the OpenSSL library for more than two years. It is NOT some new virus or spyware that is “slowing your computer down.” For most end users, you don’t need to install any new software or scan your computer for an infection. And don’t bother forwarding the inevitable e-mail warning from your mother (which she received from “Microsoft”) that foretells doom and gloom because of the “Heartbleed Virus”!

  • Heartbleed affects up to two-thirds of all Internet websites. Industry analysts estimate that as many as two-thirds of all Internet websites may be running vulnerable versions of OpenSSL. Popular websites that have been affected by Heartbleed include Google, Facebook, Dropbox, and Yahoo Mail.

  • Understand the ‘S’ in ‘HTTPS’. Although Heartbleed affects much more than just web servers, for end users it’s important to know what types of websites may be affected. E-commerce shopping websites, financial institutions, Internet e-mail, and social media — basically any website that requires you to log in with a username and password — are all potentially vulnerable. These websites typically have an address that begins with HTTPS — ironically, the ‘S’ stands for ‘Secure’.

  • Heartbleed is going to slow things down for a while. Heartbleed is causing a frenzy of activity on the Internet. Service providers are busy updating their servers, revoking and re-issuing security certificates, investigating potential data privacy breaches, and communicating with their customers and patrons. Additionally, millions of users (like you) are diligently changing their passwords on the various sites that they frequent. All of this activity means web browsing is going to be a little slower until the dust settles on Heartbleed.

  • Your Android’s heart bleeds too! Version 4.1.1 of Android Jelly Bean is vulnerable to the Heartbleed bug. This means sensitive data on Android smartphones and tablets may be at risk. Google is releasing a fix, but not all devices are compatible with the fix. Devices that cannot be upgraded beyond 4.1.1 and thus remain vulnerable to the Heartbleed bug, as of this writing, include

    • Asus PadFone 2

    • HTC One S

    • Huawei Ascend Y300

    • Sony Xperia E

  • Mobile apps may also be vulnerable. According to Trend Micro, as many as 6,000 mobile apps — regardless of the mobile operating system (meaning apps available from the App Store, Google Play, and others) — may be affected by Heartbleed. These apps use OpenSSL on their server backends rather than on the mobile device itself, so there’s no way for an end user to tell whether a particular app on their device is vulnerable.