Heartbleed Bug Threatens Internet Privacy

On April 7th, a mass-scale security bug called Heartbleed was publicly announced as a threat to internet users’ security, spreading waves of panic and frantic password changing throughout the internet.

 

Heartbleed is the name for a flaw in an SSL program used as a security measure to encrypt data used in online transactions. Though intended to increase security for internet users, this program in the wrong hands led to compromising breaches of privacy.

 

Heartbleed attackers were able to use the flaw in the program to their advantage. As Zulfikar Ramzan, chief technology officer for Elastica, told The New York Times, “The attacker can start reading data about a transaction and learn things like your passwords and credit card numbers that you thought were kept confidential.”

 

Heartbleed allowed these attackers to take advantage of thousands of unsuspecting internet users. The flaw remained undetected for around two years. 

 

Heartbleed arose in software created by an open-source community, volunteers who work together to create free software. With all these different volunteers working on the very complicated software, the major flaw simply slipped through the cracks.

 

“This bug was introduced two years ago, and yet nobody took the time to notice it,” Steven M. Bellovin, a computer science professor at Columbia University, told The New York Times.

 

The bug is believed to have left around half a million web servers vulnerable, including Amazon Web Services, Pinterest, Wikipedia, and Reddit, all of which recommended that their users change their passwords.

 

The Canada Revenue Agency experienced major security concerns related to the Heartbleed bug, leading to a temporary shutdown of all its online services. 

 

“Based on our analysis to date,” the Canada Revenue Agency stated in an April 14 post on its website, “Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability.” The agency announced that it would be notifying all taxpayers who may be affected by the bug and that it would apply greater security measures on their accounts to ensure their identities’ safety.

 

Most affected web servers have applied a patch to the Heartbleed bug, which fixes the flaw and retains the safety and security of the user’s information. This patch, however, is only effective if any passwords or keys are changed, ensuring that any information hackers may have obtained is now invalid. 

 

The bug has attracted massive attention, due to its undetectable nature and the vast number of popular websites that have been compromised. 

 

According to some, the surprising popularity of the bug can also be linked to other sources. “I really believe that the name and the logo and the website [heartbleed.com] helped fuel the community interest in this,” David Chartier, CEO of the company that discovered the bug, told The Guardian.

 

The press and social media have blown interest in Heartbleed to giant proportions. Heartbleed’s branding has led to quick action in fixing the bug. On April 7th, days after discovery of the bug on April 3rd, patches were available to fix the issue. 

 

A number of websites have requested their users change their passwords to ensure their safety. Numerous online tools such as Google Chrome’s “Chromebleed” and the “Heartbleed test” allow users to check if websites they commonly use have been affected by Heartbleed. 

 

The Heartbleed website recommends that all internet users change as many passwords and as much information as possible, as it is not known exactly what information or what websites have been hacked.