No Need to Get Tragic for Heartbleed

Published on 24 April 14
The Heartbleed issue went full steam ahead out of nowhere in the second week of April, leaving most of us scratching our heads in confusion. What happened? Why are there so many warnings, and why are websites proclaiming to their readers that they are safe from "Heartbleed"? Those of us who are not at all versed in the world of geekery were left asking (since we didn't know what the fuss was all about) what we need to do. Is there a need to update the antivirus program on our laptops?

Do we need to stop all the file transfers we are doing through the USB 3.0 docking station stand? Can you log in to your email, bank, and other sensitive accounts without fear of things like identity theft? Unfortunately, the answers have not been that decisive or reassuring for us common folk who do not think about technology 24 hours a day.
No Need to Get Tragic for Heartbleed - Image 1
So, without further ado, here are some points that should clarify the Heartbleed issue to appease us once and for all:

Question: How does Heartbleed work?

Heartbleed affects a piece of software called OpenSSL, which is used to beef up the security of some of the world's most popular and widely used web servers. Through OpenSSL, websites can exchange encrypted information with their visitors, which in turn allows visitors to hand very sensitive data to the websites (such as passwords, cookies, and usernames) without it being seen by others on its way from the computer to the website.

OpenSSL happens to be an open source program, which means its developers were not hired by a company but instead volunteer to build and improve the project. Version 1.0.1 of OpenSSL happens to have a bug (a mistake by the programmer) that allows anyone to pull information out of the web server's memory undetected.

OpenSSL has a built-in feature called heartbeat: a response from a website to let a computer know that it is still active and has acknowledged whatever request the user sent. These requests and acknowledgements are done through a small data exchange. In normal cases, when a computer sends a heartbeat request, the server echoes back exactly the amount of data the request contained. For servers affected by the bug, this is not the case: the server trusts the amount of data the request claims to carry instead of checking how much actually arrived, so the hacker can send a small request and ask for far more data back than the request ever contained.


The extra data beyond the original request may contain things left behind by other parts of the program. As more computers access the server, memory is constantly reused, so data from earlier requests may still be sitting in the memory block the hacker gets back from the server. Those bits of data sent back to the hacker may include things like cookies and login credentials, which hackers would, of course, exploit.
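To make the length mix-up concrete, here is an added illustration (not code from the original post, and not OpenSSL's own source): a constructed in-memory record that holds a heartbeat request followed by some made-up leftover data, with the unpatched echo logic beside the patched one. The request layout (type byte, 2-byte claimed length, payload) and the fix's check that the claimed length must fit within the bytes received are the real ones; the buffer, the stale "session cookie" and the function names are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the server's record memory: the heartbeat
 * request sits at the front, followed by stale bytes left over from
 * earlier requests (a made-up session cookie, not real server data). */
#define RECORD_SIZE 64
static unsigned char record[RECORD_SIZE];
static unsigned char reply[RECORD_SIZE];    /* where the echo is written */

/* Lay out a heartbeat request: 1 type byte, 2-byte big-endian claimed
 * payload length, then the bytes actually sent. Returns the number of
 * bytes the server really received. */
size_t build_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    const char *stale = "session=abc123";   /* constructed leftover data */
    memset(record, 0, sizeof record);
    record[0] = 1;                           /* TLS1_HB_REQUEST */
    record[1] = (unsigned char)(claimed_len >> 8);
    record[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(record + 3, payload, actual_len);
    memcpy(record + 3 + actual_len, stale, strlen(stale));
    return 3 + actual_len;
}

static uint16_t claimed_length(void) {
    return (uint16_t)((record[1] << 8) | record[2]);
}

/* Unpatched behaviour: the reply copies as many bytes as the request
 * *claims* to carry, never checking how many arrived, so it reads past
 * the request into whatever follows in memory. Returns bytes echoed. */
size_t heartbeat_reply_vulnerable(unsigned char *out, size_t record_len) {
    (void)record_len;                        /* the bug: never consulted */
    uint16_t n = claimed_length();
    memcpy(out, record + 3, n);
    return n;
}

/* Patched behaviour: the claimed payload must fit inside the bytes that
 * were actually received, else the request is silently discarded (the
 * real fix also reserves 16 padding bytes; omitted here). Returns bytes
 * echoed, or 0 when the request is rejected. */
size_t heartbeat_reply_fixed(unsigned char *out, size_t record_len) {
    uint16_t n = claimed_length();
    if ((size_t)3 + n > record_len)
        return 0;
    memcpy(out, record + 3, n);
    return n;
}
```

With a 5-byte payload that claims to be 20 bytes long, the unpatched function echoes the payload plus the stale cookie behind it, while the patched one returns nothing.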

Question: what should we do, then?

station to transfer files or disable all your email accounts. It has been found that the number of servers actually affected is fewer than originally thought. Original estimates said that 60% of all servers had the bug, but newer studies claim that only close to 18% have it. That's still a lot, but significantly lower than the first estimate. Besides, once the bug was discovered, a patch was released, so every server that has applied the patch is no longer affected.


While the threat of Heartbleed has diminished, it has still left a bitter taste after the havoc it wreaked. For us common people, there is only one thing to do: change the passwords of the services you deem most important. While you're at it, make sure your passwords are difficult to crack by mixing uppercase and lowercase letters and including symbols and a number or two. It is also recommended that you vary your passwords and not use one password across accounts.


This blog is listed under IT Security & Architecture Community
