'Catastrophic' Heartbleed bug: how to protect yourself

An encryption flaw called Heartbleed has exposed large swathes of the internet, prompting some IT security experts to warn internet users against even using the web for the next few days.

As Bruce Schneier, a renowned security expert, said in a blog post on Wednesday: "Heartbleed is a catastrophic bug . . . on a scale of one to 10, it is an 11."

So what exactly is the Heartbleed flaw, how did it get introduced, who is potentially affected and what can you do to prevent being compromised? We answer those questions and more below.

What is the Heartbleed flaw?

The Heartbleed flaw is a bug that was found in some of the latest versions of an open source cryptography library used by millions of websites globally, called OpenSSL. Many websites use OpenSSL when implementing that golden "lock" and "https" in the URL of a web browser. When people see these in a browser, they tend to feel a website is safe as they know their data is supposedly being encrypted between them and the website.

But the flaw that was discovered by Google security engineer Neel Mehta and by staff at a security firm called Codenomicon showed this was not always the case. They found a bug in the code of OpenSSL that allowed a malicious person to extract from a website's server 64 kilobytes of its internal memory at any one time.

This is bad. Really, really bad.

If this data was extracted enough times, the researchers found that an attacker would have been able to steal usernames, passwords and financial information – basically any piece of information being pushed through a server's memory. They also found that a server's private key – the key only it is supposed to have and what it uses to encrypt communications – was able to be extracted by a malicious person. With this key, an attacker can impersonate a website and sit in the middle of a victim's internet connection and a "secured" website to access encrypted data and decrypt it.

This is why security experts are prompting website owners to replace their private keys, just like they would replace their house keys if the key was stolen.

"At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies," Schneier said.

Worse still, the researchers who found the Heartbleed flaw say that when exploited it did not leave any traces on logs of website servers.

How did it get introduced?

The bug was introduced into OpenSSL about an hour before New Year's Eve in December 2011 by Robin Seggelmann. There is already a conspiracy theory going around about whether it was inserted maliciously.

"The real question is whether or not someone deliberately inserted this bug into OpenSSL and has had two years of unfettered access to everything," Schneier said. "My guess is accident but I have no proof."

Who is potentially affected?

You. If you used one of the affected websites – and there are many – the information you have given to it with encryption enabled has been exposed but not necessarily stolen or extracted.

That is why it has been labelled "catastrophic".

Many, many people are affected by this bug. Not only website owners.

Are online banking facilities affected? If not, why?

Australia's banks have moved to reassure customers. Most have said they are unaffected. This is due to the fact that most do not appear to be using OpenSSL for their online banking websites.

NAB said it had "not been exposed" to Heartbleed.

"Our customers do not need to change their internet banking passwords," it said.

Westpac said it was aware of Heartbleed but was "not susceptible".

ANZ said it was unaffected. 

Commonwealth Bank said that it had "patched against the Heartbleed bug". It is understood, however, that only the bank's main website was affected and not its online banking website, NetBank.

This means that CBA financial data was highly unlikely to have been compromised by the flaw.

What sites have been found to be vulnerable?

So far Fairfax Media has been able to confirm the Federal Court's Commonwealth Courts Portal, JB Hi Fi, Priceline and Australia's Community Emergency Response Team websites were vulnerable and have been patched or are in the process of being patched.

Priceline and JB Hi Fi have previously acknowledged the flaw, while CERT refused to comment.

A Federal Court spokesman said on Thursday that the Commonwealth Courts Portal had been patched and a new certificate obtained.

"The Commonwealth Courts Portal has only been using the impacted version of OpenSSL for a short time," a spokesman said. "We will be placing a notice on the site as soon as the certificate is updated advising users to change their password as a precaution if they have any concerns."

A number of other Australian business websites are also known to be exposed and have not patched against Heartbleed.

What can you do to prevent being compromised?

Information you submitted to vulnerable websites over the past two years may have been captured by criminals or intelligence agencies. The issue now is that it is a bit hard to check whether websites were vulnerable, as many have since patched the flaw and are not telling people whether they were affected. Some responsible websites are though. Below are some steps to take.

If you are a consumer:

1. Change your passwords on any and all websites that contain sensitive data. But, before you do, check if the websites have been upgraded to patch the problem. If you change your password and the website has not been patched against Heartbleed, then you are giving a hacker a new password. You will also want to make sure that the website has renewed its private encryption key. There is no easy checker for this yet but you could always ask representatives for the company if they have updated their keys.

2. Monitor your credit card and bank activity and report suspicious charges.

3. Contact website owners to make sure they have patched and tested their servers.

4. Web anonymisation software Tor has said that people should probably hop off the internet for a couple of days while big and small websites work to patch their servers against the flaw. Tor said if people valued their privacy, this was probably the best option for the time being. Many people, however, require the internet to do their job, so this is not very practical. 

If you are a developer, system administrator or businesses owner with a website that uses encryption (that little padlock icon in a web browser), you need to patch your website's servers:

1. Update OpenSSL to a version without the vulnerability. Check heartbleed.com for a list of OpenSSL versions affected and not affected and test again after any update.

2. Reissue and reinstall SSL certificates on affected servers (the private keys). If your server was vulnerable, your private keys may have been compromised. Those keys could be used to decrypt any data your customers send to your website through SSL. You need to create a new key and request a new SSL certificate from your vendor and install it on your server. Many certificate providers appear to be doing this for no cost but some are charging.

3. Contact customers and request that they reset their passwords. Yes, this is awkward but it is probably the best course of action to take to protect your reputation and their security.

Source of some of the advice: buckeyeinteractive.com

smh.com.au

Smartphone
Tablet - Narrow
Tablet - Wide
Desktop