So what’s all this about the Heartbleed bug that everyone’s talking about?

In brief

  • The Heartbleed bug is a bug accidentally written into encryption software (OpenSSL) – unless you believe in conspiracy theories
  • OpenSSL is the software library used on a huge number of computers (servers) to communicate securely with other computers (you and me) over SSL/TLS
  • The Heartbleed bug lets attackers read data (usernames, passwords, credit card details, encryption keys) straight out of the memory of affected computers, without ever breaking the encryption

Tell me more…

When your computer opens a secure connection to a server, a complex ‘negotiation’ (the SSL/TLS handshake) is done between the two computers to agree on the keys that will protect the communication.  Once that is done, either side can check that the other is still present and hasn’t “dropped off” by sending a small “heartbeat” message: a few bytes of data that the other side is expected to echo straight back.  This “keeps alive” the connection between the two computers rather than repeating the expensive negotiation that was performed at the beginning.

The Heartbleed bug is a bug accidentally written into the heartbeat handling of the OpenSSL encryption software used by a huge number of websites to establish and maintain secure connections between computers.  Each heartbeat message carries a number saying how many bytes of data it contains.  The buggy code trusted that number without checking it against how much data had actually arrived.  So a hacker can send a fake “heartbeat” containing only a byte or two but claiming to contain up to 64 kilobytes, and the receiving computer obligingly copies that many bytes from its memory into the reply, sending back whatever happened to be sitting next to the heartbeat in memory.  The hacker can repeatedly send fake “heartbeats” and build up a record of more and more memory from the computer that has been “tricked”.

The data sent from the “tricked” computer can include usernames, passwords, credit card details, personal details and (worst of all) the encryption keys that actually encrypt the data sent from the computer.
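To make the mechanism concrete, here is a small simulation written for this post (it is not OpenSSL’s code, and the “process memory”, the heartbeat record and the secret next to it are all constructed in the program).  It builds a heartbeat request in a fake memory buffer with a 5-byte payload that claims to be 200 bytes long, plants a made-up key a little further along in the same buffer, and then feeds the record to two handlers: one that mirrors the buggy logic (trust the length field and copy) and one with the bounds check that the fix added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "process memory": the heartbeat record is placed at offset 0 and,
 * as on a real server, other connection state sits a little further along. */
#define MEM_SIZE   512
#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_PADDING 16      /* RFC 6520: at least 16 bytes of padding follow the payload */
static unsigned char memory[MEM_SIZE];

typedef size_t (*hb_handler)(size_t record_len, unsigned char *out, size_t out_cap);

/* Write a heartbeat request at memory[0..]: type, 2-byte length field, payload, padding.
 * claimed_len is what the length field says; real_len is what is actually sent.
 * Returns the number of bytes that really arrived on the wire. */
static size_t build_record(const unsigned char *real, size_t real_len, uint16_t claimed_len)
{
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, real, real_len);
    memset(memory + 3 + real_len, 0, HB_PADDING);
    return 1 + 2 + real_len + HB_PADDING;
}

/* Buggy handler: mirrors the unpatched logic, which copied `payload` bytes from the
 * start of the payload without asking how many bytes the record actually held. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;                                   /* never consulted: this is the bug */
    uint16_t payload = (uint16_t)((memory[1] << 8) | memory[2]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;                   /* keeps the simulation itself in bounds */
    out[0] = HB_RESPONSE;
    out[1] = memory[1];
    out[2] = memory[2];
    memcpy(out + 3, memory + 3, payload);               /* reads far past the real payload */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: the same logic plus the check the patch introduced. A request whose
 * claimed length does not fit inside the received record is silently discarded. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((memory[1] << 8) | memory[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return 0;   /* the fix */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = memory[1];
    out[2] = memory[2];
    memcpy(out + 3, memory + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

static int find_bytes(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; nlen > 0 && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Malicious request: 5 real bytes, length field says 200, with a constructed secret
 * planted 8 bytes after the record. Returns 1 if the reply contains the secret. */
static int response_contains_secret(hb_handler handler, const char *secret)
{
    unsigned char resp[MEM_SIZE];
    memset(memory, 0, sizeof memory);
    size_t rec = build_record((const unsigned char *)"hello", 5, 200);
    memcpy(memory + rec + 8, secret, strlen(secret));
    size_t n = handler(rec, resp, sizeof resp);
    return n > 0 && find_bytes(resp, n, secret);
}

/* Honest request: length field matches the payload. Returns the reply length
 * (24 bytes here) if the payload was echoed back correctly, else 0. */
static size_t honest_roundtrip(hb_handler handler)
{
    unsigned char resp[MEM_SIZE];
    memset(memory, 0, sizeof memory);
    size_t rec = build_record((const unsigned char *)"hello", 5, 5);
    size_t n = handler(rec, resp, sizeof resp);
    return (n > 0 && memcmp(resp + 3, "hello", 5) == 0) ? n : 0;
}

int main(void)
{
    const char *secret = "AES-KEY:0123456789abcdef";   /* constructed, not a real key */
    printf("vulnerable leaks secret: %d\n", response_contains_secret(heartbeat_vulnerable, secret));
    printf("fixed leaks secret:      %d\n", response_contains_secret(heartbeat_fixed, secret));
    printf("honest reply lengths:    %zu / %zu\n",
           honest_roundtrip(heartbeat_vulnerable), honest_roundtrip(heartbeat_fixed));
    return 0;
}
```

The honest heartbeat gets exactly the same 24-byte reply from both handlers, which is why the bug went unnoticed for so long: nothing about normal traffic changes.  Only the request that lies about its length behaves differently, and the fixed handler’s answer to it is to say nothing at all.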

Is it bad?

Yep.  Pretty bad.  Especially as a fake heartbeat looks like ordinary traffic and leaves nothing in a server’s normal logs, so there’s no way to see whether any of your data has already been stolen or not.

How do we fix it?

Most of the fixes need to be done by the people running the affected servers: update OpenSSL to a fixed version, then replace the server’s encryption keys and certificates, since the old ones may already have been read out of memory.  However, there are some things that you can do:

  1. check whether the sites you use are affected – using this link.  If they are, get onto the people managing the server and get a fix asap
  2. consider changing your passwords – see this link.  Only do this once a site has actually been fixed; changing your password on a site that is still vulnerable just hands the new one over as well
  3. consider having completely different usernames and passwords for your various secure sites, so a password stolen from one site can’t be used to get into the others