Today, a fellow employee (I won’t name names) stopped by my desk and said he had heard about the Heartbleed virus. It caused the Canada Revenue Agency to shut down its website in the middle of tax season. There are even quite a few articles calling it a virus. Sounds pretty bad.
What is the Heartbleed bug?
Heartbleed is not a virus. It’s a vulnerability in OpenSSL. It’s a really nasty bug: one that affected over 60% of the web, and one that has been around for more than two years.
Wait, two years? That’s a long time for a bug to be out in the open. Herein lies the difference between a bug and a virus. A virus is usually a piece of software deliberately written to do harm. Once one is loose in the wild, it tends to be discovered fairly quickly and blocked or patched by whichever vendor is affected.
A bug like Heartbleed is only discovered after engineers do something (like running a test or adding new features) that triggers it. Since Heartbleed has been in the wild for years, there’s no way to know whether someone discovered it quietly and used it maliciously before it was made public. That’s a scary thought.
Can you be affected?
Yes. If you used any online service that was affected (you likely have) and had an account with it, an attacker could potentially have stolen information stored in your account: personal, private and financial details; instant messages, documents and emails; anything that would be transferred over SSL.
What should I do?
First, check to see if the website you need to log into has actually applied the patch. Use this tool by Filippo.io to find out.
If the patch was applied, log in and change your password.
If the patch was not applied, do not log in. Either contact their support team or wait it out until they’ve fixed the issue.
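For administrators who want to run the "is it patched?" check on their own servers rather than on a website, here is an added example (not from the original post or from Top Draw) that classifies the output of `openssl version` against the affected range published by the OpenSSL project: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g and 1.0.2-beta2 carry the fix, and the 0.9.8 and 1.0.0 branches never had the vulnerable code. The sample version strings are constructed; the one caveat to remember is that distributions such as Debian, Ubuntu and Red Hat backport fixes without changing the version letter, so a "vulnerable" result from a version string alone means "check the package changelog", not "confirmed exposed".

```python
import re

# Heartbleed (CVE-2014-0160) lives in OpenSSL 1.0.1 through 1.0.1f and in
# 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 are the first fixed releases; the
# 0.9.8 and 1.0.0 branches predate the TLS heartbeat code entirely.
_VULNERABLE_101_LETTERS = "abcdef"  # plain "1.0.1" (no letter) is also affected

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|dev))?", re.IGNORECASE
)


def heartbleed_status(version_line):
    """Classify an `openssl version` line as 'vulnerable', 'fixed', 'not affected' or 'unknown'.

    Caveat: distributions that backport the fix keep the upstream version
    string (Ubuntu shipped a patched "1.0.1e"), so treat 'vulnerable' as a
    prompt to check the package changelog, not as a final verdict.
    """
    match = _VERSION_RE.search(version_line)
    if not match:
        raise ValueError("not an OpenSSL version string: %r" % version_line)
    branch = tuple(int(match.group(i)) for i in (1, 2, 3))
    letter, suffix = match.group(4).lower(), (match.group(5) or "").lower()

    if branch < (1, 0, 1):
        return "not affected"          # 0.9.8x and 1.0.0x never had heartbeats
    if branch == (1, 0, 1):
        if suffix:                     # 1.0.1-beta*/-dev builds: not classified here
            return "unknown"
        if letter == "" or letter in _VULNERABLE_101_LETTERS:
            return "vulnerable"        # 1.0.1 up to and including 1.0.1f
        return "fixed"                 # 1.0.1g and later letters
    if branch == (1, 0, 2):
        if suffix == "beta1":
            return "vulnerable"
        return "fixed"                 # 1.0.2-beta2 onwards, and 1.0.2 releases
    return "fixed"                     # 1.1.x and later were released after the fix


if __name__ == "__main__":
    # Constructed sample lines; on a real host run `openssl version` and pass its output.
    for line in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                 "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.0l 6 Jan 2014"):
        print("%-32s -> %s" % (line, heartbleed_status(line)))
```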
How does Top Draw handle Heartbleed?
At Top Draw, we recommend that our clients use a managed hosting solution. This puts the onus of security updates on experts who are trained to deal with these situations. All of our preferred hosting partners applied the patch within 24 hours of the bug becoming known.
Where can I find more information?
Heartbleed.com has the best rundown of what, why and how it all happened.