Tiffany White, Illustrator
On April 9. a massive and unforeseen software lapse took the Internet protocol by storm, gripping every inch of news and social media with a cacophony of wailing and gnashing of teeth. “Heartbleed,” as the bug came to be called, was titled a “catastrophe” and “the security event of the century,” quickly surpassing the shock garnered by the Snowden and Target news stories popular just a few years earlier.
If you felt Internet-savvy, maybe you changed a couple passwords (for the sites you can remember… who even keeps track of them all?). Or maybe you just let it sit, figuring that this event would make some big waves and then blow over, and that nobody’s interested in your barely-used Facebook profile password anyway.
But while it’s true that Heartbleed might not ever affect you personally, it’s important to understand what a breach of this magnitude entails.
Unlike the Target or Playstation data leaks, the Heartbleed bug isn’t an exploitation by some dedicated group looking for personal data, or an accidentally released swath of files that have been able to propagate the web. Rather, it’s an opening for any hacker-nobody who has the know-how to grab passwords, encryption keys, emails, messages, files, private data, anything, whenever they want, leaving absolutely no trace of the intrusion.
It doesn’t affect every server – specifically, only those that use the OpenSSL architecture are affected, which is the open source security structure that contains the bug. Many sites, like banks and other high security locations, don’t use it, so you may not have to worry about your financial accounts being silently violated (unless you share the same password for everything, but you’d never do something silly like that, right?).
But past the few exceptions, OpenSSL accounts for roughly 60% of every site out there. And the Heartbleed bug has been out for two years before being detected and patched. Yikes.
So, what is the bug, exactly? Some terribly complicated algorithm discovered by a genius MIT student? A secret backdoor introduced by the NSA to monitor your facebook ruminations? Not quite so dramatic – the actual problem was a parsing error, a bug in a section of validation code that monitored how much data a user was requesting.
By overdrawing data in the midst of the server requests, users would receive much, much more data than they had anticipated, and much of it unrelated to their own activity; unencrypted versions of other user’s private data, security measures, and files that were openly circulating before being stored to long term memory could all be seen and accessed.
The simplicity and low-level interaction of the problem were undoubtedly part of the reason it remained undetected for so long, and also why breaches could remain so untraceable – since intrusions were provided information freely and made no attempts at decrypting secure data, there were few cues for countermeasure software to catch on.
So, Heartbleed is indeed a big deal, and changing passwords is probably a good idea. But beyond that, what does the breach mean for the everyday user? One thing that can probably be expected is a huge influx of phishing and spam – since your email address is required by many sites as a login, it can just as easily be picked up via Heartbleed as a password or login, even if your actual email provider was not affected by the breach.
Having so many emails distributed around means you’re probably going to see a lot of fake Youtubes and Amazons requesting that you “urgently upgrade your credit card credentials for much increased security.” Another consequence is that private messages and confidential files may have been accessed.
Make sure that any user information that got passed in a vulnerable site gets changed pronto; again, even if the site that user information applied to was not affected by Heartbleed. When it comes to breaches as far reaching as this one, it’s typically best to assume that anything could have been accessed, and you’re better off safe than sorry.
But no matter where you lie on the reaction spectrum, try to keep things in perspective. Security expert Bruce Schneier referred to Heartbleed “on a scale of 1 to 10k this is an 11,” and all things considered, he might be right.
There’s not a lot to learn from Heartbleed, no long-term lessons or valuable takeaways, just a bad situation and a lot of vulnerability for everyone involved. But if you manage things smart, make sure your data is properly accounted for, and don’t click on sketchy emails, you could make it out okay. Stay safe, everyone.
Copeland is a member of the class of 2015.
