The Heartbleed bug is a serious vulnerability in OpenSSL, an open-source Secure Sockets Layer (SSL) implementation, that came into the public picture earlier this April and has posed a threat to users’ online session data, privacy settings, and overall online security.
The Heartbleed bug abuses overly trusting servers to obtain large amounts of data never intended for public availability.
According to wired.com, the National Security Administration had the potential to exploit this vulnerability for at least two years before it became widely known to the public.
Tim Krause, an associate professor of computing and new media technologies at the University of Wisconsin-Stevens Point, theorized about why online users may only just be learning about this vulnerability.
“You get so inundated by the media that you have a hard time paying attention to what matters,” Krause said.
Heartbleed was given its name because of its effect on OpenSSL servers that have a “heartbeat” option. This option encompasses three parts: a request for knowledge, a short and random message and the number of characters in that message.
When a heartbeat request contains a six-character word, for example, the server automatically sends back the same six characters in response. Heartbleed abuses a request that claims more characters than the message actually contains: the server keeps sending characters past the end of the message, reaching deep into its internal memory and exposing sensitive data.
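The bounds check that closes this gap, sketched in C as an added example (it is not code from OpenSSL or from the sources quoted in this article). The message layout of a 1-byte type, a 2-byte length, the message and at least 16 bytes of padding follows the TLS heartbeat specification (RFC 6520); `hb_respond` and the two sample messages are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* message type: request */
#define HB_RESPONSE 2   /* message type: response */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload length */
#define HB_PADDING  16  /* minimum padding after the payload */

/* Constructed samples: type, 2-byte length, "banana", 16 zeroed padding bytes. */
static const uint8_t sample_honest[25]    = {1, 0x00, 0x06, 'b','a','n','a','n','a'};
static const uint8_t sample_overclaim[25] = {1, 0x40, 0x00, 'b','a','n','a','n','a'};

/* Writes the heartbeat response for the received bytes rec[0..rec_len) into out.
 * Returns the response length, or 0 when the request is discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;

    /* Number of characters the sender says it sent: untrusted input. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: the claimed payload must fit in what actually arrived.
     * Without it, the memcpy below would read past the end of rec. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;

    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);   /* echo the payload */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);    /* zeros here; real padding is random */
    return resp_len;
}

int main(void)
{
    uint8_t out[64];
    printf("honest:    %zu bytes\n", hb_respond(sample_honest, sizeof sample_honest, out, sizeof out));
    printf("overclaim: %zu bytes\n", hb_respond(sample_overclaim, sizeof sample_overclaim, out, sizeof out));
    return 0;
}
```

The request that claims 16,384 characters while carrying six is dropped without a reply, while the honest six-character request is echoed back in full.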
Krause explained that websites can protect their users by patching their software. A patch is a piece of software that is designed to improve, upgrade, support, or fix a computer program or its supporting data.
Google, Pinterest and Facebook are among the big-name websites that have taken the initiative in patching and are now safe from the Heartbleed bug. Whereas these websites might have been vulnerable had they not been patched, Amazon and Bank of America are examples of websites that do not use OpenSSL. As a result, users should not need to worry about sites like Amazon and Bank of America, because the Heartbleed bug has only been known to affect OpenSSL servers.
Krause explained that if websites do not use OpenSSL, they should be safe. He advises users who use websites with OpenSSL to check website notices for updates about user security and the website’s patching.
“Heartbleed is the most widespread and severe bug we have seen,” Krause said.
Krause said it might be helpful for students to change their passwords more than once, the first time being when they find out about the bug and again when they know the website has been patched. He says it is best to use precaution.
Peter Zuge, information security officer at UWSP, said that students on campus should not fear for their UWSP accounts.
“We quickly patched everything. Our vendors supplied immediate patches for Pointer alerts,” Zuge said.
Zuge said that six of 250 UWSP websites were vulnerable and that those six were not frequently used by students or staff to begin with. He said that Information Technology is now working with other UW system campuses to scan and look out for other systems that may be vulnerable.
“On our campus, we’re pretty lucky, because we’re a Microsoft shop. Microsoft does not use OpenSSL,” Zuge said.
As far as systems outside the UW bracket go, Zuge advises students otherwise. Similar to Krause, Zuge encourages students to follow their online institution’s advice.
“It is important that you go to the website, instead of clicking on links in e-mails you are sent, especially to avoid phishing. You are in complete control of changing your passwords, with or without the bug. Vigilance is key,” Zuge said.
Zuge says that it is hard for online users to know what sort of e-mails are legitimate. Even if the e-mail seems to be sent from a valid source, it can still pose a threat. Zuge said that even if you are prompted by a link to change your password, it is important that you ignore it and go straight to the website itself.
Zuge predicts that the Heartbleed bug will die down in a week or two.
When systems are attacked with the Heartbleed bug, the attack is detectable, so websites will be able to secure user information more noticeably. This bug is not hidden. It is present in hundreds of thousands of entries in an SSL log file.
Though its presence in SSL log files is projected to decrease within the coming weeks, it is important for online users to be aware of the bug’s presence overall. For these users, taking internet security seriously seems to be the biggest priority.