Heartbleed and IBM
JonTate
I think that this Heartbleed bug is going to be an observational comedian's dream. Well I guess one that is a bit of an IT geek anyway. Not quite sure what the Pub Landlord will make of it, but I am sure that he will have some kind of an opinion. Probably not fit to print.
Anyway, on to the serious stuff. I thought that as there is a lot of confusion as to what it is, what should you do, where should I go in IBM to find out more, that I would throw something together that gives a little bit of background to it (that may or may not be of interest to you) but more importantly a link to the official IBM rout
First, IBM's official, publicly viewable response for Heartbleed is available here:
Secondly, for all security advisory bulletins and statements, go here:
I reckon the former should be your first port of call.
However, in our effort to serve you better, we recommend that you subscribe to the RSS feed for notification of future IBM Security Bulletins and advisories posted on the blog. The short URL for this blog is:
Right, what is Heartbleed anyway?
There is a piece of open source software called OpenSSL, and its purpose is to encrypt communications between an end user's computer and a web server. A sort of masonic secret handshake at the beginning of what you hope is going to be a secure conversation. Heartbleed is a vulnerability: a bug in this software that can be exploited to steal information that is normally protected.
Why is it called Heartbleed?
Once upon a time there was, well still is, an extension to SSL which was called Heartbeat. Heartbleed is so named because it affects the Heartbeat extension. You can't beat IT humour!
Well, OpenSSL is one of the most prevalent encryption tools on the internet, with estimates putting a figure of two-thirds of websites using it. Have you ever noticed the little padlock symbol in your browser? Then it is likely that you are using SSL. Half a million sites are thought to have been affected. That's "so what?".
How can hackers exploit this?
From Heartbleed.com: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
I think that "anyone on the internet" is probably a little bit of scaremongering; you have to have some pretty specialised knowledge to be able to do that.
Should I change my passwords?
Well, opinions differ on this for sure. There is a school of thought that says it is prudent to do so now. Some say do not do it now, but wait until the problem has been fixed, and then change them. I think, which means that this is my personal opinion and does not necessarily represent the views of my employer, that for credit cards and other sensitive websites, I would change them now, then change them again when the all clear is sounded. In fact I have changed the ones that deal with "money", and I am keeping an eagle eye on them at the moment just in case. Makes me feel better.
What sites are affected?
Well, the Google might be able to provide a list of the sites that are affected and is likely to be the first port of call for most users to see what he/she/it says. But there are some popular ones that people are turning to including:
Again, these are ones that represent my personal opinion as worth a look and not necessarily those of my employer.
Is the world going to stop spinning and can we blame the bankers for this too?
No, and no. Certainly it is inconvenient, and one of the more irritating aspects of this is that no-one can really tell whether something has or hasn't been hacked, and an attack cannot be traced. Rumours on all sorts of forums suggest that "state-sponsored hacking" started as soon as news of this bug surfaced, and that hacker groups are starting to target websites for financial gain. And in some well-publicised cases for "amusement". Although I have never visited "Mumsnet", I am told that it was targeted. This is what they had to say about it (I haven't read it all but as it is Mumsnet I am assuming that it is safe for work so have not marked it NSFW, if in any doubt don't go there!).
When and how will it be fixed?
All sites that are affected are scrambling to fix their code and close any loopholes. They might force a reset of all passwords. Funnily enough, when I logged into my Chase account I was forced to change my password but there was no official statement that I saw at the time to say it was due to Heartbleed. So, what needs to happen is that the owners of the services need to patch the code to remove the vulnerability, revoke the compromised keys, and reissue new keys. This does not fix any traffic that has already been intercepted. Once the service owners have fixed the code and keys, then it is definitely time for a password change.
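The order of the steps above is what makes the final password change worth doing. As an added example (not code from the original post or from IBM), this sketch lists which remediation steps are still open for a service; the `Cert` class, its field names, the fingerprints and the dates are constructed assumptions, and the certificate's issue time is treated as the time its key first went live.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass
class Cert:
    """Constructed stand-in for what an operator reads off a certificate."""
    key_fingerprint: str   # hash of the public key (placeholder strings below)
    issued_at: datetime    # assumption: also when this key first went live
    revoked: bool = False

def outstanding_steps(patched_at: Optional[datetime], old: Cert,
                      new: Optional[Cert]) -> List[str]:
    """List the remediation steps still open, in the order the post gives."""
    steps = []
    if patched_at is None:
        steps.append("patch OpenSSL")
    if not old.revoked:
        steps.append("revoke old certificate")
    if new is None:
        steps.append("reissue with a new key")
    elif new.key_fingerprint == old.key_fingerprint:
        # A fresh certificate wrapped around the old key protects nothing.
        steps.append("reissue with a new key (old key was reused)")
    elif patched_at is None or new.issued_at < patched_at:
        # A key that ran on the unpatched server was exposed as well.
        steps.append("reissue with a new key (key predates the patch)")
    return steps

def ready_for_password_change(patched_at, old, new) -> bool:
    """Passwords sent before every step is done may still be readable."""
    return not outstanding_steps(patched_at, old, new)

# Constructed sample data: dates and fingerprints are illustrative only.
PATCHED = datetime(2020, 1, 10)
OLD = Cert("KEY-A", datetime(2019, 6, 1))
OLD_REVOKED = Cert("KEY-A", datetime(2019, 6, 1), revoked=True)
SAME_KEY = Cert("KEY-A", datetime(2020, 1, 11))
NEW_KEY = Cert("KEY-B", datetime(2020, 1, 11))

if __name__ == "__main__":
    for label, args in [("untouched", (None, OLD, None)),
                        ("key reused", (PATCHED, OLD_REVOKED, SAME_KEY)),
                        ("done", (PATCHED, OLD_REVOKED, NEW_KEY))]:
        print(label, outstanding_steps(*args), ready_for_password_change(*args))
```

A certificate reissued around the old key, or around a key that was live before the patch, still counts as an open step here, because that key sat in the memory the bug exposes.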