April 22, 2014
Internet security flaw Heartbleed explained
Most of us are unlikely to give much thought to a small padlock icon at the start of a webpage address when we log into our email account, social media sites or online shopping.
That little padlock and a URL beginning with “https” signify that the page you are visiting and sending important personal data to is a secure and encrypted web page managed by Open Source software.
A bug in the latest version of that cryptography, discovered by Google security engineer Neel Mehta and by staff at a security firm called Codenomicon, revealed that hackers could steal information stored on a server, such as usernames, passwords, financial information and other personal data.
UOW Information Technology Services (ITS) Deputy Director Associate Professor Daniel Saffioti said IT security was extremely important to the University and it has been closely monitoring the issue since it was discovered.
"ITS conducted a review of its core systems and has concluded that UOW is not exposed to this. That said, as a precautionary measure we are recommending that staff and students consider changing UOW passwords as soon as it is practical."
Professor Willy Susilo, a cyber-security expert and a Director at UOW’s Centre for Computer and Information Security Research in the School of Computer Science and Software Engineering, explains what Heartbleed is and how you can protect yourself.
What is the Heartbleed bug?
Web administrators install a free, open source security technology the enables a secure and encrypted connection to transfer information over the Internet. This secure connection, particularly important for applications such as Internet banking, can be seen from the “padlock” shown at the bottom of the browser, as well as the word “https” appearing at the URL.
The software extension regularly sends “heartbeats” in the form of a small piece of data, to ensure the connection between servers or devices remains active and secure. The flaw in the heartbeat extension essentially “bleeds” important information from the server’s memory in small amounts. Through a Heartbleed attack, third parties steal important data and eavesdrop on communications.
Is Heartbleed a serious security issue?
The exchange of data in the “heartbeat” can be whatever happens to be on the server’s memory at the time the extension is active. This could be usernames, passwords, access tokens or a host of personal data. Heartbeats are not logged and therefore an attack leaves no trace.
Cryptography keys used to verify a site’s security are also often stored in system memory. If these are stolen a hacker could mimic a secure site and trick your computer into thinking it has a secure connection when really it’s connected to a third-party who can intercept and steal communications.
This security bug has affected more than two-thirds of websites worldwide and is therefore considered very serious; perhaps the biggest Internet security threat to date. Bruce Schneier, the CTO of CO3Systems and a security analyst, said that “on a scale of one to 10, it is an 11”.
What has been affected?
Major large Internet websites have been affected, including Yahoo.com, Yahoo Mail, adf.ly, Facebook, Tumblr, Google, Gmail and Dropbox. Heartbleed impacted many consumers through Internet Banking or online retail sites. Reputable Australian chains such as Coles MasterCard, Myers Visa Card and GE Money were also affected.
What about mobile devices?
Apple devices running iOS and Windows phones are not susceptible to this threat. Google reported that users should update the software on their Android devices.
How to fix this issue?
There is nothing you can do to fix the problem yourself other then contact your service provider, such as your bank, and see if they are vulnerable to the issue. You can use a web-based Heartbleed test to determine whether a site you regularly use is vulnerable or not. The owner or administrator of the web service needs to install a fixed version of the software.
What should a regular user do?
It is strongly recommended that people change their passwords. To date, majority of the websites have fixed the problem and are no longer vulnerable. Regardless, eavesdroppers may have already captured a users’ password and so users should change their passwords as a precaution.
More: heartbleed.com
UOW staff can find more information about Internet security at the ITS Cyber Security page.