The State Bar of Texas Computer & Technology Section sent an alert to members Thursday warning about a threat to online security. The alert is posted below along with some helpful links to learn more.
The Computer & Technology Section has learned of a serious threat to security on the Internet.
What’s the problem?
The threat stems from a bug in a low-level software program used on servers. The nickname for this bug is “heartbleed.” The heartbleed bug is in a program known as “openssl” and affects thousands of servers on the Internet that conduct encrypted communications with devices such as smartphones, tablets, laptops, and desktops. This problem is independent of operating systems, and affects users of Windows, Apple OS X, Linux, Android, and iOS (to name a few). At this point, most IT administrators are likely fixing the bug on their servers. Even after the bug is fixed, it is still possible that the cryptographic keys that your smartphone/tablet/PC were using with an affected server are compromised and will need replacement. New keys on the server will have to be generated and certified, and that may take several days.
Why is this important?
Because the bug deals with encryption on the server side of the transaction. Hackers are already using the bug to “look at the cookies of the last person to visit an affected server, which can reveal personal information,” according to an article in the Guardian (link below). SSL is the technology underlying online shopping and banking, and this bug can also “cause servers to leak other information stored on the server which wouldn’t normally be available at all.” The implications are quite serious.
How do I know if I’m affected?
Servers on the Internet are affected. Your smartphone, tablet, or PC is not. You need to check to see if the websites that you use (e.g., Dropbox) is affected. A website has been set up to determine if your server is using the openssl program: Heartbleed Test. If you are worried that yahoo.com might be affected, input “yahoo.com:443” into the Heartbleed Test site. The “:443” is necessary because 443 is the standard “port number” for secure communications. Note, however, that that port number is set by the server administrators and may differ from 443. (You ought to give a little something to that website owner to help him recoup his costs for setting up this very valuable site.)
What should I do?
The best thing to do is determine if any of the servers that you use (such as your cloud provider or email server) are affected. Even if the website gives you an “all clear,” you probably should avoid using encrypted communications for a few days to enable the IT guys to implement new cryptographic keys. Cnet has an article about what you can do about it: How to Protect Yourself from the Heartbleed Bug.
Where can I learn more?
For a quick review of this problem, you would do well to read this article from the Guardian: Hundreds of Thousands of Servers at Risk Due to Heartbleed Bug.