What the “Heartbleed” Security Bug Means

It’s a very painful occasion when our heart bleeds. Does it occurs only to Humans. Millions of websites are already facing the prospect of data leak because of Heartbleed, if they haven’t leaked out information already. It is assumed that it  have been in existence for two years, but found out only recently.

What is the Heartbleed bug?

Heartbleed is a major security flaw that if exploited, will cause a web server to reveal user content. It’s a bug that affected hundreds of millions of websites, exposing usernames, passwords, encryption keys, and other sensitive data. The main reason why this security flaw gained so much attention is because it’s a vulnerability that occurred in OpenSSL, an open source software, used across the globe to encrypt communications happening over the Internet. It was an abrupt but necessary reminder that when it comes to the Internet, nothing is safe.  Sites like Mashable, have compiled a list of popular sites that could have been compromised by this vulnerability.

“In the wake of the HeartBleed vulnerability, many organizations and hosting providers have lulled themselves into a false sense of security by relying on Intrusion Detection Systems (IDS) to automatically deal with HeartBleed attacks,” Halon Security CEO Jonas Falck said recently. “IDS systems were designed to sniff out vulnerabilities, but closed source development teams take too long to respond and patch issues like HeartBleed.”

He continued, “The Open Source community has received a bad rap for the OpenSSL exposure, but the community has rallied together to patch the issue quickly. If anything, the HeartBleed issue has shown how reliant the Internet as a whole is on Open Source, so if corporations can give back to the Open Source community after taking advantage of OpenSSL or so long, there will be more eye balls spotting vulnerabilities earlier in the future.”

According to Falck, “the Internet will never be 100% safe” from hackers and vulnerabilities like Heartbleed. With the right strategies, however, security companies can take steps to protect businesses and consumers more thoroughly.

Many prominent websites have already released fixes for the exposure and several more are in the process of fixing it. But the actual problem lies in the fact that it’s not enough for these sites to simply fix their servers.

How to protect yourself/your servers from Heartbleed ?

If you’re a server admin: The Heartbleed bug has been patched in version 1.0.1g of OpenSSL. If the updated package isn’t available for your distro yet, the compile-time option of -DOPENSSL_NO_HEARTBEATS will also mitigate against the bug.

If you’re a web surfer: The users should update their passwords and login information immediately for the handful of sites that really matter to you or risk cyber criminals still accessing their data, as these hackers now know the digital keys used by the server to authenticate user requests.

• Avoid using the same password at two sites that matter to you. This lowers the security level of any site with that password to the level of the sleaziest and least-secure site where you’ve ever used it.
• Try using a password manager, which will generate an unlimited set of unique, “difficult” passwords and remember them for you.
• Use the two-step sign-in processes for every system that allows them, for eg. Gmail.

Do you own a website ? Do you want to know if your site is susceptible to Heartbleed vulnerability. Use this tool : https://filippo.io/Heartbleed/  Usually our engineers use this tool to cross check the sites that  we’re working on.

The Heartbleed bug will cause ripples for years to come — and in the short term, possibly a tsunami of high-profile hacks as well, unless big websites move very quickly indeed.  Heartbleed has created a massive uproar in the cyber world for legitimate reasons.  Please make sure to follow always the latest security guidelines in your applications and try to ensure protection from all such vulnerabilities.