Heartbleed computer bug shouldn't be dismissed

You may need to change passwords.

The Heartbleed bug is being called one of the biggest security threats the Internet has ever seen. It could lead to private information, such as passwords, credit card numbers, e-mails, instant messages and more being exposed.

If your heart skipped a beat when you heard about the latest major online security threat, a bug called Heartbleed, calm down. It's not worth having a heart attack over.

But you can't dismiss Heartbleed, either. You likely will have to change some account passwords to protect yourself.

"It's safe to say this is the most serious security vulnerability that's ever been on the Internet," said Daniel Lopresti, professor and chairman of the computer science and engineering department at Lehigh University.

That said, there have been few confirmed breaches so far, as exposed websites have been patching the hole. But the true impact of Heartbleed likely won't be known for some time, which is why you need to stay aware.

If you're not into technology, you may have heard about Heartbleed but not know much about it. Here's the layman's version.

It is a flaw in OpenSSL, a widely used open-source encryption library that many websites and network devices rely on to secure connections. The flaw comes down to one missing safety check in OpenSSL's handling of the "heartbeat" feature, in code written about two years ago.

"It's like an enormous building fell over because there's one little screw broken," Lopresti said.

Someone can exploit the flaw by sending a malformed "heartbeat" message, the small keep-alive exchange that lets two computers confirm they are still connected, hence the name Heartbleed. The attacker's message claims to carry more data than it actually does, and a vulnerable server obligingly sends back that much, up to about 64 kilobytes at a time, copied straight from its own memory. Repeating the request pulls out whatever happens to be sitting there: passwords, session cookies, even the server's private keys.
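The exchange described above, as an added example that is not from the original column or from OpenSSL itself: a constructed model of the heartbeat handler with the server's memory simulated as one fixed array, so the over-read stays inside the demo's own buffer rather than the real address space. The `HB_*` constants, the `server_t` layout, the request builder and the `SECRET` string are all assumptions made for illustration; what the example reproduces is the real bug shape, a length field supplied by the peer being trusted for a copy, and the real fix shape, refusing any record whose claimed length does not fit in what was actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16    /* TLS heartbeat messages carry at least 16 bytes of padding */
#define MEM_SIZE     256   /* size of the constructed stand-in for process memory */

/* Constructed stand-in for a server process: the received heartbeat record sits
 * at the front of mem[], and unrelated data that happens to be adjacent on the
 * heap (here, a secret string) follows it. */
typedef struct {
    uint8_t mem[MEM_SIZE];
    size_t  record_len;   /* bytes the server actually received */
} server_t;

static const char SECRET[] = "db_password=hunter2";   /* constructed adjacent data */

static void server_init(server_t *s, const uint8_t *record, size_t record_len,
                        const char *adjacent_secret) {
    memset(s->mem, 0, sizeof s->mem);
    memcpy(s->mem, record, record_len);
    s->record_len = record_len;
    strcpy((char *)s->mem + record_len + 8, adjacent_secret);
}

/* Build a heartbeat request: type, 2-byte big-endian claimed payload length,
 * the payload actually sent, then padding. claimed_len is free to lie. */
static size_t build_request(uint8_t *out, size_t cap, uint16_t claimed_len,
                            const uint8_t *payload, size_t payload_len) {
    if (3 + payload_len + HB_PADDING > cap) return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Answer a heartbeat. bounds_check == 0 models OpenSSL 1.0.1 through 1.0.1f;
 * bounds_check == 1 models the check added in 1.0.1g. */
static int handle_heartbeat(const server_t *s, int bounds_check,
                            uint8_t *resp, size_t resp_cap, size_t *resp_len) {
    const uint8_t *p = s->mem;
    if (s->record_len < 3 || p[0] != HB_REQUEST) return -1;
    uint16_t claimed = (uint16_t)((p[1] << 8) | p[2]);
    /* The fix: silently drop the record if the claimed payload plus padding
     * cannot fit inside what was actually received. */
    if (bounds_check && 3 + (size_t)claimed + HB_PADDING > s->record_len) return -1;
    if (3 + (size_t)claimed > resp_cap) return -1;
    /* Demo-only guard so the over-read stays inside the simulated memory; a real
     * process would read whatever followed the record in its address space. */
    if (3 + (size_t)claimed > MEM_SIZE) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, claimed);   /* copies `claimed` bytes, not the bytes sent */
    *resp_len = 3 + claimed;
    return 0;
}

/* Plain substring search over binary data (memmem is not portable C). */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed scenario: a request that sends a 2-byte payload but claims claimed_len. */
static void setup(server_t *s, uint16_t claimed_len) {
    uint8_t req[64];
    size_t n = build_request(req, sizeof req, claimed_len, (const uint8_t *)"hi", 2);
    server_init(s, req, n, SECRET);
}

/* Returns 1 if the unpatched handler echoes the adjacent secret back to the peer. */
int vulnerable_handler_leaks(void) {
    uint8_t resp[512]; size_t resp_len = 0; server_t s;
    setup(&s, 200);
    if (handle_heartbeat(&s, 0, resp, sizeof resp, &resp_len) != 0) return 0;
    return resp_len == 203 && contains(resp, resp_len, SECRET);
}

/* Returns 1 if the patched handler discards the same lying request. */
int patched_handler_rejects(void) {
    uint8_t resp[512]; size_t resp_len = 0; server_t s;
    setup(&s, 200);
    return handle_heartbeat(&s, 1, resp, sizeof resp, &resp_len) == -1;
}

/* Returns 1 if the patched handler still answers an honest request correctly. */
int patched_handler_echoes_honest(void) {
    uint8_t resp[512]; size_t resp_len = 0; server_t s;
    setup(&s, 2);
    if (handle_heartbeat(&s, 1, resp, sizeof resp, &resp_len) != 0) return 0;
    return resp_len == 5 && resp[0] == HB_RESPONSE && memcmp(resp + 3, "hi", 2) == 0
           && !contains(resp, resp_len, SECRET);
}

int main(void) {
    printf("unpatched handler leaks adjacent secret: %s\n", vulnerable_handler_leaks() ? "yes" : "no");
    printf("patched handler drops lying request:     %s\n", patched_handler_rejects() ? "yes" : "no");
    printf("patched handler answers honest request:  %s\n", patched_handler_echoes_honest() ? "yes" : "no");
    return 0;
}
```

The lying request sends two bytes and claims 200; the unpatched handler copies 200 bytes starting at the payload and the constructed secret, sitting a few bytes past the end of the record, comes back in the response. In the real library the peer could claim up to 65535 bytes and repeat the request indefinitely, which is why the leak is described as panning through memory. The patched handler's single comparison is the whole fix: it rejects the request without sending anything, while an honest request with a matching length is answered as before.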

"It's kind of like panning for gold," Lopresti told me. "You pick up a lot of dirt, and every once in a while there's some gold in there."

What's scary, he said, is hackers don't have to be sophisticated to exploit the flaw, which can expose what are considered a website's crown jewels, the private encryption keys that protect online communication. Worse, a malicious heartbeat looks like ordinary traffic and leaves no trace in a typical server log, so a site generally cannot tell whether it was hit.

"In a compromised system, every single thing you wouldn't want exposed is potentially wide open," Lopresti said.

The problem was announced publicly last week and is tracked as CVE-2014-0160. If you're looking for a more technical explanation, go to http://heartbleed.com.

The first accounts of breaches attributed to Heartbleed came this week. The Canada Revenue Agency said the personal information of about 900 taxpayers was stolen. A British parenting magazine also has confirmed that its systems were compromised.

While it's important that you be aware of what is going on, you can only do so much about Heartbleed. We're at the mercy of the technology world to make sure websites are secure. All we can do is change our passwords, hope for the best, and monitor our accounts for trouble in case any of our information bled out.

The tricky part is determining whether the websites we use were vulnerable, and if they've been fixed. The same goes for home routers and other network devices, many of which also run OpenSSL and need a firmware update from their maker.

Computer experts say that once you know an affected website has been fixed, and has replaced its security certificate, you should change your password. If you don't, hackers who may have stolen your password while the hole was open still could access your account. Changing it before the site is fixed doesn't help, because the new password can be stolen the same way.

You're probably most concerned about your online banking and other financial transactions. So is the Federal Deposit Insurance Corp., which last week issued an alert saying it "expects financial institutions to upgrade vulnerable systems as soon as possible."

But the American Bankers Association told me that banks shouldn't be vulnerable.

Doug Johnson, vice president of risk management policy, said even if banks were using the flawed version of the technology, they have other protections in place that go beyond what other websites such as retailers typically use.

I checked with a few banks such as Wells Fargo, Bank of America and Santander. They told me their systems were not exposed and customers were not affected.
