Vancouver: News broke this past week of a wide-reaching security vulnerability known as the Heartbleed bug. But what is it? A virus that will affect your computer system, or a computer bug that will affect the ability of the majority of the web to securely send data? The good news is that it is not a virus. The bad news is that it could be worse than that.
Heartbleed affects OpenSSL, which is a computer program used by a majority of the Web to encrypt communication so that they can trust each other and securely send data. It is not a virus that will sit on your computer and infect your machine – so don’t fall victim to folks (bad guys) trying to sell you protection products for your computer. You would be better off taking a drink of water and staying calm.
Heartbleed is not new. In fact it happened a couple of years ago when a version of OpenSSL containing a small error (a bug) was released to the world. The bug created a secret back door to supposedly secure Websites that became a key for hackers to exploit. Security experts are saying that Heartbleed is worse than any other virus, glitch, or bug of the Internet age. The Canadian Revenue Agency shut down its site when the news of Heartbleed first broke so that they could assess the vulnerability of their sites. They reported last Saturday that all federal departments affected by the shutdown will resume e-services over the weekend. In a related news release from CRA, “The Minister of National Revenue has confirmed that interest and penalties will not be applied to individual tax payers filing their 2013 tax returns after April 30th, 2014 for a period of time equal to the length of this service interruption”. Hey – thanks, good news, eh? Maybe. Now that we know that Canadian taxpayer data has been compromised, the fallout from the Heartbleed bug is not going away anytime soon.
Anyone who does anything on the Internet has likely been affected. According to a report from Symantec “losses due to cyber-crime have been on the rise for years in Canada, topping $3-billion in 2013, up from $1.4-billion the previous year”. The Heartbleed bug compromises the secret keys used by Websites to identify and trust each other, allowing hackers access to the names and passwords of users that will allow them to steal data directly from those users and to impersonate services and users. Security researchers are saying that it is more than likely there will be a significant increase in phishing and scam attacks.
Should we be concerned? – Yes! The Heartbleed bug has reportedly put millions of passwords, credit card numbers, some SIN numbers and other private online data at risk.
Can we do anything to protect ourselves? – Yes! Here are six simple things you can do:
Change and strengthen your passwords on all the sites you regularly visit, including social media sites, email, banking, etc.
As always be sure that you know where you are when surfing the web.
Never download software you don’t want. The bad guys make this easy, so watch out.
Be wary of any unsolicited email regarding personal information, or unfamiliar logon invitations to sites, however official they may appear.
Safely ignore the folks (bad guys) trying to sell you Heartbleed protection services or applications for your computer.
Review your financial information regularly and report any suspicious activity to your financial institution. Remember that a bank will NEVER solicit you to log on and do something (check balances, update account information, etc.).
The Heartbleed bug affects any device using OpenSSL and the only way to fix the problem is to upgrade the device to the corrected version of the program. This is easier said than done – the number of devices that are potentially affected is huge and it is going to take time to get this done. For this reason you can easily verify the status of any site you visit with this tool: http://filippo.io/Heartbleed. Once on the Website, enter the domain name you want to check and it will tell you whether the site is bug-free or not. What it can’t tell you is whether the site has ever had the bug.
Bob Milliken is the President of Cascadia Systems Group.