I suspect you have heard of the Heartbleed (or “Heart Bleed”) bug on “the entire Internet” along with predictions of doom for all of us who use the Internet. Heartbleed is an indication that each new crop of programmers apparently has to make the same set of mistakes instead of learning from the past 60 years of the programming art, and an indication that many companies, especially the new social media companies, are fixated on rushing into new projects and really do not care about the security of their customers’ data.
Heartbleed is a bug, not an engineered virus or some other form of malware. It is a good example of very bad programming. This was not caused by malevolent people or governments, but by incompetence. The malevolent people, however, were eager to take advantage of it.
Decades ago I went to UC Berkeley to work on a Ph.D. in Computer Science. Most students in the program had gone right from high school to Berkeley and worked straight through their BS, MS and were now working on their doctorate. I was the exception: I had spent the prior half dozen years actually working in the real world. One young man in particular was absolutely brilliant – straight 4.0 average from his freshman year, and excellent at translating a real problem into a software solution. He came to me one day with his latest triumph: the user interface module to a new operating system. He asked me to type in “TI”. I typed in “3#”. The whole OS crashed. He got a long hang-dog face and asked, “Why did you do that?” My answer was that I was a dumb user and could not be trusted.
The Heartbleed bug is exactly that. The program fails to check the data received, and will willingly send thousands of characters or more of whatever is currently in the computer’s memory. The particular transaction is called a “heartbeat” – a simple way for one computer to determine if another is still alive and connected. This transaction is usually associated with servers, computers that deal with lots of transactions from many different users, including sign-ons. Thus the information that the bug sends can contain user names and passwords, bank account numbers, or anything.
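To make “fails to check the data received” concrete, here is a small added example (my own illustration, not code from OpenSSL or from this post) of a heartbeat responder that does the check the buggy code skipped. A heartbeat record carries a one-byte type, a two-byte claimed payload length, the payload, and at least 16 bytes of padding; the responder must refuse to trust the claimed length until it has confirmed the whole claimed payload actually fits inside the record that arrived. The message layout follows RFC 6520; the builder function, the padding byte value, and the helper names are constructed for this demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload_length,
 * payload bytes, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_REC   (1 + 2 + 65535 + HB_PADDING)

/* Constructed test helper: build a heartbeat request whose *claimed* payload
 * length may differ from the number of payload bytes actually placed in the
 * record. Returns the number of bytes written, or 0 if it does not fit. */
size_t hb_build_request(uint8_t *buf, size_t cap, const char *payload,
                        uint16_t claimed_len)
{
    size_t actual = strlen(payload);
    size_t total = 1 + 2 + actual + HB_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0xAA, HB_PADDING);   /* constructed padding bytes */
    return total;
}

/* Answer a heartbeat request, validating it first. Returns the response
 * length, or 0 when the request is silently discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;   /* too short to hold a header */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check the vulnerable code lacked: the claimed payload, plus
     * header and padding, must fit inside the record that actually arrived.
     * Without this, the copy below would read past the request into whatever
     * else sits in memory. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);        /* echo only bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real code uses random padding */
    return resp_len;
}

/* Build a request with the given payload and claimed length, run it through
 * hb_respond, and return the response length (0 = discarded). */
size_t hb_try(const char *payload, uint16_t claimed_len)
{
    uint8_t req[HB_MAX_REC], resp[HB_MAX_REC];
    size_t n = hb_build_request(req, sizeof req, payload, claimed_len);
    if (n == 0) return 0;
    return hb_respond(req, n, resp, sizeof resp);
}

/* Returns 1 if the response to an honest request echoes the payload exactly. */
int hb_echo_ok(const char *payload)
{
    uint8_t req[HB_MAX_REC], resp[HB_MAX_REC];
    size_t n = hb_build_request(req, sizeof req, payload, (uint16_t)strlen(payload));
    if (n == 0) return 0;
    size_t m = hb_respond(req, n, resp, sizeof resp);
    return m == n && resp[0] == HB_RESPONSE &&
           memcmp(resp + 3, payload, strlen(payload)) == 0;
}

int main(void)
{
    printf("honest 'bird' (claims 4): %zu response bytes\n", hb_try("bird", 4));
    printf("'bird' claiming 65535:    %zu response bytes (discarded)\n",
           hb_try("bird", 65535));
    return 0;
}
```

The honest request gets a 23-byte echo; the request that claims 65535 bytes while sending four is dropped before any copy happens. That single comparison is the whole difference between a correct heartbeat and Heartbleed, and it is exactly the kind of omission a code review is meant to catch.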
In good practice, this kind of bug gets caught in design reviews or code reviews. A bunch of programmers get together and inspect what someone is planning on doing or the code they have written. The guilty programmer gets embarrassed, learns a lesson, and fixes the problem. No harm done. Obviously, those reviews never happened.
Instead, the faulty code was released as a beta version of OpenSSL. SSL is the security code used to establish secure connections between your computer and some other computer on the Internet. You know you are secure if you see https:// in front of the URL or you see the little padlock in front of the URL. SSL has been around since 1996 and is the backbone for secure Internet connections. OpenSSL is an open source implementation, meaning that companies can use the product without paying a license fee. A beta release usually means that the software is feature complete, but may not be bug free. The basic rule of a beta release is: do not put it into production. It may have bugs, it may be unstable, or it may not work under some conditions.
In this case, many companies took that beta release of OpenSSL and put it into production, thus exposing their customers to a huge security problem. In my view, any company that put this beta release of OpenSSL into production was grossly negligent and should be responsible for the financial results of such an irresponsible action.
If a company did not install the buggy beta, then their customers were not exposed. If a company installed the buggy beta, and then later fixed the problem, they are now secure. But if you connected to their server while the buggy beta was installed, your data was in danger. Unlike many malware attacks, it is virtually impossible to determine what data was sent out and therefore which customers were potentially compromised. If you connected to a server running this beta version of OpenSSL you should assume you were compromised.
There are several lists of which companies potentially compromised your data. Some popular companies that installed the buggy beta and might therefore have exposed your information:
- Amazon Web Services
- Google (Gmail, YouTube, Wallet, Play, and potentially Google Plus, Google Docs and Google-hosted web sites were all at risk for some period of time)
- Healthcare.gov (surprise!)
- WordPress (as a blogger, not a reader)
- Yahoo & Yahoo email
A few of the many companies who did not install the buggy beta, and therefore did not expose you to this danger:
- Amazon.com (the “buy something” site)
- AOL email
- Intuit (including TurboTax)
- IRS (and as far as I can tell all other US government sites, except Healthcare.gov)
- Almost all financial companies (American Express, Bank of America, Chase, E*Trade, Fidelity, and many more)
If you really want to understand how the Heartbleed bug works, check out this YouTube video.
The last word:
What should you do?
- Check the companies you sign in to. If they say they “fixed the problem” they should go on your danger list. Only if they never installed the buggy beta are you safe with them.
- If you have sign-ins to any of the companies that might have compromised your data, change your password immediately.
- If you use the same password at other sites, change it there also. Once a cyber-criminal gets one of your passwords, he is likely to try that password at other sites.
- Continue to monitor your financial status.
Check out your own company: did you expose any of your customers’ data to this bug? Ask your IT director or CIO if the buggy beta was ever placed in production. If so, I would suggest firing the responsible manager and making sure your IT group does not ever put beta versions of anything into production. Also check out any partners, including your Cloud Service Provider, to make sure that they did not expose your customers to harm.
Then proactively apologize to your customers, indicating the date range when your company exposed them and strongly recommend they immediately change their passwords to your site. Taking the initiative here will, at least, earn good will.
Keep your sense of humor.