Recently, the security vulnerability CVE-2014-0160 was discovered, nicknamed Heartbleed. Because of several inquiries we decided to answer some Frequently Asked Questions:
What is Heartbleed?
Heartbleed, or CVE-2014-0160, is a security vulnerability which allows an attacker access to private data stored on servers which run certain versions of OpenSSL. This means that your sensitive data – usernames, passwords, and even credit card information – could be at risk. The bug can allow a hacker to pull data directly from the server’s working memory. Although the attacker has no way of knowing if any of the data they grab is useable, since they can exploit Heartbleed over and over there is a high chance that they will eventually get the sensitive data they are looking for.
What is OpenSSL?
OpenSSL is an open-source encryption technology which is very widely used across the World Wide Web. Encryption is a process of encoding information in such a way that only the authorized parties can read it.
How long has Heartbleed been around?
This security vulnerability was first introduced into the OpenSSL software in March 2012, but was only recently discovered by security companies. It is unknown whether or not hackers had exploited CVE-2014-0160 before it was made public.
What can I do to protect myself? Can SUPERAntiSpyware protect me?
Your first instinct may be to change all your passwords. This is definitely a good idea, but first you should contact the Web site operator to ensure that the Heartbleed bug has been patched. If the site has not yet fixed the bug, changing your password would be futile since an attacker could just exploit the breach again and steal your new password.
If you are unable to contact the Web site operator, there are ways to tell if a particular site is vulnerable. LastPass and Qualys have created tools which will give you information about whether or not a site has been affected by Heartbleed. Also, CNET has compiled a list of the top 100 Web sites and whether or not the Heartbleed bug has been patched.
Because Heartbleed is a security flaw and not any type of malware (virus, worm, Trojan horse, etc…), anti-malware programs such as SUPERAntiSpyware cannot protect your information. That ability lies solely with the operator of the Web site.
How do I know if my information has been stolen?
Unfortunately, exploiting this vulnerability does not leave traces of any abnormal activities, and therefore there is no way to know if your information has been stolen.
I use online banking – is my bank account at risk?
Most major banks do not use OpenSSL and use their own proprietary encryption software. That being said, if you do any of your banking online it would be a good idea to change your password and contact the bank directly to confirm that their site is secure. It would also be prudent to keep an eye out for anomalous charges on your financial statements. Until you are completely sure that your banking Web site is secure, it would be advisable to avoid doing any online banking.
I did my taxes online – is my tax information safe?
A recent post by the IRS stated that their systems are not affected by the Heartbleed bug and they will continue to accept tax returns as normal.
If you have any questions related to Heartbleed, feel free to share them with us on our Facebook® Page or simply leave a comment below.