Heartbleed vulnerability threatens OpenSSL Library

The Heartbleed bug has Internet security experts scrambling to protect their users' personal information. Its discovery is credited to Neel Mehta of the Google Security team and to Codenomicon, a Finnish cyber security company. Heartbleed is considered one of the most serious security flaws in recent years. Matthew Glavor, an IT consultant for Nettouch Consulting, said that the name Heartbleed comes from a piece of client/server communication known as the heartbeat. 

“The term ‘Heartbeat’ is used for when a user’s computer is asking the server if there is still a connection. Heartbleed is dangerous because they are accessing not only client/server communication, but server/client as well. The exploiters use this communication to access stored information that you usually want to keep secure, such as passwords or credit card information,” said Glavor. 

Normally a computer virus is a program that causes unintended actions on a user's computer, usually with malicious intent. Viruses and other malware are generally distributed through email attachments, unpatched security flaws or downloads. Once malware makes its way onto a computer, it begins to access personal information that a user would normally keep confidential. 

The media has coined Heartbleed a "virus," but in actuality Heartbleed is a "vulnerability." A vulnerability is a flaw in software, such as a web browser or a PDF reader, that an attacker can exploit; no program has to be installed on the victim's machine. The Heartbleed vulnerability (CVE-2014-0160) is a flaw in the OpenSSL library. A library is a body of reusable code that many different programs link to rather than writing the same functionality themselves, which is why a single bug in a library can affect so much software at once. 

OpenSSL is an open-source software library that implements the SSL/TLS protocols used to secure communication between a user's computer and a server. The vulnerability in OpenSSL is threatening because of the library's widespread use. Andru Luvisi, an information security officer at Sonoma State University, said that Heartbleed is so damaging because of the large number of programs that rely on the OpenSSL library. 

“Heartbleed is a high impact vulnerability because OpenSSL is used in a lot of software pieces. Some of these pieces are used in very popular web servers such as NGINX and Apache. [Heartbleed is] easy to exploit, requires little skill, leaves no evidence and is generally used on important traffic containing data that needs protecting,” said Luvisi.

While Heartbleed could have been avoided, the mistake itself is tiny: of the more than 400,000 lines of code that make up OpenSSL, only about 30, in the code that handles the TLS heartbeat extension, were written incorrectly. A heartbeat request carries a small payload and a field stating how long that payload is, and the server is supposed to echo the payload back. The flawed code trusted the stated length instead of checking it against the amount of data actually received, so a client could claim a length of up to 64 kilobytes and get back whatever happened to sit next to the request in the server's memory, which can include session cookies, passwords and even the server's private key. 

“The mistake is such a small part of OpenSSL, it’s like finding a single grammatical error in a 100-page essay,” said Luvisi. 
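The missing check described above, as an added example that is neither OpenSSL's code nor part of the original article: a small C model of a heartbeat handler, once as written before the fix and once with the length check added. The "server memory" arena, the secret string planted after the request, and the function names are all constructed for this demo; only the record layout (type, two-byte length, payload, at least 16 bytes of padding) follows the real protocol.

```c
/* Added example (not OpenSSL's code): a simplified model of the TLS heartbeat
 * handler with and without the missing length check. The record layout follows
 * RFC 6520: type (1 byte) | payload_length (2 bytes) | payload | padding (>=16).
 * The "server memory" arena and the secret stored in it are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 128
#define HB_REQUEST 1      /* heartbeat_request message type */
#define HB_PADDING 16     /* minimum padding that must follow the payload */

/* Fake server memory: the received record is at offset 0, and a secret the
 * server never meant to send happens to sit right after it (constructed). */
static unsigned char arena[ARENA_SIZE];
static const char *secret = "SESSION=abc123; password=hunter2";

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

/* Lay out a heartbeat request carrying `payload`, but with whatever
 * payload_length the client claims. Returns the real record length. */
static size_t build_arena(const char *payload, uint16_t claimed_len) {
    size_t plen = strlen(payload);
    size_t rec_len = 1 + 2 + plen + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + rec_len, secret, strlen(secret));  /* adjacent heap data */
    return rec_len;
}

/* Vulnerable handler: echoes payload_length bytes without ever comparing that
 * field with rec_len, the amount of data actually received. Returns bytes copied. */
static int hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return -1;      /* only keeps this demo inside the arena */
    memcpy(out, rec + 3, payload_len);         /* BUG: reads past the end of the record */
    return payload_len;
}

/* Fixed handler: the bounds check from the OpenSSL 1.0.1g fix, modelled here.
 * A request whose claimed length does not fit in the record is silently discarded. */
static int hb_process_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Byte-string search used to see whether the reply carried the secret. */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Send a 2-byte payload with the given claimed length through a handler.
 * Returns 1 if the reply contains the secret, 0 if not, -1 if the request was rejected. */
static int leaks_secret(hb_handler handler, uint16_t claimed_len) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_arena("hi", claimed_len);
    int n = handler(arena, rec_len, out, ARENA_SIZE - 3);
    if (n < 0) return -1;
    return contains(out, (size_t)n, "hunter2");
}

int main(void) {
    printf("vulnerable, honest length 2  : %d\n", leaks_secret(hb_process_vulnerable, 2));
    printf("vulnerable, claimed length 64: %d\n", leaks_secret(hb_process_vulnerable, 64));
    printf("fixed, claimed length 64     : %d\n", leaks_secret(hb_process_fixed, 64));
    return 0;
}
```

With an honest length the vulnerable handler behaves correctly, which is why the bug sat unnoticed; only a client that lies about the length gets the secret back. The fixed handler does the one comparison the original code skipped and drops the request rather than answering it, so nothing beyond the record is ever read.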

Site operators are deploying the fixed OpenSSL release to stop further information from leaking. Patching alone is not enough, however: because a server's private key could have been read from its memory, affected sites also need to generate new keys, obtain new certificates and revoke the old ones. Users, for their part, should change a password only after the site in question has been patched, since a new password sent to a still-vulnerable server can leak just as the old one did. 

Some of the major sites affected include Facebook, Instagram, Amazon, Reddit, Tumblr, Gmail, Yahoo, Netflix and Mojang AB, the creators of Minecraft. Melissa Morel, the treasurer of the Women in Computer Science Club, said that being proactive is a good way to protect your information.

“In my opinion, to protect your information: Remember that no matter what, nothing is ever 100 percent secure. As we saw with the Heartbleed vulnerability, you need to protect yourself by changing your passwords regularly and being conscious of where you are connecting to the Internet,” said Morel.  “Also, make sure the passwords you are using are strong by avoiding dictionary words and numbers that may be related to you, such as a birth/graduation year or address. Conveniently, the more difficult it is for you to remember, the more secure it is.”

To keep track of which sites are still exposed to the Heartbleed vulnerability, install a browser extension such as Foxbleed for Firefox or Chromebleed for Google Chrome. A browser extension is an add-on to a browser that increases its functionality. These extensions do not stop data from leaking; they warn you when a site you visit is still running a vulnerable version of OpenSSL, so you know not to log in there until it has been patched. 

For more information, ask the experts at the Sonoma State IT help desk, located in Schultz 1000, or visit their website at www.sonoma.edu/it/helpdesk.