The Heartbleed bug
This is an overview to help you understand the implications and impact of the discovery of the Heartbleed bug (April 2014), which was found in a widely used piece of security software. Here we summarise the known facts and offer some advice on the action you may want to take to reduce any negative impact.
What is it and what does it do?
It's a bug (fault) in a widely used piece of encryption software called OpenSSL. OpenSSL is commonly used to provide secure connections between individuals and the websites they use, particularly where sensitive information is likely to be shared, such as online shops, banks and email providers, so that the information transmitted can be read and understood only by those two parties. The secure padlock in the top left-hand corner indicates that the site you are on is using OpenSSL or a similar product.
The bug potentially allows hackers, cybercriminals or online snoopers to eavesdrop on your sensitive communications. This means that passwords and other secure information may have been visible to these people and could have been intercepted and stolen. The nature of the bug makes it difficult to tell whether a system has been compromised, so the default position is to assume that it has.
It has been around since 2012 but was only identified and widely publicised this week. It is believed to affect around 500,000 websites around the world.
Who has been affected?
Considering the number of websites affected, the implication is that every one of us will have been touched by this. The suggestion is that at least one website used by each person was vulnerable. Notable 'victims' include Google, Facebook and Yahoo. Durham, along with some other universities, has been affected.
Since the discovery of the bug, many websites have checked for the fault and, where it was identified, applied the fix. In addition they have replaced the security certificate that verifies their site is secure. New reports indicate that most of the large sites have completed this, and we have done this too. Other sites, particularly smaller ones, should be working on it but may be a little slower to address the issue than the large corporations.
What do I need to do?
Try to avoid using websites where you will be transmitting information (passwords, email addresses, bank and contact details) unless you can confirm they have taken the action described above. Most reputable sites have done this; some are still catching up.
Change your passwords, but bear in mind that the timing of this is important. If you do it before the site has fixed the issue and re-issued its security certificate you are likely to be more vulnerable, as the information is still accessible and, now that the issue has been widely publicised, more people may be trying to 'benefit' from it.
Don't use the same password for multiple sites. You must have unique passwords for any banking or retail sites, as well as for at least one secure email address. Reusing a password increases the damage that can be done if that password is stolen. Make sure that you don't use your University password for any other sites.
Be vigilant for phishing emails. Due to the publicity there is an increased risk that criminals will use this as a pretext to send phishing emails that try to obtain your sensitive data (e.g. passwords, log-in credentials) by requesting that you change your password via a bogus link. They are likely to claim to be from a reputable company (e.g. PayPal, Facebook). Only visit reputable sites, and reach them by typing the address in yourself rather than following a link in an email.
Useful sources of information
Please be aware that these are external sites over which the University has no control.
http://www.bbc.co.uk/news/technology-26969629 (BBC news article)
https://www.getsafeonline.org/news/web-users-alerted-to-potential-mass-privacy-problem/ (Get Safe Online - government website)
http://heartbleed.com/ (technical overview)
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-Tw-main-link (progress of large organisations who have fixed the Heartbleed bug)