Bleeding Out with Heartbleed

What is it?

It’s been dominating the media almost non-stop. Everywhere you look you see that same graphic – the bleeding heart.

Heartbleed – two weeks ago none of us had heard of it. Now it’s threatening our very identity in the world wide web and beyond.

Heartbleed

At its core, the Heartbleed bug lets attackers steal personal information: credit card numbers, passwords, and in one case over 900 Social Insurance Numbers snatched right out of the Canada Revenue Agency. Some of the sites that have been affected by this bug are:

  • Facebook
  • Instagram
  • Pinterest
  • Tumblr
  • Google
  • Gmail
  • Netflix

The full list can be found here.

The Police have made an arrest in the case of the missing SIN cards. Stephen Arthuro Solis-Reyes, 19, of London, Ont has been charged. You can read that full story HERE.

Despite this, the damage has already been done.

Heartbleed has the potential to be one of the biggest, most widespread vulnerabilities in the history of the modern web.


How does it work?

Why are we vulnerable?

The heart of Heartbleed revolves around encryption. On the internet, information sent from one computer to another (or to a web server) is encrypted to make sure it stays protected and secure in transit.

Think of it like a secret language.

If someone tries to steal or ‘listen in’ on this information, all they will get is gibberish. The only people who can understand the information are the person (computer) sending it and the person (computer) receiving it.

Both of these computers sending and receiving have the ‘translation guides’ for these languages. These guides are locked up in a set of protocols called SSL.

OpenSSL

The Heartbleed bug affects this secret language. Attackers can get hold of those translation guides, allowing them to read the data without website owners or users knowing that any information theft has occurred.

This data leaks out of the server’s memory 64 Kilobytes at a time, and the request can be repeated an indefinite number of times.

Think of it like heartbeats of data – personal information bleeding out one 64 Kilobyte beat at a time. Hence the name – Heartbleed.
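The ‘heartbeat’ in the name is a real message type in TLS (RFC 6520): a short request whose first bytes declare how long its payload is, which the other side simply echoes back. The defect was that the responder trusted that declared length instead of comparing it to the bytes it had actually received. The following Python is an added illustration, not code from this post or from OpenSSL: a simplified parser for a single heartbeat record that applies the length check the bug lacked, together with a constructed well-formed message and a constructed malformed one so you can see what gets accepted and what gets rejected. The helper names and the 16-byte minimum padding are taken from the RFC; the message builder and the batch-check function are assumptions made for the demonstration.

```python
"""
Added example: layout of a TLS heartbeat message (RFC 6520) and the bounds
check a receiver must apply before echoing the payload.

    type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)

A responder that copies `payload_length` bytes without confirming that many
bytes were actually received reads past the end of the message into whatever
else sits in memory and sends that back. The sample records below are
constructed for this demonstration only.
"""
import struct
from typing import List, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding follow the payload


def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload of a well-formed heartbeat request.

    Raises ValueError when the declared payload length is not covered by the
    bytes actually present. This comparison of the declared length against the
    real record size is the check whose absence produced the over-read.
    """
    if len(record) < 3:
        raise ValueError("heartbeat header truncated")
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError(f"unexpected heartbeat type {hb_type}")
    # Header (1 + 2) + declared payload + minimum padding must fit in the record.
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload {payload_len} bytes exceeds record size {len(record)}"
        )
    return record[3:3 + payload_len]


def build_response(record: bytes) -> bytes:
    """Echo the payload the way a correctly bounded responder should:
    only the bytes that were validated by parse_heartbeat are copied."""
    payload = parse_heartbeat(record)
    return (
        struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
        + payload
        + b"\x00" * MIN_PADDING
    )


def make_request(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Constructed sample (assumed helper): build a heartbeat request.
    `declared_len` lets a test write a length field that disagrees with the
    real payload, which is exactly the shape of message a receiver must reject."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def check_records(records: List[bytes]) -> List[str]:
    """Classify a batch of records as accepted or rejected, the way a
    monitoring check or log summary would report them."""
    results = []
    for rec in records:
        try:
            parse_heartbeat(rec)
            results.append("ok")
        except ValueError as exc:
            results.append(f"rejected: {exc}")
    return results


if __name__ == "__main__":
    good = make_request(b"hello")                      # length field matches payload
    bad = make_request(b"hello", declared_len=65535)   # length field far larger than payload
    for line in check_records([good, bad]):
        print(line)
```

Run as a script, the well-formed record is reported as `ok` and the mismatched one is rejected with the declared and actual sizes in the message; the point to take away is that the single comparison in `parse_heartbeat` is what separates a harmless echo from a 64 Kilobyte read of someone else’s memory.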


Comic made by xkcd.com

How did this happen?

It is difficult not to place the blame on the OpenSSL Software Foundation and the developers who maintain this code. There are only four staffers to maintain these digital libraries, and of those four only one is full-time.

The man who made the coding mistake that let Heartbleed work is Robin Seggelmann. He said the bug was missed by him and by a single quality-control reviewer when it was introduced into OpenSSL two years ago. Dr. Seggelmann says the error was quite trivial, but the impact was severe.

What was taken?

OpenSSL runs 66% of the internet. Even if you don’t use it directly, the odds are that you interact with it several times a day. Heartbleed exploits OpenSSL at its core: if a server uses a vulnerable version of OpenSSL, it’s vulnerable.

Although Heartbleed has been patched now and the leak plugged, it has been around since December 2011. Lots of companies started using this vulnerable code in May of 2012. This leak has been around for two years – there is no telling what information has been stolen in that time.

What we do know is that approximately 900 Canadians had their social insurance numbers (SINs) “removed” from the Canada Revenue Agency’s (CRA) website in just a 6 hour time frame. It was bad enough that the CRA extended the deadline for filing taxes until May 5.

Why are SINs so bad to take?

Of all the ways to experience identity theft, the loss of a SIN is among the more serious.

According to Canada’s privacy commissioner, someone may be able to use your SIN to apply for a credit card or open a bank account, rent vehicles, equipment, or accommodation in your name – leaving YOU responsible for the bills, charges, bad cheques and taxes.

Here are some safety tips for keeping your identity safe:

  • Don’t ever give out your SIN to anyone but the government or a bank. The government has a complete list of all government departments authorized to collect social insurance numbers. It can be found here.
  • Change passwords, often.
  • Monitor your credit activity.

The Canada Revenue Agency is contacting all 900 people whose social insurance numbers were lifted from their site. These messages are coming through registered mail and they contain instructions on what to do next.

The CRA also reminds people that the tax department never contacts them via email or phone. Any attempt to do so should be ignored and is likely a scam.

Continued Fallout?

Is everything that has happened so far just the beginning? Alberta computer security expert John Zabiuk thinks so, and suspects there is a wave of problems coming.

Although a patch is now out, the problem is applying the patch to all of the hundreds or thousands of servers that may have been affected. That is going to take time.
