'Heartbleed bug' sends shockwaves through the Internet

KINGMAN - A major bug in a popular Internet security protocol was disclosed publicly last Monday, revealing that nearly 66 percent of the Web is at risk and could have been leaking sensitive data over the past few years.

The software vulnerability, now commonly referred to as "The Heartbleed Bug," originated from a cryptographic software library known as OpenSSL. OpenSSL is an open-source project designed to encrypt user information between users and websites such as passwords and credit card information.

OpenSSL is utilized in some fashion by up to two-thirds of the web, including companies such as Google and Yahoo.

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of OpenSSL software," state an information website created by Codenomicon. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.

"This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

Heartbleed originated from a broken piece of code in OpenSSL that was written in 2011 and widely distributed in 2012.

At this time, it is not known how long ago the bug was discovered or how much information has been exploited using this bug. A team at Codenomicon and Neel Mehta of Google Security both discovered the bug independently and reported the bug to the OpenSSL team in late March.

OpenSSL issued a patch before the announcement on April 7 and companies have been implementing the patch since then.

Because of how widely OpenSSL is used, it could take weeks or months to patch Heartbleed. Not all websites may be patched either, as any website using OpenSSL after 2011 could be vulnerable.

Heartbleed is not limited to websites. Google's Android OS 4.1.1 JellyBean also utilizes the vulnerable OpenSSL.

According to Google, less than 10 percent of the 1.1 billion devices running Android use the vulnerable system. Any information on those vulnerable phones is compromised.

• Who is directly affected?

Facebook, Google, Yahoo, Dropbox and Netflix are among the bigger sites affected. Sites affiliated with them, such as Flickr (Yahoo) and YouTube (Google) were also affected. Many of these sites have come forward and notified users that their sites have been compromised and have prompted users on what to do next.

• Who is not directly affected?

Most shopping sites like Amazon, Paypal, eBay and Target have not been affected. Many shopping sites do not utilize OpenSSL. Most government websites, including HealthCare.gov and the IRS, were not affected.

Nearly every banking website utilizes its own form of encryption and therefore are not directly vulnerable to the Heartbleed bug.

• What is compromised?

Passwords in particular are compromised, although anything transmitted securely using OpenSSL could be leaked. This includes credit card numbers, contact information, Social Security Numbers, and messages or communications.

This information can be stolen and used to exploit sites unaffected by Heartbleed, such as banking websites.

• What can you do to protect yourself?

Take into account all your web activity and check with the websites or services to see if your information was vulnerable.

Changing your passwords across all your accounts is recommended, although you should wait until patches are in place. Any password changes made before websites are patched will still be vulnerable. Check with the websites and wait for them to confirm that it is safe to change your password.

Remember that a good password includes a combination of a capital letter, a number and a symbol.

Also ensure that you have a variation of passwords across your accounts. Using the same password everywhere makes your information much more susceptible to theft.

Look into using two-step verification when available.

Do not respond to emails or phone numbers that you do not recognize. This could be a phishing attempt to acquire personal information needed to access your accounts.

Finally, watch your sensitive data, such as bank accounts, carefully.

Catching suspicious activity early and reporting it will greatly increase the chances of recovery.