A bug in OpenSSL called Heartbleed took the internet world by surprise last week! The reason: it called into question the so-called tight security that service providers offer online for financial and other confidential transactions. OpenSSL is an open-source implementation of the SSL and TLS protocols. Secure Sockets Layer (SSL) is an industry standard for making an encrypted link between two points, a web server and a browser.
An intruder can exploit this flaw to steal chunks of data from servers that were previously considered secured with SSL/TLS encryption. The stolen data can be anything important, such as bank passwords, credit card information, tax details, etc. But it is still unclear whether the bug has already been exploited by some person, group or government agency, as it has existed for the last two years. The threat scenario is all the more dangerous considering that two-thirds of web servers could have been infiltrated during this period!
The bug was identified independently by Google’s Neel Mehta and, at the same time, by a team led by David Chartier of Finland-based security firm Codenomicon. The news was made available to the public later on. Before that, Codenomicon's findings were made available to CERT, the Finnish National Security Cyber Center. CERT passed the information to the OpenSSL Project and urged them to provide an update and release it to the public.
So before the news spread, most of the popular websites and services applied the patch, leaving no chance for hackers to use the bug. But the latest information reveals that there are still lots of sites where the threat looms without a patch. You can check whether a website is vulnerable to the Heartbleed bug in Chrome using a simple plugin called Chromebleed. It alerts you if the bug is found on any website you open. But the threat is not limited to the web.
Your smartphone, printer, router, etc. are also vulnerable. Apple says its OS is safe and BlackBerry has scheduled an update. But in the case of Android, the threat is there. In a security-related blog article, Google admitted that a version of Android is vulnerable to the Heartbleed bug. It’s the Jelly Bean version, Android 4.1.1.
Though Google is committed to releasing a patch, it is understandable that it will take time, because there are different carriers and customized Android versions. If you are worried about the Heartbleed threat on your device, you can check whether your Android OS and any apps are vulnerable to the biggest security threat the internet has ever seen.
There are two dedicated Android apps for detecting the presence of the Heartbleed bug: Heartbleed Detector from Lookout Mobile Security and Bluebox Heartbleed Scanner. While the former can be used to find out whether your device is vulnerable, the latter can scan your OS and apps too.
We advise our readers to change the passwords of their online accounts immediately. But do check that the websites/services in question have already applied the security update and are out of danger from Heartbleed; otherwise there is no use in changing the password. You can check whether the site you are using is secure by going to the McAfee security tool page.
It is unclear whether any security agencies in the world exploited the bug much earlier to steal critical information for intelligence purposes. There is no clue this time either, just as with the earlier Stuxnet virus!