News, April 15, 2014

Called "serious," "chaos" and "catastrophic," the "Heartbleed" bug doesn't seem to be causing too much of a local panic.

The computer bug recently prompted dozens of websites to patch their vulnerability to potential attackers after its existence was publicly acknowledged April 7. However, the security flaw has existed since December 2011.

Caitlin Schlichting, web developer and online marketing administrator for The Bank of Missouri, said Heartbleed can affect anyone using vulnerable versions of OpenSSL software, whether it is through a bank or another kind of business.

The Bank of Missouri has taken steps to ensure customers' information is not vulnerable to the bug, and necessary system upgrades and patches were performed last week.

"It certainly is something that we've been working towards making sure that it's not a concern for us," she said.

It's scary to think that something people feel they can rely on, such as a secure website, turns out to be something they can't, she said.

The flaw was found in OpenSSL, an encryption technology some websites use to protect private data such as emails, passwords or credit card numbers. A website that displays a green browser bar and uses "https" before its web address, identifying it as a secure connection, is using Secure Sockets Layer (SSL)/Transport Layer Security (TLS), of which OpenSSL is a popular implementation.

"OpenSSL is the most popular open source cryptographic library and TLS implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, [the] site you install software from or even sites run by your government might be using vulnerable OpenSSL," according to heartbleed.com.

Heartbleed is a leak in the system that allows anyone to read the memory of servers running vulnerable versions of OpenSSL software, compromising secret keys used to identify service providers and to encrypt traffic, as well as the names and passwords of users and content, according to the website.

"This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," the website says.

What makes matters worse -- the hacks are nearly untraceable, and have been for more than two years.

Cape Girardeau website developer Element 74 released a blog statement regarding Heartbleed on Friday, saying their customers have nothing to worry about.

"Element 74 does not utilize the OpenSSL libraries in any way," said vice president and chief technology officer Chris Behnken in the release. "Our software and server technologies are based on Microsoft products, and we exclusively use Microsoft Internet Information Server to host our websites, including any sites utilizing Secure Sockets Layer."

Dana Hukel, president and owner of Bold Marketing in Cape Girardeau, said the firm has not encountered any alerts or spam involving online tools for its clients that cause worry about Heartbleed, and none of their websites has been affected.

If a person is concerned about online security, it only takes seconds to change a password, Hukel said.

Experts advise against individuals changing their usernames and passwords for specific websites until the sites have confirmed they've patched the security hole. Otherwise, an attacker can steal a person's most recent credentials and use them to compromise their account.

If the "back-end" of the server is not patched, "it doesn't matter how much, how many times you've changed your password, it's still vulnerable," said Dr. Vijay Anand, assistant professor of industrial and engineering technology at Southeast Missouri State University.

Websites that reportedly have patched their vulnerability to hackers are Facebook, Google, Yahoo!, Pinterest, YouTube and Amazon, among others.

It was reported Monday that researchers have been able to demonstrate a server's private encryption key can be taken using the Heartbleed bug.

"I don't think they understand the full breadth of [Heartbleed's] impact, yet," Hukel said.

The latest, fixed version of OpenSSL has been released and is now being deployed, according to heartbleed.com.

ashedd@semissourian.com

388-3632
