by Craig Masters
A computer bug named Heartbleed is working its way into the heart of tens of thousands of internet servers in what is described as the most significant internet virus yet. The Wall Street Journal estimated that as many as two-thirds of the world’s internet servers could be affected.
HEARTBLEED is described in PC Magazine as, “…one of the most severe vulnerabilities to endanger encrypted SSL communications in recent years.”
The unique danger of this bug is not the damage it does by itself, but that by working its way into the heart of the servers and rendering them vulnerable, attackers can exploit the vulnerability to force servers that use OpenSSL versions 1.0.1 through 1.0.1f to expose information from private memory space. That information can include confidential data; passwords, TLS session keys and long-term server private keys that allow decrypting past and future SSL traffic captured from the server.
The operators of those servers may not discover the loss of data.
Google found the bug early on and tried to fix it quietly. Facebook, Yahoo/Tumblr, Netflix were areas reported that they had been informed about the bug but were required to sign a no-disclosure agreement before receiving the repair instructions.
The Canadian security information service justified the unusual steps which had kept the existence of the heartbleed bug a secret from the public until Monday April 7, but news was only hitting the general public late Wednesday. The concern was that “…Malicious attackers could use the so-called “Heartbleed bug” to easily steal server encryption keys, usernames, passwords, instant messages, personal emails, transactions and sensitive business information from most of the world’s Web servers running the vulnerable software called OpenSSL.”
Canadians have been unable to file taxes online since the national system was taken offline for security reasons until the server for the national tax collection site can be repaired and hardened against attacks trying to take advantage of the weakness created by the heartbleed bug.
Given the overall lack of truthful information Americans have been receiving from the government these past few years, it is probable that the already problem-plagued Obamacare web site servers or one of the many localized servers which handle healthcare information have been targeted for personal information of those who were registered on the system.
While many major servers such as Google have released information stating that it is not necessary for users to change passwords, that may not be a bad idea.