Why You Should Be Terrified of the Heartbleed Bug -- And What You Can Do About It

The Heartbleed bug is as scary as it sounds, potentially exposing every secret you ever shared online. Find out what it is, what it's doing, and how you can fight back.

Apr 10, 2014 at 2:00PM

Image source: Heartbleed.com.

Editor's note: A previous version of this article incorrectly indicated that Fool.com was unaffected by Heartbleed. Those references have been removed. The Motley Fool's official response to Heartbleed can be found here.

There's a horrid security bug going around and you probably caught it already. Or rather, some of your favorite sites caught it and you'd be smart to change your passwords there. Disturbingly, this massive threat to online security and privacy comes from the very software that's supposed to protect our data flows.

How bad is it? Security expert Bruce Schneier calls it a "catastrophic" flaw. "On the scale of 1 to 10, this is an 11."

The bug is known as Heartbleed and lets attackers siphon chunks of a Web server's memory, up to 64 KB per request, and the requests normally leave no trace in the server's logs. Most of these chunks will be unreadable noise, but some may contain encryption keys, user logins and passwords, or credit card numbers, just to name a few sensitive data types. Sent over and over, these small requests can pull out a large part of whatever the server happens to hold in memory.

The name combines the two technical pieces of the bug: the flaw lives in the TLS "heartbeat" extension, a small keep-alive message exchanged between browser and server, and a malformed heartbeat request bleeds information out of the very heart of your system.

What happened?
Heartbleed is not related to the hacking attacks on Target (NYSE:TGT) last fall. That was a focused effort by criminals to ferret out credit card information from Target's systems and used sophisticated special-purpose software to get it done. Heartbleed is just a simple software bug and not a targeted attack, but the doors it opens lead to scary places that Target never had to visit.

It's been around for two years, and appears to have been exploited over the last five months. The memory-reading flaw affects millions of websites using the popular OpenSSL security package: the bug arrived in OpenSSL 1.0.1 in March 2012, every release from 1.0.1 through 1.0.1f is vulnerable, 1.0.1g fixes it, and the older 0.9.8 and 1.0.0 branches were never affected. Most Linux and BSD systems released in the past two years shipped one of the vulnerable versions. Even elsewhere, popular Web server software such as Apache and nginx usually relies on OpenSSL for HTTPS. Together, these two software solutions serve up 66% of all Web requests today, including more than 70% of the Internet's busiest sites.

Source: Netcraft.com

Let's put our tinfoil hats away
The flaw was not introduced by the NSA, the CIA, Scotland Yard, or the Illuminati. It was a simple programming error made two years ago: a missing bounds check. A heartbeat request carries a length field saying how many bytes of payload the sender wants echoed back, and the code trusted that number instead of checking it against the size of the request that actually arrived, so it copied that many bytes out of memory and sent them back. The developer who made the error calls it a "trivial" mistake with "severe" consequences.
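To make the missing check concrete, here is an added illustration in C, written for this article and not OpenSSL's own code. It models a server answering one heartbeat request with a simplified version of the RFC 6520 message layout (type byte, two-byte payload length, payload, padding). The "server memory", the request and the secret sitting next to it are all constructed for the demo. With fixed set to 0 the handler trusts the peer's length field, as OpenSSL 1.0.1f did, and the response carries the neighbouring secret; with fixed set to 1 the same request is refused.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* RFC 6520: at least 16 bytes of padding */

/*
 * Answer a TLS heartbeat request held in rec[0..rec_len) by writing the
 * response into out.  Returns the response length, or -1 if the request
 * is refused.  fixed == 0 reproduces the pre-1.0.1g behaviour of using
 * the payload length the peer claims; fixed == 1 adds the bounds check
 * that closed Heartbleed.  Simplified illustration, not OpenSSL code.
 */
static int heartbeat_respond(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap, int fixed)
{
    if (fixed && rec_len < 1 + 2 + HB_PADDING)
        return -1;                                  /* no room for a header */

    unsigned char type = rec[0];
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* peer-supplied */
    const unsigned char *payload = rec + 3;

    if (type != HB_REQUEST)
        return -1;
    /* The missing check: the claimed payload must lie inside the record
       that was actually received, otherwise the memcpy below reads past it. */
    if (fixed && 1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;
    if (1 + 2 + payload_len + HB_PADDING > out_cap)
        return -1;                                  /* response buffer too small */

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);          /* over-reads when !fixed */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* real code uses random bytes */
    return (int)(3 + payload_len + HB_PADDING);
}

/* Constructed stand-in for server memory: a heartbeat request that claims a
   64-byte payload but really carries 3 bytes, followed by a made-up session
   cookie that just happens to sit next to the record in memory.  Keeping
   everything inside one array means the over-read stays within defined
   memory for the demo. */
#define REQ_PAYLOAD_REAL     3
#define REQ_PAYLOAD_CLAIMED  64
#define REQ_LEN  (1 + 2 + REQ_PAYLOAD_REAL + HB_PADDING)   /* 22 bytes on the wire */
static const char fake_secret[] = "session=c0ffee; user=alice";
static unsigned char server_memory[128];

static void build_server_memory(void)
{
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = REQ_PAYLOAD_CLAIMED >> 8;
    server_memory[2] = REQ_PAYLOAD_CLAIMED & 0xff;
    memcpy(server_memory + 3, "hi!", REQ_PAYLOAD_REAL);
    /* the 16 zero bytes of padding are already in place; the secret follows */
    memcpy(server_memory + REQ_LEN, fake_secret, sizeof fake_secret - 1);
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the secret shows up in the response (the Heartbleed leak),
   0 if the response came back clean, -1 if the request was refused. */
int run_heartbeat(int fixed)
{
    unsigned char response[256];
    build_server_memory();
    int n = heartbeat_respond(server_memory, REQ_LEN, response,
                              sizeof response, fixed);
    if (n < 0)
        return -1;
    return contains(response, (size_t)n, fake_secret);
}

int main(void)
{
    printf("unpatched handler leaks the secret: %s\n",
           run_heartbeat(0) == 1 ? "yes" : "no");
    printf("patched handler refuses the request: %s\n",
           run_heartbeat(1) == -1 ? "yes" : "no");
    return 0;
}
```

The fixed branch is the whole patch in spirit: one comparison between the length the peer claims and the length of the record the server actually holds. Everything else in the handler is the same in both versions, which is why the fix was trivial and the bug was not.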

OpenSSL is open-source software, meaning that anybody could have found the error and submitted a patch to plug the Heartbleed memory hole. But despite its very heavy usage in the real world, few developers actually work on this package. Any bug is shallow and easily fixed, given enough eyeballs looking at the code -- but OpenSSL just didn't have enough of those flaw-finding eyeballs. That's why the bug wasn't detected for two years.

Intelligence agencies may very well have found and exploited the bug at some point, but it's impossible to find out unless Edward Snowden's unreleased papers talk about it.

What to do right now
So, what happened to your data and what does a regular Web surfer do now?

  • The good: Patching the Heartbleed bug is very simple -- upgrade OpenSSL and restart the services that use it -- and many sites have already done so. Because the server's private key may have leaked, a careful site also generates a new key, obtains a new certificate, revokes the old one, and logs out existing sessions; a site that only installed the patch is not finished.

  • The bad: Smaller sites with lower IT budgets and less tech expertise may not have plugged this hole yet -- and some may never get around to it.

  • The ugly: Your sensitive data may already have been trawled out of vulnerable servers, even if the Heartbleed fix is in place today.

It's time to take action.

Mashable keeps a handy list of major sites, noting which of them were affected by Heartbleed and which passwords you should change right away.

Keep an eye on your email inbox. Site owners may reach out to let you know that something was amiss and that it's high time to update your passwords anyway. This is not spam but a serious call to action. For example, I got a note like that from Pinterest this morning:

Pinterest Note

If you're feeling proactive, there's a plugin for the Chrome browser that lets you know if a site you're visiting is vulnerable to Heartbleed. Install it and browse like you usually do and the tool will let you know when something's amiss.

Or you can go directly to the data source behind the Chrome plugin, checking sites by hand before stepping on potentially vulnerable ground. This Heartbleed checker actually runs the attack on your behalf, extracting a handful of bytes just to see if it works. The tool works in any modern browser and, no, you don't get to see the snatched data. Also, keep in mind that this tool only tells you whether a site is vulnerable right now, not whether it was vulnerable before it was patched, and it can't tell you whether anything was actually stolen.

So, it's not the end of the world, but you might want to go on a password-changing spree of epic proportions. And if you're just a little more paranoid, you might want to cancel every credit card you've ever used online and order up replacement cards. For once, that's not a crazy thing to do.


Anders Bylund has no position in any stocks mentioned. The Motley Fool has no position in any of the stocks mentioned. Try any of our Foolish newsletter services free for 30 days.

We Fools may not all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors. The Motley Fool has a disclosure policy.


©1995-2014 The Motley Fool. All rights reserved. | Privacy/Legal Information