Editor's note: A previous version of this article incorrectly indicated that Fool.com was unaffected by Heartbleed. Those references have been removed. The Motley Fool's official response to Heartbleed can be found here.
There's a horrid security bug going around and you probably caught it already. Or rather, some of your favorite sites caught it and you'd be smart to change your passwords there. Disturbingly, this massive threat to online security and privacy comes from the very software that's supposed to protect our data flows.
How bad is it? Security expert Bruce Schneier calls it a "catastrophic" flaw. "On the scale of 1 to 10, this is an 11."
The bug is known as Heartbleed and lets attackers siphon random data out of Web servers with no risk of detection. Most of these random data chunks will be unreadable noise, but some of them may contain encryption keys, user logins and passwords, or credit card numbers, just to name a few sensitive data types. One tiny chunk at a time, it's possible to siphon out most of the server's memory contents.
The name refers to two technical aspects of the bug: the data comes back in response to a malformed "heartbeat" request, and it bleeds information out of the very heart of your system.
What happened?
Heartbleed is not related to the hacking attacks on Target (TGT 2.19%) last fall. That was a focused effort by criminals to ferret out credit card information from Target's systems and used sophisticated special-purpose software to get it done. Heartbleed is just a simple software bug and not a targeted attack, but the doors it opens lead to scary places that Target never had to visit.
It's been around for two years, and appears to have been exploited over the last five months. The memory-reading flaw affects millions of websites using the popular OpenSSL security package. Anything running on Linux or BSD systems of a certain vintage is up for grabs. Even elsewhere, popular Web server software such as Apache and nginx often use the affected software. Together, these two software solutions serve up 66% of all Web requests today, including more than 70% of the Internet's busiest sites.
Let's put our tinfoil hats away
The flaw was not introduced by the NSA, the CIA, Scotland Yard, or the Illuminati. It was a simple programming error made two years ago, forgetting to check the size and validity of a data request before sending out a response. The developer who made the error calls it a "trivial" mistake with "severe" consequences.
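To make that "trivial" mistake concrete, here is an added C illustration written for this article; it is a deliberately simplified stand-in and not OpenSSL's code. An echo handler trusts the payload length a request claims instead of checking it against the bytes that actually arrived, and sits beside the version with the missing check in place. The record layout, the struct layout, the "secret" value and every function name are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of a missing length check, not OpenSSL's code.
 * Simulated process memory: the received record sits right next to other
 * data, so reading past the end of the record is observable. */
struct conn_memory {
    uint8_t record[64];  /* the received heartbeat-style record */
    char    secret[32];  /* constructed sensitive data living next to it */
};

/* Assumed record layout: 1-byte type, 2-byte big-endian claimed payload
 * length, then the payload bytes. */
static size_t claimed_payload_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable: echoes as many bytes as the sender CLAIMS were sent, without
 * comparing that claim to the number of bytes that actually arrived. */
size_t echo_vulnerable(const struct conn_memory *mem, size_t record_len,
                       uint8_t *out, size_t out_cap) {
    (void)record_len;                         /* the bug: never consulted */
    size_t n = claimed_payload_len(mem->record);
    if (n > out_cap) n = out_cap;             /* only so the demo cannot overrun out[] */
    memcpy(out, (const uint8_t *)mem + 3, n); /* may read past record[] into secret[] */
    return n;
}

/* Fixed: the claimed length must fit inside the record that actually arrived;
 * otherwise the request is dropped and nothing is sent back. */
size_t echo_fixed(const struct conn_memory *mem, size_t record_len,
                  uint8_t *out, size_t out_cap) {
    if (record_len < 3) return 0;             /* not even a complete header */
    size_t n = claimed_payload_len(mem->record);
    if (n > record_len - 3) return 0;         /* the check that was missing */
    if (n > out_cap) return 0;
    memcpy(out, mem->record + 3, n);
    return n;
}

/* Feeds a constructed malformed record (claims 80 payload bytes, carries 2)
 * through one handler and returns how many bytes of secret[] came back.
 * Returns (size_t)-1 if the reply holds bytes that do not match secret[]. */
size_t leaked_secret_bytes(int use_fixed) {
    struct conn_memory mem;
    memset(&mem, 0, sizeof mem);
    memcpy(mem.secret, "constructed-secret-value", 24);
    mem.record[0] = 1;                        /* type: heartbeat request */
    mem.record[1] = 0; mem.record[2] = 80;    /* claimed payload length: 80 */
    mem.record[3] = 'h'; mem.record[4] = 'i'; /* the 2 bytes actually sent */
    size_t record_len = 5;                    /* header + 2 payload bytes */

    uint8_t out[128];
    size_t n = use_fixed ? echo_fixed(&mem, record_len, out, sizeof out)
                         : echo_vulnerable(&mem, record_len, out, sizeof out);

    /* Reply byte i came from struct offset 3 + i; secret[] starts at offset 64,
     * so reply bytes from index 61 onward are secret material. */
    if (n <= 61) return 0;
    size_t leaked = n - 61;
    if (memcmp(out + 61, mem.secret, leaked) != 0) return (size_t)-1;
    return leaked;
}

/* A well-formed record (claims 2 bytes, carries 2) is still echoed by the
 * fixed handler; returns the number of bytes echoed, 0 on any mismatch. */
size_t fixed_echo_valid(void) {
    struct conn_memory mem;
    memset(&mem, 0, sizeof mem);
    mem.record[0] = 1; mem.record[1] = 0; mem.record[2] = 2;
    mem.record[3] = 'h'; mem.record[4] = 'i';
    uint8_t out[128];
    size_t n = echo_fixed(&mem, 5, out, sizeof out);
    return (n == 2 && out[0] == 'h' && out[1] == 'i') ? n : 0;
}

int main(void) {
    printf("vulnerable handler leaked %zu bytes of secret[]\n", leaked_secret_bytes(0));
    printf("fixed handler leaked %zu bytes of secret[]\n", leaked_secret_bytes(1));
    printf("fixed handler echoed %zu bytes of a valid record\n", fixed_echo_valid());
    return 0;
}
```

The one-line comparison in `echo_fixed` is the whole difference: a reply is only ever built from bytes the sender actually delivered, so a request that lies about its own size gets nothing back instead of a slice of whatever happens to sit next to it in memory.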
OpenSSL is open-source software, meaning that anybody could have found the error and submitted a patch to plug the Heartbleed memory hole. But despite its very heavy usage in the real world, few developers actually work on this package. Any bug is shallow and easily fixed, given enough eyeballs looking at the code -- but OpenSSL just didn't have enough of those flaw-finding eyeballs. That's why the bug wasn't detected for two years.
Intelligence agencies may very well have found and exploited the bug at some point, but it's impossible to find out unless Edward Snowden's unreleased papers talk about it.
What to do right now
So, what happened to your data and what does a regular Web surfer do now?
- The good: Fixing the Heartbleed bug is very simple, and many sites have already patched their systems.
- The bad: Smaller sites with lower IT budgets and less tech expertise may not have plugged this hole yet -- and some may never get around to it.
- The ugly: Your sensitive data may already have been trawled out of vulnerable servers, even if the Heartbleed fix is in place today.
It's time to take action.
Mashable keeps a handy list of major sites, noting which of them were affected by Heartbleed and which passwords you should change right away.
Keep an eye on your email inbox. Site owners may reach out to let you know that something was amiss and that it's high time to update your passwords anyway. This is not spam but a serious call to action. For example, I got a note like that from Pinterest this morning:
If you're feeling proactive, there's a plugin for the Chrome browser that lets you know if a site you're visiting is vulnerable to Heartbleed. Install it and browse like you usually do and the tool will let you know when something's amiss.
Or you can go directly to the data source behind the Chrome plugin, checking sites by hand before visiting a potentially vulnerable one. This Heartbleed checker actually runs the attack on your behalf, extracting a handful of bytes just to see if it works. The tool works in any modern browser and, no, you don't get to see the snatched data. Also, keep in mind that this tool only tells you whether a site is affected right now, not whether it was affected before a fix went in.
So, it's not the end of the world, but you might want to go on a password-changing spree of epic proportions. And if you're just a little more paranoid, you might want to cancel every credit card you've ever used online and order up replacement cards. For once, that's not a crazy thing to do.