What is this bug and should I be worried about it?
An online security loophole has sent a shudder across the globe; here’s what you need to know
Q
What is ‘ Heartbleed’?
A
It’s a computer bug reportedly detected last week by Internet security experts in Finland and researchers at Google, but only revealed widely within the online security community on Monday. Heartbleed affects open- source software called OpenSSL ( Secure Sockets Layer) that’s at the very core of millions of applications used to encrypt Internet communications. Heartbleed can reveal the contents of a computer server’s memory, including private data such as encrypted email, user names, passwords, documents and credit card numbers. It also allows hackers to obtain copies of a server’s digital keys, and use them to impersonate other servers and fool people into thinking they are using a legitimate website.
Q
How big a deal is it?
A
Experts warn that the bug’s effect on consumers could be “significant” but it appears no one’s really sure. It has been reported that up to 66 percent of websites use OpenSSL. The key factor appears to be whether malicious hackers knew about the vulnerability and exploited it — something that’s still unknown. One of the scariest aspects of Heartbleed is its ability to sneak in, steal important data and get out without leaving a trace.
Q
Who is affected?
A
The most high- profile domestic effect was the sudden decision by the Canada Revenue Agency to lock down its on line filing services, Efile and Netfile, as well as access to business and personal account data stored by its system. So there won’t be any E- filing until at least the weekend. Other federal systems are also being assessed for vulnerability to the threat. On the other end of the spectrum, the Canadian Bankers Association, which represents 59 domestic and foreign banks, said they’re not affected and customers who bank online have nothing to worry about. Canada’s three main political parties also seem like they won’t be leaking anyone’s personal information — tests run through an on line tool showed that they aren’t vulnerable.
Q Should I change all my passwords?
A
Yes — when you’re told to. Security experts around the globe are strongly advising every one to update all passwords, but note that until the site you’re using fixes the bug, it won’t help. So wait for confirmation that they’ve fixed the problem, and then update your information. “We always recommend that customers change their passwords regularly,” a TD Bank Group spokeswoman said Wednesday.
Q What’s be ing done to stop the “bleeding”?
A
A number of large global websites, including Google, Facebook and Yahoo, have said they are either in the process of fixing the problem or have already dealt with the threat. Facebook said it “added protections for Facebook’s implementations of OpenSSL before this issue was publicly disclosed, and we haven’t detected any signs of suspicious activity on people’s accounts.” Yahoo also said it had fixed the problem, but not before are searcher criticized the company’s “slow response” and demonstrated how he was able to use Heartbleed to force Yahoo to leak user names and passwords.