What you need to know about the Heartbleed security issue

21 May 2014

What is it?

The 'Heartbleed' security issue is a widespread problem with the way secure online services interact with your computers and devices. Specifically, given the right circumstances, a hacker could request secure information from a secure server which they should not be allowed to access.

How does it work?

1. Normally the user (i.e. your computer/device) asks the server for a word and specifies a number of characters, e.g. "Server, if you are there, send me the word 'dog', 3 characters long." The server responds with the word 'dog'.

2. Once the hacker knows the server is vulnerable to this problem, the hacker can ask the server, e.g. "Server, if you are there, send me the word 'cat', 240 characters long." The server responds with 'cat. Amy’s password is = I love cats, Username = Amy123, (and so on)'.

3. The server does not check that the word really is as long as the hacker claims, so it sends the hacker the word 'cat' followed by the contents of its memory, up to 240 characters in this case.

4. These characters may include other users' passwords or other sensitive information that would not usually be available to the hacker.
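
The four steps above as a small C simulation, showing the flawed reply next to one that checks the claimed length. This is an added example, not part of the original article and not OpenSSL's actual code; the names server_memory, load_request, reply_trusting and reply_checked, and the sample data, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64
#define MAX_WORD 16

/* Simulated server memory (constructed): the requested word is stored first,
   and unrelated data belonging to someone else sits directly after it. */
static char server_memory[MEM_SIZE];

static int load_request(const char *word, size_t actual_len) {
    const char *other = ". Username = Amy123";  /* constructed sample data */
    if (actual_len > MAX_WORD) return -1;
    memset(server_memory, 0, MEM_SIZE);
    memcpy(server_memory, word, actual_len);
    memcpy(server_memory + actual_len, other, strlen(other));
    return 0;
}

/* Flawed handler: replies with as many characters as the requester claims. */
static int reply_trusting(const char *word, size_t actual_len,
                          size_t claimed_len, char *out, size_t out_size) {
    if (load_request(word, actual_len) != 0) return -1;
    if (claimed_len > MEM_SIZE) claimed_len = MEM_SIZE; /* stay inside the demo array */
    if (claimed_len >= out_size) return -1;
    memcpy(out, server_memory, claimed_len);   /* copies past the end of the word */
    out[claimed_len] = '\0';
    return (int)claimed_len;
}

/* Corrected handler: ignores any request that claims more than it sent. */
static int reply_checked(const char *word, size_t actual_len,
                         size_t claimed_len, char *out, size_t out_size) {
    if (claimed_len > actual_len) return -1;   /* the missing length check */
    return reply_trusting(word, actual_len, claimed_len, out, out_size);
}

int main(void) {
    char out[MEM_SIZE + 1];
    if (reply_trusting("cat", 3, 22, out, sizeof out) > 0)
        printf("trusting: %s\n", out);
    if (reply_checked("cat", 3, 22, out, sizeof out) < 0)
        printf("checked: request discarded\n");
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the length actually sent.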

What is the problem?

This security issue has been on the internet for 2 years, and over two thirds of secure online services use the system in which the issue exists.

What is affected?

Online services that use a system called OpenSSL are affected. These include some social networking sites, some financial/bank web sites, and some online business services. To see a list of affected sites (US-centric), see this Mashable page (external link).

What do I need to do?

Most of the affected sites should have notified you by now if you need to change your password. Also, do not use the same password on different sites.

What don't I need to do?

Never respond by clicking links in emails to change your password, even if the email appears legitimate. Always visit the site by typing its www address into your browser.

Rest assured we will, on your behalf, actively update/patch and change passwords on any devices and services that use this security system. Another reason to have your Managed IT Services with us!

If you require any information please contact us on 1300 306 547.
