The web bug known as Heartbleed has rocked the Internet world. After its discovery last week, Heartbleed continues to threaten personal information and sensitive data transmitted over the web daily. We chat with Alex Hilton, Founder and CEO of FroogaliT, about how the bug can affect average consumers and what people can do to protect themselves.
Read an interview with Alex Hilton.
What is the Heartbleed bug?
It is essentially a back door that was left open and no one closed it until now. Heartbleed is a protocol for calling into an SSL certificate. You go to PayPal, which is a secure server, for instance. Heartbleed was a missing protocol that caused a vulnerability where sensitive data from sites like Facebook and Gmail could be accessed.
Heartbleed affected “OpenSSL” – what does that mean?
OpenSSL encryption software is different than open source. If I am creating it and not patenting it, then it is open source.
OpenSSL is where the Heartbleed virus affected protocols. OpenSSL stands for “secure socket layer” – and there is a protocol which basically gives you encryption functionality for your website. What was happening was the Heartbleed virus was basically tricking the computer with fake information. The computer then responded to hackers by giving them the stored memory. The big problem that they are figuring out is that it is undetectable and you don’t know it is happening. If your Gmail was hacked and they tell you to change your password and you do, the hacking still doesn’t go away.
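As an added illustration, not code from the article or from OpenSSL itself, here is a simplified C model of the mechanism the answer describes: a heartbeat record carries a length field, and the defect was copying that many bytes back without checking that the record actually contained them, so the reply carried whatever happened to sit next in memory. The record layout, the `mem` array standing in for process memory and the "secret" string are constructed for the model; the checked handler shows the single length check that closes the hole.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Assumed heartbeat record layout: byte 0 type; bytes 1-2 claimed payload
 * length (big endian); then the payload; then at least 16 bytes of padding. */
#define HB_HDR 3
#define HB_PAD 16

/* Simulated process memory: the received record is placed at the front and a
 * constructed "secret" is placed right behind it, standing in for other
 * session data that would follow in a real server's memory. */
#define MEM_SIZE 256
static uint8_t mem[MEM_SIZE];
static const char SECRET[] = "constructed-session-secret";

static size_t claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Copy a record into simulated memory; returns the record's real length. */
size_t load_record(const uint8_t *rec, size_t rec_len) {
    if (rec_len + sizeof SECRET > MEM_SIZE) return 0;
    memset(mem, 0, MEM_SIZE);
    memcpy(mem, rec, rec_len);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Unchecked handler (the Heartbleed defect): trusts the length field and
 * copies that many payload bytes whether or not the record holds them.
 * Returns the number of bytes placed in out. */
size_t heartbeat_unchecked(size_t rec_len, uint8_t *out, size_t out_cap) {
    size_t n = claimed_len(mem);
    (void)rec_len;                              /* the real length is never consulted */
    if (n > out_cap || HB_HDR + n > MEM_SIZE)   /* keeps the model inside its own array */
        return 0;
    memcpy(out, mem + HB_HDR, n);               /* reads past the record when n is too large */
    return n;
}

/* Checked handler (the fix): the record must really contain header, claimed
 * payload and padding, otherwise it is dropped. Returns bytes placed in out, or 0. */
size_t heartbeat_checked(size_t rec_len, uint8_t *out, size_t out_cap) {
    size_t n = claimed_len(mem);
    if (rec_len < HB_HDR + HB_PAD) return 0;        /* too short to be a heartbeat */
    if (HB_HDR + n + HB_PAD > rec_len) return 0;    /* claimed payload is not present */
    if (n > out_cap) return 0;
    memcpy(out, mem + HB_HDR, n);
    return n;
}
```

With a 21-byte record that claims a 64-byte payload, the unchecked handler returns 64 bytes including the neighbouring secret, while the checked handler returns 0 and only answers a record whose claimed length fits.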
How does it affect consumers or web users?
Basically, people got a hold of usernames and passwords. This is huge and people will be talking about it for a long time to come. Your personal information can be taken and you don’t even know it. They can take the info from you over email, instant messaging, etc. And people who have private networks are vulnerable too. Some solutions that can help for people on OpenSSL - they can move to a fixed OpenSSL.
Has this vulnerability always existed on the web?
There are always vulnerabilities on the web and back doors. This doesn’t actually exist, it is a virtual environment. Once this goes away, there will be another virus or vulnerability. This is the most recent out of the batch. There will be the next version of it.
How did it go unnoticed?
I have no idea. That would be a government-regulation question. Whoever does software checks, we always have people checking. I’m flabbergasted that this was open for so long.
Did hackers know about it before it was discovered?
The hackers have known about it because they have been taking advantage of the system. I know some of our guys would be considered hackers and they didn’t know about it. They were shocked.
A number of websites and businesses are vulnerable to it still?
Yes. Anybody that has OpenSSL. Right now, I just pulled up my Facebook and if you pull that up, it has a green lock logo that says it has been verified. But that might not actually be the case. Another option would be to not encrypt transmitted information.
What is the fix?
The fix is to move away from OpenSSL or receive a patch for the SSL certificate. The first step is identifying you have an issue with the Heartbleed virus. Once you do that, they need to fix the system; then users need to change passwords. What piqued my interest was Facebook said they don’t have suspicious account activity but to set up a new password. Everyone internally is fixing it - Tumblr, Twitter, Pinterest, Google, etc. Google themselves already applied the patches but Google Chrome has not. There is a lot of work to do.
Is online banking or banks themselves at risk?
When we do online transactions, we encrypt the software using our own method. The key is at the bank level and they are the only ones that can unlock it. So even if anyone stole that data, it is like junk mail and a bunch of gibberish that can’t be decoded.
What about external equipment like routers, printers, Androids, firewalls?
Yes, Android is Google so they run that software on the back end. Google will implement patches for it and send out a software fix. A consumer won’t really need to do anything. Credit cards run on a private network as well.
Any upticks in black market data trading?
Not that I have heard of at all really. I have been personally getting hit by spam mail from friends and family. Friends with Gmail addresses or Blackberry especially. I told them to change passwords but it kept happening.
Is this the worst thing that can happen to the internet?
I think taking away the freedom of the internet is the worst, but this here is just regulations needed over OpenSSL being pumped into the marketplace. I would recommend that they use something else but I don’t want people looking at my software code. Target was a bigger deal in my mind. Really, what it comes down to is media sites and gaming sites - they will have your info. Once you confirm the system is patched, change your password and get a new card in case that info was stolen. We will see what happens. Amazon web services were hit pretty hard so we will see what happens there. I may be eating my words.
Can there be a guaranteed fix?
You can use OpenSSL but you just have to remove that back door and identify where it came from. The company that has it needs to patch the hole. You are always going to have to protect from other breaches. At least you can fix this, then always be looking for other holes. They have specific people looking for this too.
It should be a quick fix on the software side once identified. And one thing the consumer can do is never use the same password across all accounts. You have to change them constantly and I refresh credit cards every other month. On my Facebook and accounts, I refresh those passwords quite often.
How do you keep track of all your passwords?
I keep them on a secure, locked place on my phone. People can have secure lockers on their computer or smartphone and copy/paste as you refresh. Then password-protect that in case you lose your phone or your computer gets stolen. And you don’t want to write it down. Implementing better anti-virus products and spyware is also necessary. AVG is a good antivirus product and free to download. And they have spyware too. I encourage people to look for security software and really start putting those practices into use. Mac claims their computers don’t get viruses but I don’t feel that way. I would rather protect myself. Even to Mac users, at least take that extra precaution.
Interview has been condensed and edited.
View a graphic of websites affected by the Heartbleed bug.
Graphic by Taurean Small