When news of the Heartbleed bug surfaced on April 7, 2014, it affected an estimated 17% of the internet’s secure servers (or roughly half a million). While an update soon followed to fix this vulnerability, thousands of servers and millions of websites remain unprotected. Security experts have warned that users on Heartbleed-vulnerable sites could have their personal information stolen — credit card numbers, social security numbers, email addresses, logins, street addresses, etc. — even if they are using SSL encryption.
Heartbleed Hacker Arrested
Last week, 19-year-old Stephen Arthuro Solis-Reyes of London was arrested and charged by authorities for exploiting the Heartbleed bug. Canadian officials believe Solis-Reyes infiltrated the Canadian Revenue Agency’s (CRA) website and stole an estimated 900 Social Insurance numbers from Canadian taxpayers over a 6-hour period. The incident occurred just one day after the CRA’s website went down for maintenance due to the Heartbleed bug.
Solis-Reyes has been charged with one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data. Authorities searched Solis-Reyes’ home, confiscating several computers and other equipment they believe may have been used in connection with the two crimes.
The 900 Canadian residents whose data was stolen should receive an official letter in the mail notifying them of the incident.
What Is The Heartbleed Bug?
Heartbleed is a serious security bug in the open-source encryption library OpenSSL. Websites using OpenSSL encryption are at risk of having their content exposed to prying eyes.
The website Heartbleed.com states the following about this critical vulnerability:
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”
The bug’s name comes from the communication technology between two or more networked computers. When computers talk to one another over a network, they send out a pulse, or heartbeat, to verify the connection is still active. The Heartbleed bug takes advantage of this fact by mimicking the characteristics of a real pulse, thus tricking the server into thinking it’s been given access.
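An added example, not part of the original article or of OpenSSL's code: per RFC 6520, a heartbeat request carries a payload plus a declared payload length and the peer echoes the payload back, and the fix for Heartbleed was to check that declared length against the record actually received. The helper names and the two sample records below are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request, RFC 6520 */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HDR      3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* RFC 6520 requires at least 16 padding bytes */

/* Constructed sample records (not captured traffic): 4-byte payload "ping". */
static const uint8_t HB_OK[HB_HDR + 4 + HB_MIN_PAD]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
/* Same bytes, but payload_length claims 0x4000 (16384). */
static const uint8_t HB_BAD[HB_HDR + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };

/* How many bytes past the received record a responder would read if it
 * trusted payload_length. Computed only; no memory is read. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t avail = rec_len - HB_HDR;
    return claimed > avail ? claimed - avail : 0;
}

/* Hardened responder: echo the payload only when header + claimed payload +
 * minimum padding fit inside the record. Returns the response length, or -1
 * when the message must be silently discarded. */
long hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > rec_len || resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);    /* bounded by the check above */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD);  /* real stacks send random padding */
    return (long)resp_len;
}

int main(void)
{
    uint8_t out[64];
    printf("ok:  overread=%zu response=%ld\n", hb_overread_bytes(HB_OK, sizeof HB_OK),
           hb_build_response(HB_OK, sizeof HB_OK, out, sizeof out));
    printf("bad: overread=%zu response=%ld\n", hb_overread_bytes(HB_BAD, sizeof HB_BAD),
           hb_build_response(HB_BAD, sizeof HB_BAD, out, sizeof out));
    return 0;
}
```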
Security experts stress the importance of changing your passwords in the wake of the Heartbleed bug, but even this may not be enough to completely prevent security intrusions. If a site’s database was compromised before the fix, visitors’ information could be placed in the hands of individuals and/or organizations with nefarious intent.