Since the massive Target (TGT) security breach news, cyber security has become a household term.
But the latest announced breach could involve even larger numbers of people, and nearly everybody using the Internet could be at risk.
It’s called the Heartbleed Bug. You likely haven’t heard about it because it ranks high on the techno-geek scale. Here’s how it works.
The bug is a vulnerability in OpenSSL, a popular encryption software package. OpenSSL is used by many major companies, including Google, Yahoo and Facebook. When you input sensitive information like a credit card number or password into a website, it’s encrypted so thieves can’t intercept it. The encryption technology is called SSL -- and OpenSSL is the software that powers most SSL technology.
Intercepting The Heartbeat
On Monday, researchers announced that a bug in the OpenSSL software exposes sensitive user data to spying -- and that the bug had been present for about two years.
So why is it called the Heartbleed Bug? Before an SSL connection is established, the sending computer sends a signal, called the heartbeat, to the other computer to make sure it’s online. Researchers found that thieves could send a message that tricks the computer into giving up secret information: in this case, the contents of the computer’s memory or RAM.
Among the scariest pieces of information accessible through the bug are the unlock codes that allow thieves to decrypt sensitive data.
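The length check that keeps a heartbeat reply from spilling memory, as an added example (not from the original article and not OpenSSL's own code). It assumes the heartbeat message layout of RFC 6520: one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding. The function names and the two sample records are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* message types and sizes per RFC 6520 */
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload length */
#define HB_MIN_PAD  16  /* minimum padding after the payload */

/* Constructed sample records (not captured traffic); unset bytes are zero padding. */
static const uint8_t HONEST[3 + 4 + 16] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t LYING[3 + 4 + 16]  = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};

/* Payload length the sender claims (big-endian 16-bit field). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes beyond the received record that a handler trusting the claimed
 * length would copy from adjacent memory; 0 means the claim fits. */
size_t hb_overread_if_trusted(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = hb_claimed_len(rec), present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened handler: writes the reply to out and returns its length,
 * or returns 0 when the request must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    /* The bounds check: the claimed payload plus padding must fit in the record. */
    if (resp_len > rec_len || resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    memcpy(out + 1, rec + 1, 2 + claimed);             /* length field + payload */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);  /* real stacks use random padding */
    return resp_len;
}

int main(void) {
    uint8_t out[64];
    printf("honest: reply=%zu\n", hb_build_response(HONEST, sizeof HONEST, out, sizeof out));
    printf("lying:  reply=%zu overread=%zu\n",
           hb_build_response(LYING, sizeof LYING, out, sizeof out),
           hb_overread_if_trusted(LYING, sizeof LYING));
    return 0;
}
```

The second record sends four bytes of payload but claims 16,384; the hardened handler drops it, while a handler that trusted the claim would have echoed back thousands of bytes of whatever sat next to the request in memory.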
Don’t understand all of this techno-geek talk? Here’s what it comes down to and here’s why everybody should know about this.
The Target security breach involved one computer system. If you didn’t shop at Target, you weren’t affected -- but this breach affects two-thirds of all sites on the Internet. If you’ve entered sensitive information into a website at any time in the past, you could be a victim.
Putting In A Fix
If it’s such a big deal, why isn’t this front-page news?
Because this bug was discovered by a research team that alerted OpenSSL before announcing the find. OpenSSL created a fix and pushed it out to users before the find was publicly announced. There are no reports of user data being compromised at this time. Some experts have reported that this could have been exploited by agencies like the NSA, but there’s no proof of that, either.
The bigger companies have likely applied the fix already. According to a Google spokesperson, "We have assessed the SSL vulnerability and applied patches to key Google services."
Unfortunately, there’s nothing consumers can do to protect themselves -- other than change their sensitive information once a website has applied the fix. For now, vigilance in monitoring credit card statements, credit reports and other sensitive information is the best defense.
Disclosure: At the time of this writing, Tim Parker had no position in the companies mentioned.