In a message from the Department of Homeland Security (DHS), the government says it has reached out to “vendors and asset owners,” asking them to analyze their computer systems for the bug that leaves the machines open to a cybersecurity attack.
“While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems,” DHS said. “That is why everyone has a role to play to ensuring [sic] our nation’s cybersecurity.”
DHS adds that it plans to “continue to work closely with federal, state, local and private sector partners to determine any potential impacts and help implement mitigation strategies as necessary.”
The Heartbleed bug was named by security professionals at Codenomicon and Neel Mehta of Google Security, who announced their discovery Monday. The bug allows attackers to access vast amounts of private information, including usernames, passwords, instant messages, personal emails, and more.
The bug itself was created by Robin Seggelmann, a 31-year-old Münster, Germany-based programmer, who wrote the error-filled code in December 2012. The code was part of OpenSSL, an open-source cryptographic protocol that enables Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption. SSL is a popular security technology that creates an “encrypted link between a web server and a browser,” as info.ssl.com explains it, and is used by millions of websites to protect data exchanged through servers.
Seggelmann says he accidentally inserted the code, adding it could “be explained pretty easily” and that it was “a simple programming error.”
The bug has resulted in thousands of businesses (including Yahoo and Tumblr) asking their users to reset their passwords. On Wednesday, the Canadian government suspended its online tax collection service to make sure its systems were secure.
The only sure way to protect yourself from the bug is to avoid sites that are vulnerable. For sites that have fixed the bug, changing your password is one of the ways to protect your information. To see if your favorite sites have been affected, use Italian programmer Filippo Valsorda’s tool called the “Heartbleed Test.”
DHS has also provided the following list of tips on how to further protect yourself against the bug:
Many commonly used websites are taking steps to ensure they are not affected by this vulnerability and letting the public know. Once you know the website is secure, change your passwords.
Closely monitor your email accounts, bank accounts, social media accounts, and other online assets for irregular or suspicious activity, such as abnormal purchases or messages.
After a website you are visiting has addressed the vulnerability, ensure that if it requires personal information such as login credentials or credit card information, it is secure with the HTTPS identifier in the address bar. Look out for the “s”, as it means secure.