Is it all hype or has Heartbleed actually done damage?
While the Heartbleed bug has caused a great deal of anxiety by being touted as “one of the most serious computer security breaches of all time,” some people are not convinced it has caused any damage at all.
Calling it a bug, or a virus, is not 100% accurate either; Heartbleed is actually a weakness in systems running OpenSSL. Affected sites are ones whose addresses begin with “https://” rather than “http://”. The Heartbleed weakness creates a window through which hackers can bypass encryption. So, how serious is Heartbleed?
In a way, it depends on who you ask. There have been several reported instances of Heartbleed-related problems:
Heartbleed was used to attack a “major corporation.” Hackers used the Heartbleed vulnerability to break into a major corporation’s network, and then to further attack an employee’s virtual private network (VPN). Their intent seemed to be to use the VPN to move laterally and escalate privileges. The name of the corporation was not mentioned, nor the extent of the damage.
A Canadian attacker used the Heartbleed “bug” against the Canada Revenue Agency to capture approximately 900 social insurance numbers (SINs), comparable to our social security numbers. While the attacker was arrested, authorities do not know what happened to the numbers, so identity theft becomes the primary concern here.
Mumsnet forced all 1.5 million users to change their passwords because they believed Heartbleed attackers had gained access to users’ passwords and messages. This poses a large security risk, not just for the Mumsnet site, but elsewhere; if hackers were able to view a user’s password and gain access to their account, they would also be able to see the user’s email address. Many of us use the same password for multiple accounts and sites, so it stands to reason that the hackers would attempt to use your password to gain access to your email and other favorite sites (which they can see by reading your emails). Tip: change your email password to something you only use for email. Do this for your bank account as well.
And the kicker is that the NSA knew
The shocker: Bloomberg reports that the NSA knew about the Heartbleed vulnerability for the past two years and chose to exploit it, rather than prevent it.
The bottom line: there really is no way to tell, yet, exactly how much damage the Heartbleed vulnerability has caused. Some of those affected by the vulnerability have not yet come forward, as it would be an admission that their encryption was weak. It is simply easier to deal with the problem internally. However, it is clear some of the anxiety is justified because Heartbleed has done damage.