Your Social Insurance Number and other data may have been stolen as a result of a security bug in code used by two-thirds of "secure" websites on the internet — including Canada Revenue Agency — as well as mobile apps, email and chat servers, VPN clients and hardware devices such as routers. Here's what you need to know.
What is Heartbleed?
Heartbleed is a security bug or programming error in popular versions of OpenSSL, software code that encrypts and protects the privacy of your password, banking information and other sensitive data you type into a "secure" website such as Canada Revenue Agency or Yahoo Mail. Such websites can be identified by the little "lock" icon on your browser or the "s" at the end of "https" before the web address.
Heartbleed is not a virus or malware, but could be exploited by malware and cybercriminals.
The vulnerability allows "anyone on the internet" to read the memory of the system protected by the bug-affected code. That way, they can get the keys needed to decode and read the data, according security researchers at the Finnish firm Codenomicon who discovered it.
The bug, named for the "heartbeat" part of the code that it affects, was independently discovered recently by Codenomicon and Google Security researcher Neel Mehta. The official name for the vulnerability is CVE-2014-0160.
The researchers have set up a website with more detailed information.
What can cybercriminals access by taking advantage of the bug?
User names, passwords, instant messages, emails, business documents and business communications were all accessible during tests by the researchers.
"This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," they wrote on an website with information about the bug.
What internet services are affected?
According to Codenomicon, OpenSSL is the most popular open-source code used for encryption on the internet. The versions with the bug are used by:
- More than two-thirds of active websites on the internet.
- Many mobile apps.
- Email and chat servers.
- Virtual private networks, often used to access corporate resources from outside the office.
- Hardware devices such as routers.
Among those using the affected code was the Canada Revenue Agency website, which confirmed April 14 that that sensitive data, including 900 Social Insurance Numbers, had been stolen as a result of the bug. The public portions of the website were shut down April 9 to 13 deal with the security hole, just weeks before the Canadian tax deadline.
Yahoo, including its Tumblr blogging and Flickr photo sites, was also affected, but said it had patched most services by the afternoon of April 8.
A bigger list of popular sites and whether they are affected by Heartbleed has been compiled by the technology website Mashable.
University of Michigan researchers also posted a list of the Top 1,000 vulnerable domains as of April 9 at 4 p.m. ET. The only .ca domain was sunnewsnetwork.ca.
And Digital Trends has posted a list of affected mobile apps.
Codenomicon said many "large consumer sites" aren't affected because of their "conservative" choice of equipment and software.
"Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most," Codenomicon says.
Has my private information been stolen as a result of the bug?
For days, there were no confirmed reports of any information stolen as a result of the bug. However, on April 14, Canada Revenue Agency confirmed the Social Insurance Number theft. The agency is notifying the people via registered mail.
Late last week, White House intelligence officials denied that they had exploited Heartbleed to spy on internet users, contrary to a Bloomberg report based on interviews with two unnamed sources "familiar with the matter."
However, it's possible that the theft of personal information from you or other internet users has gone undetected.
Tests by security researchers showed that eavesdropping via the bug left no trace.
To make matters worse, the bug-affected code has been used by internet services for more than two years.
"I don't think anyone that had been using this technology is in a position to definitively say they weren't compromised," David Chartier, CEO of Codenomicon, told The Associated Press.
Security researchers detected large number of hackers scanning for the vulnerability across the internet this week.
There has even been one report of possible evidence that cybercriminals were using this back in November.
Can the bug be fixed?
Yes, but not by you.
A fixed version of OpenSSL was released on Monday, April 7. Websites and other services can be secured by using it or by disabling the affected part of the code. Then it needs to be incorporated into their software and the fixed software needs to be installed. That isn't always easy, especially for certain kinds of devices.
How can I protect myself?
Ari Takanen, chief technology officer for Codenomicon, advises you to wait for an official statement from the internet services you use (indicating that they have fixed the bug) and follow their guidelines.
Typically, that will involve things like changing your password. That is something you may have to do across many services you use.
However, steps like that are useless until the security hole has been fixed for the affected services.
"Changing before the service is patched could expose the new password," said a spokesperson for Google.
Unfortunately, many internet services have not been notifying their users directly about whether they are affected and whether they should change their password now or later.
However, recommendations about whether to change your password now for various sites have been posted by Mashable. Some additional recommendations for mobile apps are on a list compiled by Digital Trends.
In the meantime, a number of sites have have been set up where you can check if the web services you're using are vulnerable, including this one by LastPass password manager and this one, set up by Italian security researcher Filippo Valsorda.
You might want to stay away from sites identified as "vulnerable" for now.
However, these sites may not give an accurate result from all sites under all circumstances.
Security experts also recommend as a general rule that you use strong passwords that are different for different internet services and that you change them regularly.
So, specifically, where do I need to change my password? And what services are OK?
As mentioned earlier, the technology website Mashable has compiled a list of popular sites, with information about whether they were affected and suggestions about whether you need to change your password, and additional information abou affectedt mobile apps has been listed by Digital Trends.
Here's are some other services that are not on the list and how they may be affected:
- Android: According to the Google blog April 9, Heartbleed only affects Android 4.1.1 and patching information for Android 4.1.1 is being distributed to Android partners.
- BlackBerry's BBM service and Secure Work Space email: BlackBerry says it will issue a patch for iOS and Android versions by April 18.
- Canadian banks: Late April 9, Canadian Bankers' Association said there is no need for online banking customers to worry about their private information being stolen.
- Canada Revenue Agency: As of April 10, web services were still not available. The agency is expected to provide daily updates at 3 p.m. ET.
- Devices running VPN: Devices running the following software were affected: Cisco Systems Inc's AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks.