People are on edge thanks to Heartbleed, a coding mistake that inadvertently laid waste to the security of many big online services.
The revelation this week shocked the world. And new reports coming out about Heartbleed only seem to inspire more worries, not less. The unfortunate result is a lot of misinformation going around.
Care to join me in a little debunking session? Here are some of the doozies I heard this week, and why they’re not true.
Myth #1: Heartbleed Is A Virus
This OpenSSL bug is not a virus. It’s a flaw, a simple coding error in OpenSSL, the open-source encryption library that many websites and other servers use to implement SSL/TLS.
When it works as it should, OpenSSL helps ensure networked communication is protected from eavesdropping. (One clue that a website may be using it is when there’s a “HTTPS” in the Web address, with the extra “s”—although other forms of security do the same thing.)
So it’s a bug, a security hole that was accidentally left open, allowing others to surveil a communication or login event, as well as pull confidential data or other records out.
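As an added illustration (not part of the ReadWrite article and not OpenSSL’s own code), here is a simplified C model of the coding error behind Heartbleed: a heartbeat handler that trusts the length field inside the message instead of checking it against how long the message actually is, beside a version with the bounds check that RFC 6520 requires. The function names, the toy memory arena, and the adjacent “session=…” data are all constructed for the example; the arena is bounded so the unchecked copy stays well-defined here, whereas in a real process it runs on into neighbouring heap memory. The same handler runs on whichever side answers a heartbeat, which is why a client talking to a malicious server is exposed too (the “reverse Heartbleed” of Myth #2), and the unchecked version returns a normal-looking response and records nothing, which is why a leak leaves no trace (Myth #6).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified heartbeat record (after RFC 6520):
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, big-endian
 *   payload    : payload_length bytes
 *   padding    : at least 16 bytes
 * The record sits at the front of a toy arena `mem`; the bytes after it
 * stand in for whatever else happens to be adjacent in memory. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define ARENA_LEN       128
#define SECRET "session=cafe1234"   /* constructed adjacent data */

/* Vulnerable handler: copies as many bytes as the length field claims,
 * never checking that claim against the real record length.
 * (Only the arena bound keeps this model well-defined.) */
static size_t hb_respond_unchecked(const uint8_t *mem, size_t mem_len,
                                   size_t record_len,
                                   uint8_t *out, size_t out_len)
{
    (void)record_len;                        /* the bug: never consulted */
    uint16_t payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    if (payload_len > out_len) return 0;
    size_t avail = mem_len - HB_HEADER_LEN;  /* toy arena bound only */
    size_t n = payload_len <= avail ? payload_len : avail;
    memcpy(out, mem + HB_HEADER_LEN, n);     /* runs past the record */
    return n;
}

/* Hardened handler: header + claimed payload + padding must fit inside
 * the record that actually arrived, otherwise the request is dropped. */
static size_t hb_respond_checked(const uint8_t *mem, size_t mem_len,
                                 size_t record_len,
                                 uint8_t *out, size_t out_len)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING || record_len > mem_len)
        return 0;
    uint16_t payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > record_len)
        return 0;                            /* the missing bounds check */
    if (payload_len > out_len) return 0;
    memcpy(out, mem + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Writes a request whose length field says `claimed` while only `actual`
 * payload bytes follow, then places SECRET right after the record. */
static size_t build_arena(uint8_t *mem, size_t mem_len, uint16_t claimed,
                          size_t actual, size_t *record_len_out)
{
    size_t record_len = HB_HEADER_LEN + actual + HB_MIN_PADDING;
    if (record_len + sizeof(SECRET) > mem_len) return 0;
    memset(mem, 0, mem_len);                 /* padding bytes stay zero */
    mem[0] = 1;                              /* HeartbeatRequest */
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memset(mem + HB_HEADER_LEN, 'p', actual);
    memcpy(mem + record_len, SECRET, sizeof(SECRET));
    *record_len_out = record_len;
    return record_len + sizeof(SECRET);
}

static size_t run_case(int checked, uint16_t claimed, size_t actual,
                       uint8_t *out, size_t out_len)
{
    uint8_t mem[ARENA_LEN];
    size_t record_len = 0;
    size_t mem_len = build_arena(mem, sizeof mem, claimed, actual, &record_len);
    if (mem_len == 0) return 0;
    return checked ? hb_respond_checked(mem, mem_len, record_len, out, out_len)
                   : hb_respond_unchecked(mem, mem_len, record_len, out, out_len);
}

/* Did the response carry the adjacent SECRET bytes? */
static int contains_secret(const uint8_t *out, size_t n)
{
    size_t slen = sizeof(SECRET) - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Malformed request: 4 real payload bytes, length field claims 64. */
size_t unchecked_response_len(void) { uint8_t o[ARENA_LEN]; return run_case(0, 64, 4, o, sizeof o); }
int    unchecked_leaks_secret(void) { uint8_t o[ARENA_LEN]; size_t n = run_case(0, 64, 4, o, sizeof o); return contains_secret(o, n); }
size_t checked_response_len(void)   { uint8_t o[ARENA_LEN]; return run_case(1, 64, 4, o, sizeof o); }
/* Well-formed request: length field matches the 4 bytes that follow. */
size_t benign_response_len(void)    { uint8_t o[ARENA_LEN]; return run_case(1, 4, 4, o, sizeof o); }

int main(void)
{
    printf("unchecked: %zu bytes returned, secret leaked: %d\n",
           unchecked_response_len(), unchecked_leaks_secret());
    printf("checked:   %zu bytes for the malformed request, %zu for the benign one\n",
           checked_response_len(), benign_response_len());
    return 0;
}
```

The unchecked handler answers the malformed request with 37 bytes, 4 of which are the real payload and the rest whatever sat next to it in the arena, including the constructed session string; the checked handler returns nothing for that request and the expected 4 bytes for the well-formed one. Nothing about the bad request looks unusual to the unchecked code, so it raises no error and logs nothing, which is the “no trace” property the article describes.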
Myth #2: The Bug Only Affects Websites
Potential security breaches for servers and routers are massive issues, as they allow for the greatest amount of data to leak. And so, websites, online services and network servers tend to get the lion’s share of press. But they’re not the only potential targets.
The clients that communicate with those servers—i.e. your phones, laptops and other devices used to jump online or connect to other networks—are at risk too due to what’s increasingly being called “reverse Heartbleed.” What that means is that the data stored in your device’s memory could be up for grabs.
“Typically on the client, the memory is allocated just to that process that’s running. So you don’t necessarily get access to all the processes,” David Chartier, CEO of Codenomicon—the Finnish security firm that co-discovered Heartbleed—told ReadWrite. “[But] you can still leak contents of emails, documents and logins.”
The idea of unauthorized access to accounts and system settings can be particularly disconcerting for smart home users. I reached out to startups like SmartThings and Revolv, as well as Zonoff—the company powering Staples Connect’s smart home system—and iControl, which supplies the technology for services like Time Warner Cable, ADT, Comcast, Cox, Rogers and others.
SmartThings and Revolv have both patched the bug by updating their software to the latest version of OpenSSL. iControl reported back to me, saying that it doesn’t use OpenSSL. At press time, Zonoff wasn’t available for comment.
(Update: Zonoff also uses OpenSSL, but the company confirmed to ReadWrite that it has updated affected servers with the most recent software, thereby patching the vulnerability.)
Myth #3: Hackers Can Use It To Remote Control Your Phones
By all indications so far, a hacker can’t tunnel in directly using Heartbleed and take over control of your smartphone. Again, what’s at stake is the data stored in its memory, at least for those devices that haven’t been patched with the latest version of OpenSSL.
Even if it were possible, iPhones and most Androids are immune to Heartbleed, with one big exception—Android 4.1.1. Google, however, says patches will go out to cover this version of its mobile operating system. Overall, the fact that iOS and Android are largely unaffected must come as a relief, particularly given recent iOS security concerns on other fronts.
Of course, the apps these phones run might be another story. BlackBerry acknowledged that BBM for iOS and Android, for example, is vulnerable to Heartbleed. Attackers still wouldn’t be able to get into the device memory itself using it, but they might be able to listen in on insecure chats in progress. (Update: Blackberry says it is readying a BBM update to address Heartbleed.)
Myth #4: Windows XP Users Are Screwed Because Microsoft Abandoned Them
Completely false. Sure, the timing is bad. Microsoft said it won’t be supporting Windows XP just as Heartbleed panic spread across the land. But the tech company does not use OpenSSL.
That’s great news for the loads of PCs out there that still use the 14-year-old Windows operating system—which, at press time, made up more than a quarter of all running desktops. Because if the bug did affect them, they’d be stranded with Heartbleed and no hope of a security update.
People running XP, indeed all Windows users, get the company’s own encryption component called Secure Channel (aka SChannel), and it’s not susceptible to this particular bug. However, it’s worth noting that XP users won’t get any further software support or updates for SChannel either.
The exceptions are Windows Azure users running Linux in Microsoft’s cloud service. These distributions rely on OpenSSL, so Microsoft urges these users to contact the distribution providers for the updated software. As for Mac OS X, Apple has officially declared it is not vulnerable to Heartbleed.
Myth #5: All Of Our Banks Are Open For Heartbleeding
The security flaw is serious, but it can’t pry open the virtual vaults at our top banks. In fact, American Banker, a news site for bank technologies, reports that no major banks are susceptible.
These companies have all announced that they don’t use OpenSSL, so they aren’t at risk:
- Bank of America
- Capital One Financial
- JPMorgan Chase
- TD Bank
- U.S. Bancorp
- Wells Fargo
- PNC Financial Services Group
Of course, there are many more banks and credit unions out there, which is why the Federal Financial Institutions Examination Council (FFIEC) urged “financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability.”
Furthermore, CNET’s check of high-trafficked websites shows that PayPal is not vulnerable to Heartbleed either. Neither are these major retailers, where people may store debit or credit card information:
(Looks like Target learned a thing or two from its major security breach late last year.)
So no, the Heartbleed glitch doesn’t throw open the doors of these banks and major stores, at least not directly. However, just because these sites and accounts aren’t subject to these hacks, it doesn’t mean that data is entirely safe. (See below.)
Myth #6: My ____ Site/Service Wasn’t At Risk Or Issued A Patch! I’m Safe Now.
Not quite. Heartbleed is insidious because it leaves no trace. That means there’s no way to tell if your information was stolen previously from a site or service that has now fixed it.
As for places that weren’t vulnerable to begin with, your accounts there may still be at risk, if that login information was stored or sent somewhere that was breached.
Here’s what it boils down to: You’ll want to change passwords everywhere, except on affected sites or services that haven’t patched the hole yet. But be sure to do it once they’ve updated their software. You’ll also want to check your credit, account statements and online activity to make sure no unauthorized entries appear.
Myth #7: NSA Has Been Using Heartbleed To Spy On Us
Citing unnamed sources, Bloomberg accused the National Security Agency of knowing about Heartbleed and keeping it quiet. But that’s not all. The agency wasn’t simply aware of the bug, says the report—it allegedly exploited the flaw for two years, using it to spy on Americans.
In light of the PRISM revelations, it’s all too easy to believe. Even before Bloomberg’s accusation, suspicions were high that the NSA was involved, with plenty of tweets flooding Twitter questioning the agency’s knowledge. It was as if a chorus of “Of course the NSA’s involved” rang throughout the Web.
But the NSA flatly denies it. The agency said it didn’t use the security hole—in fact, it claimed to be completely ignorant of the bug’s existence prior to the announcement going out.
There’s no way to know if the NSA is being honest with its denial; the agency’s credibility isn’t exactly at an all-time high. But there’s no hard proof that it has actually exploited Heartbleed for surveillance. So, for now anyway, it’s going in the “myth” pile.
See also: NSA Accused Of Exploiting Heartbleed For At Least Two Years, But Agency Denies
It’s difficult to imagine any federal authority or agency not being aware of such a serious security weakness that affects so many. But it’s not totally impossible. Just ask the Canada Revenue Agency. That government branch, which also used OpenSSL, had to shut down parts of its website temporarily because it was found to be vulnerable to Heartbleed as well. This just weeks before the Canadian tax deadline, to boot.
Have you heard any Heartbleed myths or untruths? Deposit them in the comments, so we can all debunk them.