Security alert level: really high. On Monday of this week, security professionals received a scary message: a bug, named Heartbleed, had been discovered in a widely-used release of the popular open-source security protocol OpenSSL. What makes this bug truly scary is that it allows anyone on the Internet to extract 64 KB of working memory from a server running an affected version of OpenSSL at any time. And, the bug has been around for two years. And, it’s impossible to know whether or not it’s been exploited before. And approximately two thirds of all web servers use OpenSSL. Get the picture?

So, how does it work? In short, the bug is a simple coding mistake. There’s no flaw in the SSL/TLS protocol specification, but there is a problem with the OpenSSL’s implementation of the heartbeat extension. When a client and server communicate, they exchange a handshake or “heartbeat” to ensure that both machines are working and are correctly identifiable. In the problematic heartbeat implementation, the client sends a certain amount of data to a certain section of the server’s memory. Then, the server sends the same amount of data back. A variable called payload checks to make sure that the amount of data returned is the same as the amount of data received.

Therein lies the issue. Because of the extraordinarily simple bug the server does not check to make sure that it actually received the amount of data that payload said it did, making it possible for the server to send back a certain amount of data from the memory address that the original command specified. The client could send no data whatsoever, but if it says it did than the server will send some back. The danger lies in the fact that computers do not actually delete files from memory until they are powered down. Instead, they mark the data as overwriteable. When the client does not send any data to overwrite the memory in the address specified by the heartbeat command, the server simply grabs some random data out of memory and sends it off. This data could be your bank account password, or worse, the encryption key or admin login to the server.

Next steps? Change all of your passwords. However, if the affected server has not been updated to a patched version of OpenSSL, any effort you make will be fruitless. A number of affected sites, like Yahoo, have already worked on updating their servers. This weekend will probably be a good time to change passwords as that gives affected sites some time for them to be patched.

For further reading and more in-depth explanations of Heartbleed, see these articles:

• http://heartbleed.com/
• http://www.theverge.com/2014/4/8/5594266/how-heartbleed-broke-the-internet
• http://www.thewire.com/technology/2014/04/what-you-need-to-know-about-heartbleed-the-new-security-bug-scaring-the-internet/360366/
• http://www.howtogeek.com/186735/htg-explains-what-the-heartbleed-bug-is-and-why-you-need-to-change-your-passwords-now/
• http://lifehacker.com/what-the-heartbleed-security-bug-means-for-you-1560801201
• http://gizmodo.com/how-heartbleed-works-the-code-behind-the-internets-se-1561341209
• http://gizmodo.com/heartbleed-why-the-internets-gaping-security-hole-is-1560812671

As of today, no more patches, hotfixes, security updates, or technical support will be provided for Windows XP. Time to upgrade to a new version of Windows, buy a new computer, switch to Linux or Mac, or take any Windows XP computers offline.

Image courtesy of the official Microsoft Windows XP support website.

Today I accidentally fell victim to something I knew about but was not watching for, thanks to CNET: adware. Knowing that CNET tends to unethically package junkware with their software downloads, I try my best to avoid them, but I was looking for a discontinued Dashboard widget for a Mac (iStat Pro, to be precise) and the only download I could find was through, of course, CNET. Well, I thought, I’ll take the plunge. I know about adware and can probably avoid any unwanted installations, right?

Unfortunately not. I got distracted at just the wrong time and clicked “Install” when I shouldn’t have. The result: my search engines in Chrome and Safari changed to Yahoo! and a plethora of Spigot adware and toolbars installed on a MacBook that I had just performed a clean install of Mavericks on. Worse yet, I had just signed in to Chrome and so my newly installed and unwanted extensions were now synced with the rest of my computers.

This is truly unacceptable behavior from a site that hosts downloads and even professes to be a reliable source of software. My recommendation is never to use CNET’s downloads again and to avoid any Spigot software. The photo below is the screen that I missed and which contained the options not to install a bunch of junk on my Mac.