The Heartbleed Bug was a major story not that long ago. Lists of affected websites circulated with instructions to change your passwords if you had accounts at those websites.
In the whirlwind of online news articles, a lot of jargon got tossed around that the average computer user may not be familiar with, and any time there is a knowledge gap, scammers can and do take advantage of it. Spam emails began to circulate claiming to include a Heartbleed removal tool that was, naturally, a malicious program itself. The attachment, if opened, installed a keylogger on victims’ computers, which could transmit sensitive information to criminals. Symantec has a fine article about this particular attack.
Of course, if you’re an old
hack hand at Computer Stuff like myself, you already knew that Heartbleed was a bug affecting servers, not a virus. But not everybody is familiar with all these terms, so I decided it would be useful to explain some of these concepts in layman’s terms.
DATA is digital information. If you’re looking at a website, your computer is taking data and presenting it in a readable, watchable, or listenable way. You’re looking at data, which happens to be mostly in text form, right now. When you have an account at Amazon or Facebook (for example), your username and password are part of your personal data, which is the stuff you don’t want being accessed by anyone but yourself. Websites keep this kind of data on servers that use various software to make it (hopefully) impossible to access by unauthorized people.
A SERVER is a big computer where data is stored. When you watch a video on YouTube, the digital information that makes up that video is stored on an incredibly large computer, which transmits that data to your computer, which turns it into a video you can watch. Companies such as Facebook and Google have multiple servers that fill entire buildings. Your employer may have a smaller server that looks like a regular desktop computer, which hold all the business’s customer data, and only employees have access to it. Same concept, different scale.
OpenSSL is a particular type of server software that was affected by the Heartbleed bug. You know how your desktop computer runs Windows or MacOS, and your phone runs Android or iOS? OpenSSL is pretty much the same type of thing for servers. Your home computer uses Windows or MacOS to do home computer things, some (but not all) servers use OpenSSL to do server things, like store huge customer databases.
A BUG is a flaw in a piece of software. You know how sometimes you download some goofy free app on your phone, and it works for a few seconds then crashes? That app has a bug that makes it function improperly. In the case of Heartbleed, the bug was a security flaw that potentially opened up account information (such as encrypted passwords) to hackers.
ENCRYPTED data has been scrambled in a way that unauthorized persons cannot access it. Servers don’t just store your username and password in text form because it would be too easy for someone to just steal the file and open it. They use complicated methods to make sure that, even if someone got the file, they wouldn’t be able to read it. (At least, this is how it would always work in a world without security bugs like Heartbleed; this is why you had to change your passwords at affected sites after the bug was fixed.)
HACKER: a person who breaks into computer networks. This in and of itself does not make them bad…many are actually hired to break in, in order to highlight security flaws so they can be fixed. Some use their skill for criminal purposes.
These are pretty simplistic explanations, but I think it’s important to at least have a concept of what these terms mean, so that when you read an article that says “security bug affecting servers running OpenSSL versions etc…” you can at least understand that they’re talking about software you’re NOT running on your home computer, and to ignore any emails offering a fix because Heartbleed wasn’t a virus in the first place.
But you’re not going to open attachments in any unsolicited emails, anyway, are you? If nothing else, remember this First Principle: “If you didn’t ask for it, don’t click on it.”