Understanding the Heartbleed bug

The Heartbleed bug has been widely reported over the last month, but what is it and how does it effect e-safety?

Firstly, let us just clear up a common confusion between the terms 'bug' and 'virus'. A bug is a mistake or error in a computer system which can cause a system to malfunction or to behave unexpectedly.

The term bug is derived from the days when computers used valves as opposed to transistors or solid state electronics and actual insects getting into the workings of a system would cause errors.

A virus, is a piece of often malicious software code which is designed to spread from computer to computer and usually has a mission to interfere with the running of that system or access data that shouldn't be available.

A bug may lead to a computer system having a security hole. A virus may be written to take advantage of that bug and thus circumvent system security.

However, it is not just a virus which may 'exploit' a bug. A known error in a system could for instance be utilised by remotely communicating with a computer system using software or direct input from a computer terminal.

So what is the Heartbleed bug?

In order to secure a 'session' between a user and a computer system on the Web, a protocol called SSL (Secure Sockets Layer) is used. The aim is to encrypt data sent over the internet so that is can only be understood by the sender and the intended recipient.

A protocol is a defined standard which software systems implement in order to communicate with other systems with their own implementation of the protocol.

In a Web application there are many protocols and patterns which need to be implemented and rather than building these from scratch for every single computer system, most software languages will utilise tried and tested libraries of common computation requirements, such as for instance the implementation of a protocol. This is good practice as it ensures consistency and in general reduces the amount of potential errors.

The protocol SSL is widely implemented in Web systems by using the library component OpenSSL and it was this piece of software which contained the error. This essentially meant that, once discovered the error could potentially be exploited to allow a third party to access a supposedly secure communication session and retrieve data it should not have access to.

Fixing the bug

Once discovered, the bug was fixed or patched within OpenSSL relatively quickly. The next step was for computer systems to apply the new fix to their servers.

Our own servers, which run this very Web application were patched on 8th April and are now secure against any Heartbleed exploits.

What's all this about needing to change my passwords?

There have been some very confusing mixed messages about whether a user needs to reset their passwords.

Firstly, the Heartbleed bug only effects systems which have used OpenSSL, however this is huge amount of systems, as a rule though, most banks do not fall into this category.

There is a list here on Mashable.com of the most commonly used Web sites together with advice as to whether or not they were vulnerable to Heartbleed and whether a password reset is recommended.

The Heartbleed bug potentially allowed a third party to obtain user details including email address and passwords for a system. 'If' this has happened then that system is no longer secure and the password should be reset. However, it is not know how many, if any systems were actually attacked and thus there is no way of knowing for sure for any given system whether a reset is required.

The risk is low, but ...

Many people tend to use the same password for multiple systems and so it is possible that an email address and password obtained for one single system might be useable to access any number of other systems. SO for instance if the password you use for a compromised system is the same password you use to access your email account, your email is no longer secure.

It is for this reason that resetting your passwords is recommended.

As a rule it is good practice to ensure you have secure (mixed case, letters, numbers and symbols) passwords which are unique to each system you access. It's also a good idea to change these passwords periodically.

For the more tech savvy reader, the ever excellent XKCD had a great cartoon explaining the specifics of the bug.

Written by E-safety Support on April 24, 2014 08:43

16-24s not concerned about virus protection on their mobiles

A new report from youth insights consultancy Voxburner into online security and data privacy reveals that only 19% of 16-24s use security software on their mobile device, compared to 87% who do so on their laptop or PC.

The vast majority of young people (93%) believe they have a high or good ability to deal with security threats across all their devices, whilst over half (58%) consider themselves only at minor risk.

Young males consider themselves to have a higher ability to spot dangers than their female counterparts. 45% of male 18-24s say they are very confident in their ability to avoid online security threats, compared to 28% of female 18-24s.

Commenting on the results Luke Mitchell, Head of Insights at Voxburner, says “Most young people regard themselves as advanced technology users who are experienced enough to recognise scams and avoid viruses, but it is surprising how little concern they show when it comes to their phone being at risk. There is an worrying assumption that they are safe from dangers on their mobiles.”

Zoe, aged 21 from Kingston upon Hull says, “I didn’t even know you could get antivirus for your phone. To be honest I don’t download anything on to my phone anyway so I don’t know how I could get a virus.”

Jess, aged 19 from Cardiff says, “I have heard of antivirus software for phones, however I think people chose not to get it due to the limited space available on their phones. Having an antivirus software might prevent people from having so many songs, or even apps and photos.”

The report also revealed young technology users are resistant to thumbprint scanning built into the lock screen of their phone. Even if it offers some benefits, 18-24s spoke of the disruption to their user experience - they value convenience and speed above improved security.

April, 19 from Reading says, “OTT much! And what if you need someone to use your phone quickly for you? For laptops I can just about understand it, or for a front door. But a phone? No way.”

Raphael aged 20 says, “It’s a pretty cool feature, but I’m not too keen on Apple having my fingerprints no matter how much they say it’s private and secure. It’s also not worth upgrading from the iPhone 5 for the new features.”

The full Online Security and Data Privacy report from Voxburner can be downloaded here..

Written by E-safety Support on March 04, 2014 10:56

Busting the digital native myth

We are hearing more and more about the ‘digital native’ generation – young people who have grown up with a world of information and technology at their fingertips. But does this culture of being in natural surroundings breed the expectation that this generation are also safe in the environment.

Let’s take a few steps back…

It’s fair to say, my Dad knows a thing or two about computers. He had the opportunity in the 1970’s of operating a computer, which (without exaggeration) filled an office the size of your average classroom. Moving into the early 80’s and we had the raft of personal computers that came onto the market (for the nostalgic, these included the ZX81 through to the Amstrad CPC – we really were cutting edge in our house!). So when the world wide web arrived, we had that too.

Having seen the developments over the years, this generation has also understood the need to proceed with caution. Things didn’t always go right. So as each new technology came onto the market, so did the need to understand the risks and perhaps steer clear. So my Dad, despite being familiar with all the technologies, doesn’t have any social media accounts and is planning on keeping it that way.

Moving onto the next generation (that’s me) and things are a little different. I was lucky enough to have a mobile phone when I was 19, it was a Motorola – the one that looked like a brick (and weighed about the same). You could make calls on it and that was it. I remember life before the internet and actually having to go to the library if I wanted to research something. Now for me, online activity is something that I will happily engage with, but I know to have different passwords, understand that emails asking for my bank details are most likely phishing and I know exactly who all my Facebook friends are.

So what about these digital natives. I recently asked some young relatives how they could access the internet. They spent the next few minutes reeling off a list of phone, TV, Xbox, laptop and so on. So they do understand that they have a vast amount of access to the internet, but now, going back to my Dad, he tells me that he has had to re-install his computer twice because something has been downloaded or accessed by one of the grandchildren that had put a virus on his machine. One of the kids also has a Facebook account, but doesn’t know personally all the people on it (just in case, I got his parents to check out his account), and another is regularly inviting comments about her and her friends on her profile page.

These are the things that indicate that this digital native generation, while completely comfortable in the online world, are not aware of the risks that they are taking, not to mention the digital footprint they are leaving behind. Is this familiarity with the social media world actually putting them more at risk than the cautious generations before them? The technological times are moving so fast, that simply keeping up is hard enough without having to keep up with the dangers too.

Perhaps it’s not a generation of digital natives, but rather one of the digitally naïve.

Written by E-safety Support on June 24, 2013 15:23


Join E-safety Support

  • Protect your pupils
  • Support your teachers
  • Deliver outstanding practice

Recent Stories
Story Tags
addiction anti_bullying_alliance anti-radicalisation apps ask.fm assembly avatars awards bett Breck_Foundation bug bullying BYOD calendar cber_bullying censorship ceop checklist child child_exploitation childline childnet child_protection childwise ClassDojo classroom competition cookies CPD creepshot CSE curriculum cyberbullying cyber_bullying cyber_crime cybersmile_foundation cybersurvey development devices DfE digital_citizenship digital_footprint digital_forensics digital_leaders digital_literacy digital_native digital_reputation digital_wellbeing eCadets education e-learning emoticon e-safe esafety e-safety e-safety, e-safety_support #esscomp #esstips ethics exa exploitation extreemism extremism extremism, facebook fantastict fapchat FAPZ film filtering freemium friendly_wifi gaming #GetSafeOnline glossary GoBubble gogadgetfree google governor grooming #GSODay2016 guidance hacker hacking icon information innovation inspection instragram internet internet_matters internet_of_things internet_safety into_film ipad iphone ipod irights IWF language leetspeak lesson like linkedin malware mental_health mobile monitor monitoring naace navigation neknominate netiquette network news NHCAW nomophobia nspcc NWG ofcom offline ofsted omegle online online_safety oracle parents phone Point2Protect policy pornography power_for_good pressure PREVENT primary privacy professional_development protection PSHE #pupilvoiceweek ratting rdi reporting research risk robots safeguarding safer_internet_day safety SCD2015 #SCD2016 school sdfsdf security self-harm selfie sexting sextortion ShareAware sid SID SID2016 SID2017 smartphone snapchat snappening social_media social_media, social_networking staff staff_training #standuptobullying statutory_guidance Stop_CSE stop_cyberbullying_day stress students survey swgfl SWGfL tablet teach teachers technology texting tootoot training TrainingToolz troll trolling twitter UKCCIS uk_safer_internet_centre UK_youth unplug2015 virus webinar website we_protect what_is_e-safety wifi wi-fi windows wizard yik_yak young_people youthworks youtube YPSI
Archive