A recently discovered encryption flaw in OpenSSL — a software used by many popular social networking websites, search engines, banks, and online shopping sites to keep personal and financial data secure — has potentially exposed a majority of the internet. Not all secure sites use OpenSSL (a secure site typically has an “https://” prefix and a little padlock in the address line), but about 66% of websites do … so it’s a big deal.
The bug is called Heartbleed because it piggybacks on a feature called heartbeat, and it affects specific versions of the widely used OpenSSL cryptographic library. Basically, a coding error introduced more than two years ago in the open-source OpenSSL encryption library, and missed ever since, allows a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, which may allow an attacker to decrypt traffic or perform other attacks.
In other words, if someone knew this bug existed, they could intercept usernames, passwords, credit card details, and other sensitive information from a website’s server in plain text. It also allowed for a server’s private encryption keys to be stolen. Once stolen, these keys can be used by criminals to decrypt data sent between a website’s server and a user of that website. And, since it leaves no trace, system administrators would have no clue they were breached.
Renowned security expert Bruce Schneier said of Heartbleed, “On a scale of 1 to 10, it is an 11.”
What kinds of devices are impacted?
MIT Technology Review explains the Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated.
Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Philip Lieberman, president of the security company Lieberman Software. “ISPs now have millions of these devices with this bug in them,” he says. The same issue likely affects many companies, because plenty of enterprise-grade network hardware and industrial and business automation systems also rely on OpenSSL, and those devices are also rarely updated.
Large-scale scans of Internet addresses have previously uncovered hundreds of thousands of devices — ranging from IT equipment to traffic control systems — that are improperly configured or have not been updated to patch known flaws. (See MIT’s 2013 article called “What happened when one man pinged the whole Internet” [i.e. 3.7 billion IP addresses] for some disturbing findings about these types of devices.)
So what does this mean to me?
If you are a business, a developer or a system administrator … upgrading to OpenSSL version 1.0.1g resolves this vulnerability, but realize that your SSL digital certificates must be treated as compromised too (their private keys may have been read out of memory), so they must be recertified with new keys. US-CERT recommends administrators and users review Vulnerability Note VU#720951 for additional information and mitigation details. There is also a way to disable the heartbeat extension (although it is best to upgrade) – visit http://heartbleed.com to learn more. Also … once your system is upgraded and recertified, businesses and site owners should notify all users that the site is secure and encourage everyone to change their passwords as quickly as possible.
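For administrators who want a quick first check of which upstream OpenSSL release a host reports, here is an added example (not from the original post or from the OpenSSL project) that classifies an `openssl version` string against the affected upstream ranges, 1.0.1 through 1.0.1f and 1.0.2-beta1 (fixed in 1.0.1g; 1.0.0 and 0.9.8 never contained the TLS heartbeat code). The sample version strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: classify an "openssl version"
# string as Heartbleed-affected or not, using the upstream version ranges.
# Affected upstream releases: 1.0.1, 1.0.1a .. 1.0.1f, and 1.0.2-beta1.
# Fixed in 1.0.1g.  0.9.8 and 1.0.0 never shipped the TLS heartbeat code.

# heartbleed_vulnerable_version "OpenSSL 1.0.1e 11 Feb 2013"
# Returns 0 (true) when the version falls in an affected range, 1 otherwise.
heartbleed_vulnerable_version() {
    # "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"  (pure POSIX parameter expansion,
    # so no external tools are needed on a minimal appliance shell)
    ver=${1#OpenSSL }
    ver=${ver%% *}
    case "$ver" in
        1.0.1|1.0.1-*)                 return 0 ;;   # 1.0.1 with no letter suffix
        1.0.1[abcdef]|1.0.1[abcdef]-*) return 0 ;;   # 1.0.1a .. 1.0.1f, incl. "-fips" builds
        1.0.2-beta1)                   return 0 ;;
        *)                             return 1 ;;   # 1.0.1g+, 1.0.0, 0.9.8, LibreSSL, unknown
    esac
}

# Print a human-readable verdict and pass the same status through.
check_openssl_string() {
    if heartbleed_vulnerable_version "$1"; then
        printf 'AFFECTED upstream version: %s\n' "$1"
        return 0
    else
        printf 'not an affected upstream version: %s\n' "$1"
        return 1
    fi
}

# Constructed sample strings in the format "openssl version" prints.
check_openssl_string "OpenSSL 1.0.1e 11 Feb 2013" || true
check_openssl_string "OpenSSL 1.0.1g 7 Apr 2014" || true

# Check whatever binary is actually installed on this host, if any.
if command -v openssl >/dev/null 2>&1; then
    check_openssl_string "$(openssl version)" || true
fi
```

A caveat a practitioner needs: this only reads the version string. Several Linux distributions backport the fix into a package that still reports 1.0.1e or 1.0.1f, so a string match can produce a false positive; confirm with the package changelog, or with an SSL Labs test of the public service, before concluding a host is still affected. It also cannot see a second, statically linked copy of OpenSSL inside an appliance firmware image, which is exactly the case the MIT piece above worries about.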
For everyone else … there’s not much we can do other than avoid the Internet (okay … so that’s not realistic) … but you can be proactive and verify all the sites you have accounts with are fixed and get ready to change passwords as explained below. As ZDNet writes… if your bank, favorite online merchant, email, cloud and/or software provider hasn’t fixed Heartbleed yet [or advised that their site didn’t use the buggy version], close your accounts and find new service providers.
What can I do to protect myself?
Realize some sites don’t even use OpenSSL, others never upgraded to the 2012 OpenSSL release that introduced the bug so they aren’t vulnerable, and many others patched the Heartbleed flaw once it became known on April 7, 2014. And hopefully any and all websites impacted by this vulnerability will notify users once their systems are updated and recertified and recommend everyone log on and change their passwords.
Yes, it is a pain and will be time-consuming, but you should get in the habit of changing passwords every few months anyway.
And realize there will be some scumbags who will take advantage of this Heartbleed scare so be on the lookout for phishing emails requesting you click a link to change your password. The best way to ensure the security and integrity of any of your accounts is to go directly to each website and log in there to manage your secure data.
Mashable has compiled a Heartbleed Hit List of sites possibly affected by this flaw and advises whether you should change your password on sites like Facebook, Instagram, Tumblr, Google, Yahoo Mail and more.
If you’re not sure if a site you use is vulnerable, visit https://www.ssllabs.com/ssltest/ to perform an analysis of the configuration of any SSL web server on the public Internet. (If everything’s green, it has probably been fixed.) Another tool you can use to check sites is http://filippo.io/Heartbleed/.
Also, if you use Chrome as your browser, a browser extension called Chromebleed has just been released that will test a site before you visit it and display a message if it’s affected by Heartbleed. (Note: Some early reviews weren’t so good, so read the description and reviews before installing.) But keep in mind these tools are just resources and may not be totally reliable.
The best solution is to visit each and every site you use that has sensitive information (e.g. banking, email, social media, etc.) to find out if they have posted a public statement or link about the Heartbleed issue — or maybe they weren’t even impacted or vulnerable — but hopefully they’ll say something online or in a newsletter.
If they don’t mention anything about Heartbleed, call, chat or email to ask if they had a problem with it. And if a site was fixed … you should change your password.
Many experts suggest the best thing to do is change all your passwords now. BUT … realize you may have to change some of them again, since some websites may still be unpatched, meaning anything you send them is still exposed.
It’s totally your call, but it is wise to change your passwords often anyway … and you really should change them on any and all sites that have been patched.
Tips about passwords
- DO NOT use the same password for all your accounts! And make sure all your email accounts have unique passwords, since hackers with access to your email can visit other websites (e.g. banks, PayPal, email providers, etc.), submit a “forgot my password” request and intercept the email with the reset password.
- If your password appears on the Top 50 most common passwords that hackers have exposed, make up new ones.
- Create long passwords (at least 8 characters long) using a combination of letters, numbers and special characters … change them often … and don’t share them with others. Consider using numbers or special characters in place of letters if using words, acronyms or phrases. For example, instead of using “ilovesunnydays” as a password, you could use “1loVe$unnyd@ys” to strengthen it.
- Pet and family names are not good to use since hackers or criminals may have access to your personal data and/or your posts on Twitter, Instagram, Facebook, etc.
- Don’t use the “remember my password” option on accounts that contain sensitive data (like credit card data, etc.), since 1) typing them every time can help you remember passwords … and 2) if your PC or handheld device is stolen, the perp could potentially access your accounts.
- Some people invest in password manager services and apps, such as LastPass, KeePass, PasswordBox and 1Password, which keep track of passwords and suggest especially strong ones. However, some security experts warn against creating a single point of potential failure with all your passwords, especially if the service stores your passwords in the cloud. PCMag has some tips on various password managers.
- Make sure computers and all wireless devices have current anti-virus software and firewalls, schedule them to scan daily or weekly, and update virus patterns often. If you own or manage a business, encourage employees to protect their personal home devices too.
- Set security preferences as high as possible on Internet browsers and anti-virus packages.
- Although it is best not to open emails or attachments from unknown sources, that’s not always feasible – especially in the business world. But consider saving the attached files into a temporary directory and scanning them before opening.
- See more tips about protecting your devices from cyber threats on USFRA.org
For more information about Heartbleed:
Heartbleed.com (official site with data + tips for developers and general public)
OpenSSL Project (OpenSSL community with updates, source code, etc.)
US-CERT OpenSSL ‘Heartbleed’ Vulnerability
Heartbleed: What you should know (WaPo article by Gail Sullivan)
What you need to know about the Heartbleed bug (Good Q & A)
How Heartbleed Works (Good PC Mag SecurityWatch article)
Stay safe (and secure) out there! j & B
This was a really wonderful article. Thanks for supplying