What should you do about “HeartBleed?”

The following was originally posted on the Shoreline Area News, March 13, 2014 as part of the Tech Talk series

Last Monday, news broke about a key vulnerability in the primary encryption method used to ensure the security of the web sites we use. If your eyes just glazed over during that last sentence, it’s time to put on a pot of coffee and see why this is a potential threat to you…and what you can do about it.

The Story and the Danger
If you do Internet shopping, banking, or web-based email, you have made use of an “https” connection. This connection, also known as an SSL/TLS (Secure Socket Layer/Transport Layer Security) connection, is designed to ensure the privacy and security of your interaction.

The key provider of SSL/TLS is OpenSSL, an open-source project. As a majority of web servers, routers, and other network connections make use of OpenSSL, the potential for stolen passwords and other critical data is high, especially since software designed to exploit this vulnerability has also been discovered.

While the vulnerability is limited to a couple of recent versions of OpenSSL, the pervasiveness of the protocol improves the chance your information can be stolen and used.

How does this affect me?
Unlike the hacks at Target and other companies, this is not a localized threat. Using encrypted connections is at the heart of our Internet commerce and communication. Since we all use credit cards, communicate with banks, and share passwords and other personal data over SSL/TLS connections, that data could have been at risk.

The challenge in this case is that unless you encounter signs of theft (credit card use, account hacking, identity theft), there is no way to determine whether your data has been compromised. In security blogger Brian Krebs’s story on this topic, he quoted Jonathan Sander of Stealthbits Technologies as saying, “Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it.”

This sounds awfully scary…
Yes, it does, largely because of the uncertainties involved. There have been a lot of people who manage web sites working very hard to correct this problem. Sites like Tumblr, Facebook, Instagram, Pinterest, Dropbox, Intuit (TurboTax, Quicken) and Google announced their sites are now patched to prevent future incursions. The Canada Revenue Agency shut down its taxpayer sites until servers could be patched or features with the vulnerability were disabled.

Other sites that have NOT been affected, according to company statements, include Twitter, Microsoft services, PayPal, Amazon, AOL, and LinkedIn. Most major US banks and brokerages, according to Mashable.com, are also safe from Heartbleed attacks, as are a number of regular retailers, including Target.

…but is getting better.
Over the last week, web sites that were affected have been fixing Heartbleed so they are no longer vulnerable. A scan of the top 10,000 web sites on April 8th, one day after the public announcement, showed 630 still vulnerable to attack. A follow-up scan on April 10th showed this number at 137. By the 11th, this was down to 104 sites. This scan is a service set up by Filippo Valsorda, an Italian security expert.

So, one part of this problem, current vulnerability, is being addressed by most web site owners. That window of vulnerability is closing.

However, the danger isn’t over until you take some actions. After all, this bug was in place for two years and there is a chance that your passwords and other personal information have already been taken for use or sale. You now need to reduce your own vulnerability.

What should I be doing?
Be prepared to change passwords on the affected web sites…once you know that the site has been able to correct the problem. It’s important to confirm that the site is now safe before changing passwords.

Key questions to answer:

Determine if the web site is affected by the vulnerability. There are a few ways to figure this out if the web site that concerns you was not listed above.

Look for a notice on your website regarding OpenSSL or Heartbleed. Search for news accounts of your site and press releases it might have made. Many sites have sent emails over the last few days advising their customers about the site’s vulnerability or need to change passwords. Check your Spam or Junk Mail folder in case the message was diverted there.
Besides Mashable’s list, you can look on this comparison list Filippo Valsorda built using his lists of the top ten thousand web sites to see if your web site was listed as vulnerable. Filippo has listed sites that were vulnerable earlier in the week and whether they are still vulnerable.

Lastly, Filippo has a test site at http://filippo.io/Heartbleed/. If your site passes, it is either because the vulnerability has been fixed or because it wasn’t affected at all.

Change passwords on any sites that you believe had the vulnerability once the bug has been eliminated. The point of changing passwords is to eliminate further access to information using passwords acquired prior to the bug being fixed.

Keep an eye on your credit and accounts. Since we don’t know who, if anyone, might have been affected during the two years this vulnerability was open, it’s a good idea to watch your credit card purchases and account information a little more closely. If unusual activity occurs, report it promptly to the institution or site account manager.

Why this bug is called Heartbleed
The bug is in an extension of OpenSSL called Heartbeat, which keeps the secure connection active even when no data is being transmitted. Heartbleed allows someone to eavesdrop on communications and even impersonate services and users.

If you are interested in how something like Heartbleed works, this comic rendition by Randall Munroe of xkcd.com does a great job of explaining it.
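For readers who want the mechanism behind the comic in code form, here is an added illustration that is not part of the original column and not OpenSSL’s own source. A heartbeat message carries a length field that says how big its payload is; the bug was that the server copied that many bytes back without checking that the message it had received was really that long, so the reply could include whatever else happened to sit in memory next to it. The toy model below keeps the real message layout (type, 2-byte payload length, payload, padding) but stands in for process memory with a constructed bytearray, and all function names and the sample data are assumptions for the demonstration.

```python
"""Toy model of the TLS heartbeat bounds check behind Heartbleed.
Added example, not OpenSSL code: memory is simulated with a bytearray so the
over-read is deterministic and harmless."""
from __future__ import annotations

import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # a heartbeat message ends with at least 16 bytes of padding
HEADER = 3    # 1-byte message type + 2-byte payload_length


def build_heartbeat(payload: bytes, claimed_len: int | None = None) -> bytes:
    """Encode a heartbeat request: type | payload_length | payload | padding.
    claimed_len lets the caller state a payload_length that disagrees with the
    bytes actually sent, which is the malformed input the bug failed to reject."""
    claimed = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, claimed) + payload + b"\x00" * PADDING


def payload_length(record: bytes) -> int:
    """Read the peer-supplied payload_length field from a heartbeat record."""
    return struct.unpack("!BH", record[:HEADER])[1]


def respond_unpatched(record: bytes, memory: bytearray) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes from where the payload starts,
    without checking that the received record actually contains that many.
    `memory` is a constructed stand-in for the server's heap: the record sits at
    offset 0 and whatever else the process was holding follows it."""
    claimed = payload_length(record)
    echoed = bytes(memory[HEADER:HEADER + claimed])  # can run past the record
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def respond_patched(record: bytes, memory: bytearray) -> bytes | None:
    """Post-fix behaviour: header + claimed payload + padding must fit inside
    the record that was actually received; otherwise the message is dropped."""
    claimed = payload_length(record)
    if HEADER + claimed + PADDING > len(record):
        return None  # silently discard the malformed heartbeat
    echoed = bytes(memory[HEADER:HEADER + claimed])  # now provably inside the record
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def echoed_payload(response: bytes) -> bytes:
    """Extract the payload section of a heartbeat response."""
    return response[HEADER:HEADER + payload_length(response)]


def simulate(claimed_len: int | None = None) -> tuple[bytes, bytes | None]:
    """Run one heartbeat through both handlers. The bytes placed after the
    record are constructed sample data standing in for other connections' state."""
    request = build_heartbeat(b"hi", claimed_len)
    memory = bytearray(request + b"[other-connection-data]")
    return respond_unpatched(request, memory), respond_patched(request, memory)


if __name__ == "__main__":
    honest_old, honest_new = simulate()
    print("well-formed heartbeat, both handlers echo:",
          echoed_payload(honest_old), echoed_payload(honest_new))
    bad_old, bad_new = simulate(claimed_len=40)
    print("mismatched length, unpatched handler echoes:", echoed_payload(bad_old))
    print("mismatched length, patched handler returns:", bad_new)
```

The one-line difference between the two handlers is the whole fix: the patched version refuses to trust a length the peer supplied until it has confirmed the record really holds that many bytes. That is also why patching the server, rather than anything a user does, is what closes the hole, and why the column’s advice to change passwords only after a site is patched is the right order.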

How bad is this, really?

From the Internet perspective, this is pretty bad and a lot of people have been scrambling about to fix things. From your perspective, it could be bad if you haven’t changed passwords on vulnerable sites once they are fixed.

In the long term, this is probably just a glitch from which we all will recover. In the meantime, taking the proper precautions will help it stay as a glitch for you.
