Heartbleed Computer Vulnerability – What you need to know now and how to respond.


On April 13 I had an interview with Justin Andrews of KWWL. We discussed the Heartbleed security exploit and what consumers can do to protect themselves. Click here to view the interview and read the KWWL story. If you have questions about this and other computing security concerns, feel free to contact me. This document was originally posted on April 13 and remains mostly unchanged from that version.

“Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.” ~ CodeNomicon


Understanding the Heartbleed Vulnerability

Here are some points that should be emphasized regarding the Heartbleed security exploit:

  • Programming Oversight. The Heartbleed exploit was not the creation of hackers. For this reason, it is unlike viruses, malware, spyware, denial of service attacks, and botnets; it is the result of a programming oversight. Similar security vulnerabilities have been repeatedly discovered in software from Adobe and Microsoft. However, these are usually identified and quickly patched. The Heartbleed vulnerability went undiscovered for two years. This gave hackers a significant window of opportunity to take advantage of the vulnerability and gather information.
  • Impact Unknown. The nature of the exploit, and the fact that it went undetected so long, make it difficult to know the full impact. Organizations and businesses have been reluctant to disclose the impact of the vulnerability because that may expose them to criticism and it also would disclose confidential information about the security and encryption protocols they use. Some companies are coming forward to let consumers know they should change their login credentials.

Taking Action – Summary

This is still a developing story. There’s a growing list of hardware devices that are known to be impacted, such as 50 million Android and Blackberry devices. These will need to be updated or replaced. In general, you should change your passwords on all online user accounts, starting with your email accounts. However, for any system not yet patched, you may want to change your password now and then again after it has been patched.

Change Email Passwords First

As you may have noticed, most online accounts have an “I forgot my password” option that sends a password reset to the email account on file. This means that every website you use can be easily accessed by anyone who has your email account login details. They simply need to review your emails for bank, health, investing, shopping, and other sites. Then, go to those sites and click the password recovery link. It’s that simple. So, your email account is like a master key to all other accounts. For this reason, it should have a very secure password. You may wish to have two or three separate email accounts, with one rarely used that is for higher security purposes. When a security breach like Heartbleed takes place, it’s important to update your email passwords first because updating your other accounts won’t be secure until your email is secure.

Password Manager

Because confidential account information includes authentication questions, account numbers, and other personal identity details, it’s important to have a secure encrypted digital lock-box where this information can be stored. Password managers provide an encrypted database where you can securely store all of your account information. Most have the ability to synchronize data locally (on your local WiFi network) between devices. This makes it more feasible to have complex passwords and diverse authentication questions. An example of a password manager is 1Password by Agilebits.

Strong Passwords

Most systems enforce strong passwords and won’t allow you to use a short, simple, easy to guess, or previously used password. Here are some general guidelines for creating a strong password.

A secure password should:

  • Be at least 10 characters
  • Have at least two lower case characters
  • Have at least two capital letters
  • Have at least two numbers
  • Have at least one special character (such as * # % !)
  • Not have multiple identical consecutive characters as a way to make the password longer (such as Password7777777)
  • Not include the account name or account owner name
  • Not be a common password
  • Not be used in the past year
  • Not be the same or similar to any other online account
  • Not be the same as your previous 10 passwords
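The guidelines above map directly onto a checklist, so here is an added example (not from the original post) of a small validator that reports which of the rules a candidate password breaks. The common-password list and the threshold of three identical consecutive characters are constructed assumptions; rules that depend on account history (previous passwords, other accounts) are approximated by a caller-supplied list of previous passwords.

```python
import re

# Constructed sample of common passwords; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Assumption: "multiple identical consecutive characters" is interpreted as three or more in a row.
REPEAT_RUN = re.compile(r"(.)\1\1")


def password_problems(password, account_name="", owner_name="", previous=()):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if sum(c.islower() for c in password) < 2:
        problems.append("fewer than two lower case characters")
    if sum(c.isupper() for c in password) < 2:
        problems.append("fewer than two capital letters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("fewer than two numbers")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if REPEAT_RUN.search(password):
        problems.append("three or more identical consecutive characters")

    lowered = password.lower()
    # Check account name and each part of the owner's name (parts shorter than 3 chars are ignored
    # to avoid false positives on initials; this cutoff is an assumption).
    for label, name in (("account name", account_name), ("owner name", owner_name)):
        for part in name.split():
            if len(part) >= 3 and part.lower() in lowered:
                problems.append(f"contains the {label}")
                break
    if lowered in COMMON_PASSWORDS:
        problems.append("is a common password")
    # The post says "previous 10 passwords"; compare against the most recent ten supplied.
    if password in list(previous)[-10:]:
        problems.append("matches one of the previous 10 passwords")
    return problems


def is_strong(password, **kwargs):
    return not password_problems(password, **kwargs)


if __name__ == "__main__":
    for candidate in ("Password7777777", "Tr0ub4dor&3Xy"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

Note that the validator only enforces composition rules; it cannot tell whether a password was exposed through a vulnerable server, which is why the post recommends changing passwords after a patch regardless of how strong they are.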

Tools

These are some of the tools provided to help respond to this bug. It’s reported that 95% of web tools don’t work. So, you shouldn’t rely entirely on these tools, but if one reports that you’re vulnerable that may be a helpful indicator.

Two-Factor Authentication

Some websites now offer two-factor authentication, also known as two-step authentication or multi-factor authentication. These include sites such as WordPress.com and Gmail. In addition to being required to enter your username and password, an additional piece of randomly generated information is required to log in. This reduces unauthorized access to accounts.

For example, Google Authenticator is an app that runs on your smartphone. It continuously generates codes that are good for a short period of time before expiring. A current, unexpired code is required to access accounts protected by their two-step authentication system.

Websites Impacted by Heartbleed

A few websites have been doing a good job of maintaining lists of websites that were impacted by Heartbleed as well as some that weren’t. There are some websites that we don’t yet have information about. Review the following reports for more details about which accounts may be more vulnerable than others.

Impacted Hardware & Software

A variety of hardware products and systems may be impacted, as well as some software. The articles here offer more information about certain systems that may be impacted. This is not a comprehensive list.

Don’t Be Over Confident

Some companies and organizations have been quick to announce that they aren’t impacted, or that they’ve patched their website.

As you might imagine from the long list of impacted hardware and software above, it’s actually difficult for an organization to have an immediate, comprehensive understanding of the impact.

While a company’s website might not have been using OpenSSL, other services they rely on, third party websites, and hardware devices could be vulnerable. That takes time to discover and fix.

Additionally, even if a company’s public-facing website(s) or resources have been patched or weren’t affected, it’s common for users to have the same login and password on multiple systems. So, if they interacted elsewhere with a vulnerable system, they could be impacted.

Regardless of what an organization or company claims, there will likely be some ripple effects and long-term impact of the OpenSSL vulnerability. So, it’s best to be cautious and careful in this regard.

Additional Reading

Further Assistance

If you have questions about this and other computing security concerns, feel free to contact me.
