On April 13 I had an interview with Justin Andrews of KWWL. We discussed the Heartbleed security exploit and what consumers can do to protect themselves. Click here to view the interview and read the KWWL story. If you have questions about this and other computing security concerns, feel free to contact me. This document was originally posted on April 13 and remains mostly as it was originally written.
“Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.” ~ CodeNomicon
Understanding the Heartbleed Vulnerability
Here are some points that should be emphasized regarding the Heartbleed security exploit:
- Programming Oversight. The Heartbleed exploit was not the creation of hackers. For this reason, it is unlike viruses, malware, spyware, denial of service attacks, and botnets; it is the result of a programming oversight. Similar security vulnerabilities have been repeatedly discovered in software from Adobe and Microsoft. However, these are usually identified and quickly patched. The Heartbleed vulnerability went undiscovered for two years. This gave hackers a significant window of opportunity to take advantage of the vulnerability and gather information.
- Impact Unknown. The nature of the exploit, and the fact that it went undetected so long, make it difficult to know the full impact. Organizations and businesses have been reluctant to disclose the impact of the vulnerability because that may expose them to criticism and it also would disclose confidential information about the security and encryption protocols they use. Some companies are coming forward to let consumers know they should change their login credentials.
Taking Action – Summary
This is still a developing story. There’s a growing list of hardware devices that are known to be impacted, such as 50 million Android and Blackberry devices. These will need to be updated or replaced. In general, you should change your passwords on all online user accounts, starting with your email accounts. However, for any system not yet patched, you may want to change your password now and then again after it has been patched.
Change Email Passwords First
As you may have noticed, most online accounts have an “I forgot my password” option that sends a password reset to the email account on file. This means that every website you use can be easily accessed by anyone who has your email account login details. They simply need to review your emails for bank, health, investing, shopping, and other sites. Then, go to those sites and click the password recovery link. It’s that simple. So, your email account is like a master key to all other accounts. For this reason, it should have a very secure password. You may wish to have two or three separate email accounts, with one rarely used that is for higher security purposes. When a security breach like Heartbleed takes place, it’s important to update your email passwords first because updating your other accounts won’t be secure until your email is secure.
Because confidential account information includes authentication questions, account numbers, and other personal identity details, it’s important to have a secure encrypted digital lock-box where this information can be stored. Password managers provide an encrypted database where you can securely store all of your account information. Most have the ability to synchronize data locally (on your local WiFi network) between devices. This makes it more feasible to have complex passwords and diverse authentication questions. An example of a password manager is 1Password by Agilebits.
Most systems enforce strong passwords and won’t allow you to use a short, simple, easy to guess, or previously used password. Here are some general guidelines for creating a strong password.
A secure password should:
- Be at least 10 characters
- Have at least two lower case characters
- Have at least two capital letters
- Have at least two numbers
- Have at least one special character (such as * # % !)
- Not have multiple identical consecutive characters as a way to make the password longer (such as Password7777777)
- Not include the account name or account owner name
- Not be a common password
- Not be used in the past year
- Not be the same or similar to any other online account
- Not be the same as your previous 10 passwords
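As an added example (not code from the original post), here is a small Python checker that applies the rules above; the common-password list and every sample value are constructed for the demo, and "similar" is judged with a simple string-similarity ratio, which is one reasonable reading of the rule rather than a standard definition.

```python
import re
from difflib import SequenceMatcher

# Constructed sample blocklist; a real deployment would load a large list of
# known-breached passwords instead of this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}


def check_password(pw, account_name="", owner_name="",
                   previous=(), other_accounts=(), common=COMMON_PASSWORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if sum(c.islower() for c in pw) < 2:
        problems.append("fewer than two lower-case letters")
    if sum(c.isupper() for c in pw) < 2:
        problems.append("fewer than two capital letters")
    if sum(c.isdigit() for c in pw) < 2:
        problems.append("fewer than two digits")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    # Three or more identical characters in a row, e.g. Password7777777
    if re.search(r"(.)\1\1", pw):
        problems.append("repeated identical consecutive characters")
    lowered = pw.lower()
    # Account name and owner name must not appear inside the password
    for part in (account_name + " " + owner_name).lower().split():
        if len(part) >= 3 and part in lowered:
            problems.append(f"contains name fragment {part!r}")
    if lowered in common:
        problems.append("appears on the common-password list")
    # No reuse of any of the previous 10 passwords
    if pw in list(previous)[-10:]:
        problems.append("matches one of the previous 10 passwords")
    # Not the same as, or a near-variant of, a password used on another account
    for other in other_accounts:
        if pw == other or SequenceMatcher(None, pw, other).ratio() >= 0.8:
            problems.append("same as or similar to another account's password")
            break
    return problems


if __name__ == "__main__":
    # Constructed demo values
    for candidate in ("Password7777777", "Tr0ub4dor&3xAmple"):
        print(candidate, "->", check_password(candidate, "jsmith", "John Smith") or "OK")
```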
These are some of the tools provided to help respond to this bug. It’s reported that 95% of web tools don’t work. So, you shouldn’t rely entirely on these tools, but if one reports that you’re vulnerable that may be a helpful indicator.
- Android – “Heartbleed Detector: Check If Your Android OS Is Vulnerable with Our App” (by Lookout.com)
Some websites now offer two-factor authentication, also known as two-step authentication or multi-factor authentication. These include sites such as WordPress.com and Gmail. In addition to being required to enter your username and password, an additional piece of randomly generated information is required to log in. This reduces unauthorized access to accounts.
For example, Google Authenticator is an app that runs on your smartphone. It continuously generates random codes that are good for a short period of time before expiring. A currently valid code is required to access accounts protected by Google’s two-step authentication system.
Websites Impacted by Heartbleed
A few websites have been doing a good job of maintaining lists of websites that were impacted by Heartbleed as well as some that weren’t. There are some websites that we don’t yet have information about. Review the following reports for more details about which accounts may be more vulnerable than others.
- CNET – Heartbleed bug: Check which sites have been patched
- Mashable – The Heartbleed Hit List: The Passwords You Need to Change Right Now
Impacted Hardware & Software
A variety of hardware products and systems may be impacted, as well as some software. The articles here offer more information about certain systems that may be impacted. This is not a comprehensive list.
- Android – “Heartbleed Bug Puts Millions Of Android Devices At Risk” (Huffington Post, 15 April 2014) and “Heartbleed makes 50 million Android phones vulnerable, data shows” (The Guardian, 15 April 2014)
- Blackberry – “Blackberry plans Heartbleed patches as mobile threat scrutinized” (Reuters, 13 April 2014). See the Blackberry Heartbleed page for more details.
- Cisco Products – “Which Cisco Routers, Modems and Networking Gear are Affected by and Safe from the Heartbleed Bug” (Digital Trends)
- Dell Servers – “Server makers rushing out Heartbleed patches”
- Google Services – “Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug)” (Google, 9 April 2014)
- Hewlett-Packard Servers – “Server makers rushing out Heartbleed patches”
- IBM Servers – “Server makers rushing out Heartbleed patches”
Don’t Be Over Confident
Some companies and organizations have been quick to announce that they aren’t impacted, or that they’ve patched their website.
As you might imagine from the long list of impacted hardware and software above, it’s actually difficult for an organization to have an immediate, comprehensive understanding of the impact.
While a company’s website might not have been using OpenSSL, other services they rely on, third party websites, and hardware devices could be vulnerable. That takes time to discover and fix.
Additionally, even if a company’s public-facing website(s) or resources have been patched or weren’t affected, it’s common for users to have the same login and password on multiple systems. So, if they interacted elsewhere with a vulnerable system, they could be impacted.
Regardless of what an organization or company claims, there will likely be some ripple effects and long-term impact of the OpenSSL vulnerability. So, it’s best to be cautious and careful in this regard.
- Agilebits – “Heartbleed: Imagine no SSL encryption, it’s scary if you try”
- Agilebits – “1Password, Heartbleed, and You”
- CBC – “Heartbleed bug shows governments slow to react” (15 April 2014)
- CBC – “Heartbleed bug: RCMP asked Revenue Canada to delay news of SIN thefts – Tax agency waited until Monday to reveal that Heartbleed bug led to 900 social insurance numbers being stolen” (14 April 2014)
- Daily Iowan – “Editorial: Heartbleed endangers the Internet – The Daily Iowan” (15 April 2014)
- Daily Iowan – “No Heartbleed here, UI says” (15 April 2014)
- DigitalTrends.com – “Heartbleed Bug Claims 900 Canadian Taxpayers as its First Victims” (11 April 2014)
- The Guardian – “Heartbleed: don’t rush to update passwords, security experts warn” (9 April 2014)
- The Guardian – “Heartbleed bug: what do you actually need to do to stay secure?” (10 April 2014)
- New York Times – “Study Finds No Evidence of Heartbleed Attacks Before the Bug Was Exposed” (16 April 2014)
If you have questions about this and other computing security concerns, feel free to contact me.