This week, tech news websites have been raising the alarm about Heartbleed (a massive Internet security scare), and the mainstream media are slowly catching up. With this media exposure, a lot of non-technical people are uncertain of the risks, and consequently have a lot of questions. Below is a quick summary of the threat, and some recommendations of what you should do.
Please note that I am not a security expert, but through my work in IT, I have developed a strong interest in security. It is something I take seriously, and spend a lot of time thinking about. However, this guide comes with no guarantee: use it at your own risk.
In the beginning, all web traffic was unencrypted: this meant that information was sent across the Internet in plain text, readable by anyone on one of the Internet’s many backbone or ISP servers. In short, the Web had no security: if you sent a password, an email or a credit card number, there was a chance someone could read it. As commerce warmed to the Web, protection was added in the form of a technology called Secure Sockets Layer (SSL), which uses public key encryption to protection data in transit. If you visit a website whose address starts with https:// (instead of the normal http://), it means that SSL is in use, and your data is (in theory) protected.
Out of all of the different ways to use SSL, the most popular on the web is a library called OpenSSL, used on over half of all SSL-enabled Web servers on the Internet. For years it has proven to be stable, efficient and secure enough to literally power the world of electronic commerce. Heartbleed is a way of exploiting a weakness that appeared in OpenSSL two years ago, and seems to have gone unnoticed since. The nature of the attack (covered very well by the Ars Technica and the New Yorker) allows a clever attacker to bleed small amounts of information from a server, using a flaw in the design of OpenSSL’s heartbeat mechanism (hence the name heart+bleed). The information the attacker gets is completely random, but it can include passwords, credit card information and anything else recently accessed on the server. A persistent hacker can repeatedly attack the same server, bleeding information until something interesting turns up. Like, for instance, your username and password.
Despite the flaw in OpenSSL existing for over two years, it seems to have gone unnoticed until recently, when researchers at Google and Codenomicon uncovered it and took swift action to have it patched, before going public with the information. At least, that is the best case scenarios. Worst case is that other less scrupulous users have known about it, and have been exploiting it covertly for months. It leaves no trace, so we may never know.
The upshot is that thanks to some quick work on the part of many IT professionals, lots of servers are now protected against a Heartbleed attack. All the sites I have tested, including the majors (Google, Twitter, Facebook, Wikipedia) have been fixed, although it seems that an alarming number of servers are still vulnerable, presummably due to poor system administration.
What To Do
The first thing to do is stay rational, and understand that this attack may not be as bad as people are making out (the media live for sensation, remember). It is possible it was not discovered before Google, and the rapid response worldwide has nullified much of the threat. With that said, if you value your privacy, identity and money, then it is worth taking precautions nonetheless. Do keep in mind that any service you have used in the past two years might have been open to this attack, and you won’t know unless you do some work testing them out. With this said, I would recommend you do the following:
- Make a list of all the sites you use, from the most sensitive (email, bank) down to the least (lesser used services lacking important data).
- Test each of the sites on your list that you feel has some sensitive data, or that shares a password with a site with some sensitive data. There are quite a few tests available online, but this one seems to work well (as far as I can tell) and is very easy to use. Simply enter the site you want to test in the large text box, and hit the Go! button (screenshot).
- If a site passes the test (screenshot) it means the bug has been patched, or OpenSSL is not in use. This means it is safe to change your password, and even though the site may not have been compromised, you should. Login and choose a secure, new password (in theory this means preferably 8 characters, hard to guess, not used on other sites, but see notes below). If your account was compromised before the attack, it is now safe.
- If the site fails the test, it means that it is still vulnerable, and changing your password may, ironically, cause your account to be compromised. If you use the same password elsewhere, this could be bad news. For such sites, contact the site’s support team and share the results of the test with them. Ask why they have not patched their server yet. Once patched, change your password.
- If you run a site that uses HTTPS, you will want to update your cryptographic keys and certificates as soon as possible, as these might have been compromised, meaning any communications going forward may be at risk of interception.
Of course, if one of your accounts was compromised, data might have been taken from within it, and changing your password will not get that data back. If you have lost credit card details through this, your bank should refund the money as it is has not been lost through your negligence.
Two Notes On Passwords
- We all have a lot of passwords. We know they should all be different and complex and long, but few of us have the time, interest or energy for this. My recommendation is to have three levels of password: one that you use only for the most important sites (email, banking), one you use for sites you use a lot (Facebook, Twitter) and finally a throw away password for sites you don’t value. Each password should be 4 random words stuck together, to make it very long, with some numbers and punctuation thrown in to make it stronger (e.g. goatManicure72!FenceBanana). This should give you good protection in case of an attack. It will be easier to remember than a more random password, and very hard to crack. Please don’t use the example given above….it is no longer secure!
- Your email is the center of your online existence, and deserves the highest level of security. If someone can get into your email, they can reset all your other accounts, which you registered under the same address. Accordingly, I use 2-factor authentication on my Gmail accounts (personal and work). This requires me to receive and enter an SMS code any time I use my Google account on a new computer. A bit of a hassle, yes, but more than worth it when something like Heartbleed breaks out. Even if someone knows my password, without my phone they cannot use it.
This week has been a reminder that the Internet is an amazingly fragile resource which we all share and rely on. Hopefully lessons will be learned and applied by companies, coders and individuals in the wake of this extreme event.