Tech Talk Special Edition: What should you do about “HeartBleed?”
Saturday, April 12, 2014
A few days ago, news broke about a key vulnerability in the primary encryption method used to secure the web sites we use. If your eyes just glazed over during that last sentence, it’s time to put on a pot of coffee and see why this is a potential threat for you … and what you can do about it.
The Story and the Danger
If you do Internet shopping, banking, or web-based email, you have made use of an “https” connection. This connection, also known as an SSL/TLS (Secure Socket Layer/Transport Layer Security) connection, is designed to ensure the privacy and security of your interaction.
The key provider of SSL/TLS is OpenSSL, an open-source project. As a majority of web servers, routers, and other network connections make use of OpenSSL, the potential for stolen passwords and other critical data is high, especially since software designed to exploit this vulnerability has also been discovered.
While the vulnerability is limited to a couple of recent versions of OpenSSL, the pervasiveness of the library increases the chance that your information can be stolen and used.
How does this affect me?
Unlike the hacks at Target and other companies, this is not a localized threat. Using encrypted connections is at the heart of our Internet commerce. Since we all use credit cards, communicate with banks, and share passwords and other personal data over SSL/TLS connections, all that data could have been at risk.
The challenge in this case is that unless you encounter signs of theft (unauthorized credit card use, account hacking, identity theft), there is no way to determine whether your data has been compromised. In his story on this topic, security blogger Brian Krebs quoted Jonathan Sander of Stealthbits Technologies as saying, “Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it.”
This sounds awfully scary
Yes, it does, largely because of the uncertainties involved. There have been a lot of people who manage web sites working very hard to correct this problem. Sites like Tumblr, Facebook, Instagram, Pinterest, Dropbox, Intuit (TurboTax, Quicken) and Google announced their sites are now patched to prevent future incursions. The Canada Revenue Agency shut down its taxpayer sites until servers could be patched or the features with the vulnerability were disabled.
Other sites that have NOT been affected, according to company statements, include Twitter, Microsoft services, PayPal, Amazon, AOL, and LinkedIn. Most major US banks and brokerages, according to Mashable.com, are also safe from Heartbleed attacks, as are a number of retailers, including Target!
A scan of the top 10,000 web sites on April 8th, one day after the public announcement, showed 630 still vulnerable to attack. A follow-up scan on April 10th showed this number down to 137.
So one part of this problem, the current vulnerability, is being addressed by most web site owners. The window of vulnerability is closing.
The second part of the problem needs to be addressed by you to ensure your protection.
What should I be doing?
Be prepared to change passwords on the affected web sites … once you know that the site has been able to correct the problem. It’s important to confirm that the site is now safe before changing passwords.
Key questions to answer:
Determine if the web site is affected by the vulnerability. There are a few ways to figure this out if the web site that concerns you was not listed above.
Look for a notice on the web site regarding OpenSSL or Heartbleed. Search for news accounts of the site and any press releases it might have made.
If there is no information on the site, try using the Filippo Valsorda site to test it. This is a service set up by Filippo Valsorda, an Italian security expert. If your site passes, it is either because the vulnerability has been fixed or because it wasn’t affected at all.
Change passwords on any sites that you believe had the vulnerability, once the bug has been eliminated. The point of changing passwords is to cut off further access to your information using passwords acquired before the bug was fixed.
Keep an eye on your credit and accounts. Since we don’t know who, if anyone, might have been affected during the two years this vulnerability was open, it’s a good idea to watch your credit card purchases and account information a little more closely. If unusual activity occurs, report it promptly to the bank or account manager.
Why is this bug called Heartbleed?
The bug is based in an extension of OpenSSL called Heartbeat and takes its nickname from there. Heartbeat is the part of the protocol that keeps a secure connection active even when no data is being transmitted. Heartbleed allows someone to eavesdrop on communications and even impersonate services and users.
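To show what went wrong inside that Heartbeat extension, here is an added illustration (not code from this column or from OpenSSL): a heartbeat request carries a claimed payload length, and the flaw was that the server copied that many bytes back into its reply without checking that the request was really that long. The record layout, the constructed memory arena, the stand-in "secret" bytes and the function names are all assumptions made for this example; the hardened version applies the same length check the OpenSSL fix introduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat request: a one-byte type, a
 * two-byte claimed payload length, then the payload bytes.
 * Constructed teaching example, not OpenSSL's own code. */
#define MAX_REPLY 64

/* Constructed arena: a heartbeat record whose header claims 16 payload
 * bytes (0x0010) but really carries only 4 ("ping"), followed by bytes
 * standing in for unrelated data that happens to sit next to it. */
static const unsigned char arena[] =
    "\x01\x00\x10" "ping" "SECRET-SESSION-KEY";
static const size_t record_len = 3 + 4;   /* header + 4 real payload bytes */

static uint16_t claimed_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable behaviour: trusts the claimed length, so the reply also
 * carries whatever bytes follow the real payload in memory. */
size_t heartbeat_reply_unsafe(const unsigned char *rec, unsigned char *out) {
    uint16_t n = claimed_len(rec);
    memcpy(out, rec + 3, n);
    return n;
}

/* Hardened behaviour: only build a reply if the claimed length fits inside
 * the record actually received; otherwise drop the message (return 0). */
size_t heartbeat_reply_safe(const unsigned char *rec, size_t rec_len,
                            unsigned char *out) {
    if (rec_len < 3) return 0;
    uint16_t n = claimed_len(rec);
    if ((size_t)n + 3 > rec_len || n > MAX_REPLY) return 0;
    memcpy(out, rec + 3, n);
    return n;
}

/* Probe: does the unsafe reply contain the neighbouring "secret" bytes? */
int unsafe_reply_leaks_neighbour(void) {
    unsigned char out[MAX_REPLY];
    size_t n = heartbeat_reply_unsafe(arena, out);
    return n == 16 && memcmp(out + 4, "SECRET-SESSIO", 12) == 0;
}

int main(void) {
    unsigned char out[MAX_REPLY];
    printf("unsafe reply leaks neighbouring data: %s\n",
           unsafe_reply_leaks_neighbour() ? "yes" : "no");
    printf("safe reply length: %zu (0 means dropped)\n",
           heartbeat_reply_safe(arena, record_len, out));
    return 0;
}
```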
How bad is this, really?
From the Internet perspective, this is pretty bad, and there are a lot of people scrambling about to fix things. From your perspective, it could be bad if you haven’t changed passwords on vulnerable sites once they are fixed.
In the long term, this is probably just a glitch from which we all will recover. In the meantime, taking the proper precautions will help it stay as a glitch for you.
Do you have a follow-up on this topic or a technical question that needs to be answered or explored? Please share it with me at brian@bostonlegacyworks.com. Your question may show up here on Tech Talk.