Put on your Heartbleed – THDP14

First, what is Heartbleed?

It is a “security bug” that gives hackers the ability to decipher data encrypted with tools such as OpenSSL. It has been exposing personal data such as user names, passwords, credit card payment data… basically anything that is used while making an online purchase transaction. It had been present in the popular Web encryption tool OpenSSL (SSL stands for Secure Sockets Layer) for about two years before it was exposed earlier in April. Heartbleed got its name (according to Sharon Gaudin in an article for Computerworld that appeared April 10, 2014) because it affects an SSL extension that software programmers call Heartbeat. Though the bug affected a broad swath of websites and was found in many models of server and network equipment, reports of Heartbleed attacks only started to emerge after the flaw had been disclosed.

So, what is OpenSSL?

First of all, SSL stands for Secure Sockets Layer. It is a standard security technology that creates a secure link between the server and client (client being you). When this is established you can then go about your business (such as banking, purchasing, filling out forms like health care info) knowing your credentials are being transmitted securely. The OpenSSL project was founded in 1998 to invent a free set of encryption tools for the code used on the Internet. As of 2014, two thirds of all web servers use it. As with other “open source” projects, OpenSSL depends on the hard work and donated time of its management team and developers. OpenSSL is an implementation of the SSL and TLS protocols. The core library is written in the C programming language; it implements the basic cryptographic functions and provides various utility functions. Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the various open source BSD operating systems), OpenVMS and Microsoft Windows.

What does Heartbleed do?

When you are on a website and you see a little closed padlock in the lower right-hand corner… this tells you the site is SSL encrypted. Heartbleed takes advantage of a “vulnerability” that has existed within OpenSSL… and this vulnerability has been around for about two years. So for that time users assumed they were protected, but were not. It is apparently under discussion currently as to whether it affects just websites or maybe also internet devices: smartphones, home routers, tablets and laptops. Most of these devices actually come with OpenSSL installed on them.

Exactly who is affected?

Google has announced they were indeed vulnerable but have patched the problem. Facebook, the largest social network, also said they were affected but, like Google, has since patched the vulnerability. Yahoo admitted vulnerability and has started to patch the problem. Twitter has reported it is not affected. There are various websites and tools that help people figure out if the websites they use are “currently” vulnerable. I have linked to quite a few of these websites and such in our show notes.

So what do I do?

First and foremost, you need to change your passwords.  If you have shopped online, filled out child school forms online, done online banking or shared healthcare information online, you may be vulnerable.  You will need to change all of your passwords.  Sure, you can utilize one of the tools and/or websites to find out if companies you use have vulnerable websites.

However… yes, there always seems to be a however, doesn’t there?? I agree with many analysts who are saying the bigger issue here involves people who use the same password for multiple accounts. For instance, they might use the same password to get into their Facebook account as they do for the company email or an online banking site.

Ok, a raise of hands here… does anybody know someone like that? You see, I’m trying to deflect the fact that, by far, most of you do that. It is true that using the same password for all of your accounts actually improves the carbon footprint of the crooks that are stealing your data and identity… but we aren’t supposed to care about that. Folks, it’s called security. Not INsecurity. Security is supposed to give you some protection against the evildoers of the world. And in this case security comes in the form of “good passwords”.

Last week I had more than one person come up to me and ask about passwords. They probably heard on TV that they were going to have to change all of their passwords and they probably didn’t hear the whole story as to why. One person told me there was no way she was going to change ALL her passwords. “They can’t make me do that”, she said. Actually they can at work, I told her. Why do we all not care because “it’s too much work”? You will carry around a million keys on your keychain but make NO effort to maintain more than one password. Because you may forget it??? Really, is that it??? I guess you are the only one that can attach value to your data and identity.

Articles, Links and Tools

Articles

This article has an excellent graphic that will help you understand Heartbleed. Heartbleed: How it Works, by Neil J. Rubenking, PCMag.com, April 10, 2014.

Beware of Fraudulent Heartbleed Password Reset Emails, by Fahmida Y. Rashid, PCMag.com, April 11, 2014.

Heartbleed Bug Health Report

Chromebleed alerts sites vulnerable to heartbleed, by Matt Elliott, c/net.com, April 17, 2014

Heartbleed bug: Check which sites have been patched, by Jason Cipriani, c/net.com, April 9, 2014

Tools/Links that will test vulnerability

This website lists a number of sites that are vulnerable to attack. LastPass: The Last Password You’ll Ever Need

Trend Micro offers this tool which will scan your mobile device for vulnerability.  Available (at least) on Google Play.

All the passwords you should change because of Heartbleed, in one handy graphic