Friday, April 11, 2014

What do you need to know about the Heartbleed security vulnerability?

Simon Budgen at OpenLearn asked yesterday if I could offer some ordinary-mortal-interpretable thoughts on the Heartbleed OpenSSL security earthquake.

I offered Simon the rambling stream of consciousness below which he kindly edited into a more ordered Q&A here.

There is a lot of panic, misreporting and bad advice going round about Heartbleed, as you say, but there are a few key things worth making sure any article includes.

Include the Heartbleed link http://heartbleed.com/ which outlines the problem:

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

That's about as bad as it gets security wise. Security expert Bruce Schneier has described it as “catastrophic” and I wouldn’t disagree with that.

The OpenSSL bug has left half a million plus sites exposed, from what we're able to tell. Being exposed to the bug is not the same as knowing a site was actually attacked: a malicious heartbeat request leaves nothing in the server's logs, so most sites can neither confirm nor rule out that their memory was read.
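To make the "read the memory of the systems" part concrete, here is an added example in C (not code from the original post, and not OpenSSL's source, though the vulnerable handler is modelled on what tls1_process_heartbeat did in OpenSSL 1.0.1 through 1.0.1f and the fixed one on the checks added in 1.0.1g). It simulates one connection's memory as a byte array: a heartbeat record at the front, and a constructed "secret" string placed right after it to stand in for whatever else happened to be on the heap. The vulnerable handler trusts the length field in the request and echoes back that many bytes, so a request claiming 64 bytes but carrying 4 drags the neighbouring secret into the response. The fixed handler compares the claimed length against the record actually received and silently discards the request. Everything here is a simulation: the record layout follows RFC 6520, but the buffers, the secret and the helper names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated process memory for one connection: the received heartbeat
 * record sits at the start, and unrelated data (a constructed "secret")
 * sits right after it, as it might on a busy heap. The arrays are big
 * enough that even a maximal 65535-byte over-read stays inside the
 * simulation instead of crashing the demo. */
#define HB_MAX_PAYLOAD 65535
#define HB_PADDING 16
#define MEM_SIZE (3 + HB_MAX_PAYLOAD + HB_PADDING + 256)
#define RESP_SIZE (3 + HB_MAX_PAYLOAD + HB_PADDING)

static const char secret[] = "session=abc123; password=hunter2"; /* constructed */

typedef struct {
    unsigned char mem[MEM_SIZE]; /* mem[0..rec_len) is the record as received */
    size_t rec_len;              /* bytes actually read off the wire */
} sim_conn;

/* Heartbeat message layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Build one whose header claims `claimed_len` bytes but carries `real_len`. */
static void build_record(sim_conn *c, uint16_t claimed_len, size_t real_len) {
    memset(c->mem, 0, sizeof c->mem);
    c->mem[0] = 1;                                   /* TLS1_HB_REQUEST */
    c->mem[1] = (unsigned char)(claimed_len >> 8);
    c->mem[2] = (unsigned char)(claimed_len & 0xff);
    memset(c->mem + 3, 'A', real_len);               /* payload actually sent */
    c->rec_len = 3 + real_len + HB_PADDING;          /* what the server received */
    memcpy(c->mem + c->rec_len, secret, sizeof secret); /* neighbouring heap data */
}

/* Vulnerable handler: the peer-supplied length is trusted, so the memcpy
 * reads past the end of the real record. Returns payload bytes echoed. */
static size_t heartbeat_vulnerable(const sim_conn *c, unsigned char *resp) {
    const unsigned char *p = c->mem;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);  /* n2s(p, payload) */
    const unsigned char *pl = p + 3;
    resp[0] = 2;                                        /* TLS1_HB_RESPONSE */
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, pl, payload);   /* BUG: never compared with c->rec_len */
    return payload;
}

/* Fixed handler: reject records too short to hold header plus padding,
 * and reject any claimed payload that would run past the bytes received. */
static size_t heartbeat_fixed(const sim_conn *c, unsigned char *resp) {
    const unsigned char *p = c->mem;
    if (c->rec_len < 1 + 2 + HB_PADDING)
        return 0;                                       /* silently discard */
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > c->rec_len)
        return 0;                                       /* silently discard */
    resp[0] = 2;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload);                   /* now within the record */
    return payload;
}

/* Did the echoed payload (resp[3..3+n)) carry part of the neighbouring secret? */
static int response_leaks_secret(const unsigned char *resp, size_t n) {
    const char *needle = "password=";
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= n; i++)
        if (memcmp(resp + 3 + i, needle, nl) == 0)
            return 1;
    return 0;
}

/* Scenario helpers: run one request through each handler and report the outcome. */
static int vulnerable_leaks_for(uint16_t claimed, size_t real) {
    static sim_conn c;
    static unsigned char resp[RESP_SIZE];
    build_record(&c, claimed, real);
    return response_leaks_secret(resp, heartbeat_vulnerable(&c, resp));
}

static size_t fixed_echoes_for(uint16_t claimed, size_t real) {
    static sim_conn c;
    static unsigned char resp[RESP_SIZE];
    build_record(&c, claimed, real);
    return heartbeat_fixed(&c, resp);
}

int main(void) {
    printf("vulnerable, claims 64 carries 4: leaks secret = %d\n", vulnerable_leaks_for(64, 4));
    printf("vulnerable, honest 4-byte request: leaks secret = %d\n", vulnerable_leaks_for(4, 4));
    printf("fixed, claims 64 carries 4: echoed %zu bytes (0 = discarded)\n", fixed_echoes_for(64, 4));
    printf("fixed, honest 4-byte request: echoed %zu bytes\n", fixed_echoes_for(4, 4));
    return 0;
}
```

The point to take from the fixed version is that the one missing comparison (claimed length against received length) is the whole bug; nothing about the cryptography was broken, which is why patching the library and then replacing keys is the remedy rather than changing cipher suites.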

Ordinary internet users should change their passwords on affected sites, but generally only after the companies running those sites have done a security audit to check whether they are affected; patched their systems if they are; generated a new public/private key pair and obtained a new SSL certificate, revoking the old one (since the old private key may have been read out of memory); tested the patched systems; informed users that all this has been done and that the system is now secure; and preferably also expired existing login sessions and proactively reset passwords that might have been exposed. Now that the news is out, credible commercial entities are keen to do this in double quick time and many have already done so.

It is not the best advice to change your password before a website has been patched: the new password goes through the same leaky server, so you gain nothing and merely expose your new details as well. Some mainstream news media are telling people to change all their passwords immediately, which is poor advice if it leads you to assume your new credentials are safe when they won't be until the site is fixed. People should check with the company, or with an independent trustworthy source, that the systems have been fixed first. (That said, if someone already holding your compromised credentials chooses to use them in the window before the site is patched, there may be a slight case for changing the password temporarily now and changing it again once the fix is done. None of this is really straightforward, unfortunately.)

All the usual advice about choosing strong passwords applies: change them regularly, don't reuse the same one on different sites (a password stolen from one affected site would otherwise unlock the others), avoid dictionary words and names, make them long, and mix upper and lower case, numbers and symbols.

If a site offers more than one layer of authentication, e.g. a PIN, a password and a token or code sent to your phone, use them; a stolen password alone is then not enough to log in.

Now may also be the time people realise just how many passwords they actually use and consider investing in a password manager such as LastPass, SplashID or Password Genie: software which does the heavy lifting of choosing long, difficult passwords and managing and "remembering" them for you.

Also note that, since the bug has been around for a couple of years, it is likely that organised crime gangs have gathered private keys and credentials from affected sites, as will intelligence and security services like the NSA and GCHQ. Because a malicious heartbeat request leaves no trace in server logs, sites generally cannot tell whether this happened to them. Just to be clear on this: the usernames and passwords used on these sites will likely be in the hands of organised criminal gangs and intelligence services.

The other big issue for ordinary users is finding out exactly which sites were affected and where and when they need to go about changing passwords. Various news sites are providing lists of affected sites and of those that have been patched, but you need to choose your sources of information carefully; mainstream news sites are not always the best guide. We do know the big guys like Google, Facebook and Yahoo! were vulnerable and appear to be patched. Apple and eBay we're not sure about, Tumblr yes, big banks apparently not (but don't quote me on that), LinkedIn apparently not, Amazon no, though Amazon cloud services yes. It's basically taking quite some sorting out.

There are sites that let you test whether a service you use is still vulnerable to Heartbleed, e.g. http://filippo.io/Heartbleed/ or https://www.ssllabs.com/ssltest/. Just enter the URL you are concerned about and click the Go!/Submit button. These are not 100% reliable: they will generate false positives (alerts on sites that are patched) and occasionally false negatives (giving the all clear to insecure sites), and they only test the server you name, not every server behind it or any other service (mail, VPN) the company runs. Do be a little careful with these too, as there will be fake test sites which attempt to mislead people about the security of sites which remain vulnerable.

If people have not heard from the sites they use, they should actively contact them to ask whether they have done the requisite Heartbleed security audit, whether they were affected, and whether they have patched and replaced their keys and certificates; and don't stop asking until a definitive answer is forthcoming. Then, if necessary, change passwords once the fix is in place.

Hope that gives you something to start with.
Comments welcome here or over at OpenLearn.
