The Heartbleed Vulnerability


By now it’s safe to assume that you have at the very least heard the term “Heartbleed.” If you haven’t, have you been…hiding in a cave? Because we live in a world dominated by technology and technological threats, you may have heard about the Heartbleed bug on your local news and ignored the threat. I must admit when I first read about the threat I was somewhat concerned but more skeptical about its potential impact than the news and their tech security experts were eloquating. Yes that is a word for those sesquipedalians out there who may doubt my choice in verbiage because most spell checks have a limited vocabulary and will tell you with their uncouth red lines that it is not spelled correctly…the Philistines.

Where was I…ah yes…Heartbleed. My skepticism comes from the numerous threats brought to our attention over the past 20 years that have not brought about the technological Armageddon they promised – beginning with “Y2K.” I also happen to be friends with some of the most intelligent and talented IT professionals you will ever want to meet, and they have helped me prevent exposure to the threats we have faced.

With that said, Heartbleed needs to be taken seriously as a potentially dangerous security threat to any of the information you have shared with any company employing OpenSSL in their servers/sites as part of their business operation. Sounds bad, and it can be. The worst part is there is no way to know the attack has happened: exploiting the flaw leaves no trace in the server’s logs. Heartbleed isn’t malware; it is a bleeding of random data from memory.

What is Heartbleed?

Technically speaking Heartbleed is “The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.”

In essence Heartbleed is a flaw in a product called OpenSSL. OpenSSL was created to secure web traffic through encryption. This flaw is in the TLS heartbeat extension, a “keep-alive” feature, and it can provide unscrupulous attackers the opportunity and ability to receive unencrypted data (which may or may not be sensitive personal data) from the memory space of a vulnerable OpenSSL server or client: email, your financial information, passwords, even the private keys used for encryption. I think it’s obvious that any one of these scenarios could have disastrous consequences.
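To make the “buffer over-read” in the description above concrete, here is an added example written for this post; it is not OpenSSL’s code and not the author’s. It models a heartbeat request (type byte, two-byte payload length, payload, padding) inside a constructed memory arena, with a constructed secret placed right after the record the way neighbouring heap data would be. The vulnerable handler trusts the payload length claimed in the packet and copies that many bytes; the fixed handler applies the kind of length check the 1.0.1g patch added (reject the request if the claimed payload plus header and padding exceeds the record actually received). The arena, the secret string and all function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record layout: type(1) | payload_length(2) | payload | padding(16).
 * `arena` is a constructed stand-in for process memory: the record sits at the
 * front and a constructed secret sits right after it. */
#define HB_REQUEST  1
#define HB_PADDING  16
#define ARENA_SIZE  256

static uint8_t arena[ARENA_SIZE];
static const char SECRET[] = "CONSTRUCTED-SECRET-KEY-MATERIAL"; /* constructed sample */

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * but which actually carries only `actual_len`. Returns the true record length. */
size_t build_request(uint16_t claimed_len, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    /* The secret lives just past the record, as adjacent heap data would. */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Pre-1.0.1g behaviour: the length field in the packet is trusted.
 * Returns the number of payload bytes echoed into `out`, or -1 if refused. */
int hb_respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                   /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len > out_cap) return -1;    /* demo guard only, keeps this program memory-safe */
    if ((size_t)payload_len > ARENA_SIZE - 3) return -1; /* demo guard only: stay inside the arena */
    memcpy(out, rec + 3, payload_len);               /* copies past the real payload into the secret */
    return (int)payload_len;
}

/* 1.0.1g-style behaviour: discard the request if the claimed payload (plus
 * header and padding) would exceed the record that was actually received. */
int hb_respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* too short for a header and padding */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1; /* the missing bounds check */
    if ((size_t)payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Does the echoed response contain the adjacent secret? 1 = yes, 0 = no. */
int leaks_secret(const uint8_t *out, int n) {
    if (n < 0) return 0;
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t out[128];
    size_t rec_len = build_request(64, 8);          /* claims 64 bytes, really sends 8 */
    int n = hb_respond_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: echoed %d bytes, secret leaked: %s\n", n, leaks_secret(out, n) ? "yes" : "no");
    n = hb_respond_fixed(arena, rec_len, out, sizeof out);
    printf("fixed: %s\n", n < 0 ? "request rejected" : "echoed");
    rec_len = build_request(8, 8);                   /* honest request */
    n = hb_respond_fixed(arena, rec_len, out, sizeof out);
    printf("fixed, honest request: echoed %d bytes\n", n);
    return 0;
}
```

The point to take from the two handlers is that nothing in the malformed request is invalid TLS, and the server sends a perfectly normal-looking response; the only defence is the one-line check comparing the claimed length against the bytes actually received, which is why patching (or upgrading past 1.0.1f) is the remedy rather than any log review.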

What can be done?

Well, if you are a company employing the vulnerable OpenSSL, Tech Republic’s Jack Wall has a short and logical list of next steps:

  1. Alert users of the flaw
  2. Locate the flawed code
  3. Patch the flawed code
  4. Test the new code
  5. Release the patched code

Most, if not all of the companies with the Heartbleed vulnerability have at least done steps 3-5 already.

Here is a short list of companies that are or may be vulnerable:
 – Amazon’s Web Services
 – Box
 – Dashlane
 – Dropbox
 – Etsy
 – Facebook
 – Flickr
 – GitHub
 – GoDaddy
 – Google (this includes gmail & YouTube)
 – Instagram
 – LastPass
 – Minecraft
 – Netflix
 – Pinterest
 – Tumblr
 – Wikipedia
 – WordPress
 – Yahoo (includes Yahoo mail)

This is by no means a complete list and we encourage you as a consumer to touch base with any company that has sensitive data about you to see if they are indeed dealing with this threat in an efficient manner.

Your next steps are simple. Change all of your passwords. That’s right, all of them. As you do this create a hard copy; we used to call this writing it down, but that is so 1990s. Write down the name of the account/service/company/app/website. Next write down your user name, the email account you use for this account, as well as the old and new password. You can also save a document with this information on your computer, or use a password manager. However, depending on your security (both online and off) there is a risk that someone might somehow get past your security and find these passwords. We would also recommend testing the servers/URLs that you use at this site: Heartbleed Test.

Your best bet is to consult with a trusted IT professional who is not only talented and experienced but has a good working knowledge of your situation (i.e. industry, home network, cloud storage). And if you haven’t figured this out yet, CHANGE YOUR PASSWORDS! Just to be clear: this is one of the best safety protocols available and it is free. Regularly change your passwords. Yes it can be a hassle, but nothing compared to identity theft, the loss of financial security, and the profound amount of time and energy it takes to restore (if possible) what has been lost. As always CSI Onsite is available to aid you with this issue; please contact us if we may be of assistance.
