Here we go. Another online security alert, reports of widespread personal information vulnerability, dire warnings, alleged security breaches at the biggest websites around and a general the-sky-is-falling panic in the media.
It’s all about something called the Heartbleed bug, a wide-reaching security vulnerability in OpenSSL, the SSL (Secure Sockets Layer) software used to secure something like 20% (one in five) of the websites on the Internet. The sites that use SSL start with https://, not the normal http://. Not all https:// sites are or were vulnerable, but every site that was vulnerable does use the https:// prefix.
According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server’s digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”
The problem is, the flaw has been exploitable for at least two years, and it was only discovered Monday. Nobody knows for sure whether hackers have been quietly stealing personal information for months. Some compromised Yahoo! accounts have had passwords lifted, according to reports.
What we do know is this security hole is potentially one of the most serious yet.
This is as if you went away on a six-month vacation and forgot to lock the back door of your house. If a burglar went snooping around and tried it, well, they could take anything, because they’d have access.
That’s why so many normally staid security experts are sweating bullets. This security flaw is as big as they get. Tens of thousands of websites that used SSL to handle the user names, passwords, credit card numbers and more of millions of people have been at risk. Their back doors were open.
Codenomicon, a Finnish security firm that was instrumental in discovering the bug, provides this dire account:
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
This isn’t just theoretical. Codenomicon goes on…
“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”
Now you know why they call it the Heartbleed bug. When it is exploited, it leads to the leak of memory contents from the server to the client and from the client to the server.
Since Monday, IT security experts have been inoculating their servers and shutting down the hole. They have, in essence, closed and locked the back door. Here’s a list from Mashable that tallies which big Internet sites have updated and protected themselves. Some were vulnerable. Others were not.
But what does that mean to you?
It means you should probably start changing your passwords. But… only if the site has done the update. If the bug hasn’t been fixed, changing your old password to a new one would just leave your new password exposed as well.
How do you know whether you need to do this? The best resource I’ve seen is from the password manager service LastPass. They have a free tool that lets you plug in the SSL sites you use to see if they are vulnerable.
This all points to the need to set strong passwords.
I suggest that each password you set:
- Is at least eight characters long.
- Does not contain your user name, real name, or company name.
- Does not contain a complete word.
- Is significantly different from previous passwords. Do not use the same password on different sites.
- Mixes upper- and lower-case letters, numbers and punctuation marks.
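As an added illustration (not part of the original post), here is a small Python checker that applies the five rules above to a candidate password; the built-in word list, the 60% similarity threshold and the sample inputs are my own assumptions.

```python
"""Apply the five password rules above. Added example, not from the post."""
import difflib
import re
import string

# Constructed stand-in for a real dictionary: a password that contains any
# of these complete words is rejected (rule 3).
COMMON_WORDS = {"password", "welcome", "monkey", "dragon", "letmein", "secret"}

# Assumption: a SequenceMatcher ratio above this means "too close" to an
# old password (rule 4).
SIMILARITY_THRESHOLD = 0.6


def check_password(password, username="", real_name="", company="",
                   previous=(), wordlist=COMMON_WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lower = password.lower()

    # Rule 1: at least eight characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # Rule 2: must not contain the user name, real name or company name.
    # Each name is split into words so "Jane Doe" also catches "doe".
    for label, value in (("user name", username), ("real name", real_name),
                         ("company name", company)):
        for part in value.lower().split():
            if len(part) >= 3 and part in lower:
                problems.append(f"contains {label} ({part})")

    # Rule 3: no complete dictionary word anywhere in the password.
    for word in wordlist:
        if word in lower:
            problems.append(f"contains the word '{word}'")

    # Rule 4: significantly different from every previous password.
    for old in previous:
        ratio = difflib.SequenceMatcher(None, lower, old.lower()).ratio()
        if ratio > SIMILARITY_THRESHOLD:
            problems.append(f"too similar to a previous password ({ratio:.0%})")

    # Rule 5: upper case, lower case, digits and punctuation must all appear.
    missing = [name for name, ok in (
        ("upper case", any(c.isupper() for c in password)),
        ("lower case", any(c.islower() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("punctuation", any(c in string.punctuation for c in password)))
        if not ok]
    if missing:
        problems.append("missing " + ", ".join(missing))

    return problems
```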
How do you keep track of them? With a password manager. Just do a search on the term and you’ll find plenty to choose from. For the record, I use LastPass.