Security Advisor

What To Do in the Wake of the Heartbleed Bug

While Web sites scramble to patch the vulnerability, it's time to change your online passwords.

This week's disclosure of the Heartbleed bug, a flaw in the OpenSSL open source encryption toolkit that lets anyone who can connect to a server read up to 64 KB of that server's process memory per request, with no authentication required, is an incredibly big deal. For the past two years, much of our private online data -- including passwords, credit card information, billing addresses and user names -- held in memory by some of the biggest Web sites out there could have been read by strangers with a little Web know-how.

"Heartbleed is like finding a faulty car part used in nearly every make and model, but you can't recall the Internet and all the data you put out on it," said Jonathan Sander, strategy and research officer at security firm STEALTHbits Technologies, in an e-mailed statement. "Having common technology is typically viewed as a good thing. But it can also lead to assumptions. People assume the parts they use are safe if everyone uses them. If deep testing isn't being done by the good guys to make sure those parts stay safe over time, then you can be sure the bad guys will find the faults first."

The problem is that we don't know whether the bad guys found the fault first (the smart money says yes). Because a malformed heartbeat request is answered like any other and nothing is logged, an attacker could have hit a single server millions of times over the last two years without leaving a trace. As with any breach, monitoring your online accounts, including financial statements, for suspicious activity is the only way to tell whether you're a victim.
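
To make the mechanism concrete, here is an added example written for this page, not OpenSSL's own code. It models a heartbeat record as laid out in RFC 6520 (a 1-byte type, a 2-byte payload length, the payload, then padding), a vulnerable handler that trusts the attacker-supplied payload length the way OpenSSL 1.0.1 through 1.0.1f did, and a fixed handler that checks that length against the record actually received, which is the substance of the 1.0.1g fix. The "process memory" bytearray, the gap and the secret string are constructed stand-ins, and the function names are my own.

```python
"""Model of the Heartbleed over-read (CVE-2014-0160) and of its fix.

Added illustration, not OpenSSL's code. Record layout per RFC 6520:
1-byte type, 2-byte payload_length, payload, then >= 16 bytes of padding.
"Process memory" is one bytearray: the received record sits at offset 0,
followed by a gap and then unrelated data (a constructed sample secret).
"""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16

# Constructed sample of other data living in the server process.
SECRET = b"session_cookie=abc123; password=hunter2"


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Encode a heartbeat request. An honest client passes
    claimed_len == len(payload); an attacker lies about it."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


def lay_out_memory(record: bytes, gap: int = 64) -> bytearray:
    """Record at offset 0, then a gap, then the secret, then zero fill
    up to 3 + 65535 bytes so any 16-bit over-read stays inside the model."""
    mem = bytearray(record + b"\x00" * gap + SECRET)
    mem += b"\x00" * (3 + 0xFFFF - len(mem))
    return mem


def process_heartbeat_vulnerable(mem: bytearray, rec_len: int) -> Optional[bytes]:
    """OpenSSL <= 1.0.1f behaviour: copy payload_length bytes back to the
    peer without ever comparing it to the length of the record received."""
    hbtype = mem[0]
    (payload_len,) = struct.unpack("!H", mem[1:3])
    if hbtype != HB_REQUEST:
        return None
    # rec_len is never consulted: that is the bug.
    payload = bytes(mem[3:3 + payload_len])  # reads far past the 1-byte payload
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * PADDING


def process_heartbeat_fixed(mem: bytearray, rec_len: int) -> Optional[bytes]:
    """Post-1.0.1g behaviour: silently discard any record whose declared
    payload_length does not fit inside the bytes actually received."""
    if 1 + 2 + PADDING > rec_len:
        return None  # too short to be a heartbeat at all
    hbtype = mem[0]
    (payload_len,) = struct.unpack("!H", mem[1:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > rec_len:
        return None  # declared length exceeds the record: drop it
    payload = bytes(mem[3:3 + payload_len])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * PADDING


def leaked_secret(response: Optional[bytes]) -> bool:
    """True when the heartbeat response carries bytes from outside the record."""
    return response is not None and SECRET in response


if __name__ == "__main__":
    evil = build_heartbeat(0x4000, b"A")  # claims 16 KiB, actually sends 1 byte
    mem = lay_out_memory(evil)
    print("vulnerable leaks secret:", leaked_secret(process_heartbeat_vulnerable(mem, len(evil))))
    print("fixed leaks secret:     ", leaked_secret(process_heartbeat_fixed(mem, len(evil))))
    honest = build_heartbeat(5, b"hello")
    print("fixed answers honest request:",
          process_heartbeat_fixed(lay_out_memory(honest), len(honest)) is not None)
```

Two things the model makes visible: the vulnerable path answers the lying request exactly as it would a legitimate one, which is why there is nothing to find in server logs afterwards, and the fix is a length check, not a change to TLS itself, which is why the protocol and the certificates are not at fault.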

Industry Reaction
While it's easy to advise users to keep an eye on their online accounts and data, the Heartbleed bug is present on millions of Web sites and Web services because OpenSSL is the default Secure Sockets Layer/Transport Layer Security (SSL/TLS) library for the Apache and NGINX Web servers. Those affected include heavy hitters like Google, Yahoo, Netflix, Facebook, Instagram, Twitter and PayPal.

(It's worth noting that Microsoft's online services, including Microsoft Azure, are not affected by the Heartbleed bug because the company uses its own SSL/TLS implementation, Secure Channel (Schannel), rather than OpenSSL.)

The security industry reacted quickly: shortly after Monday night's disclosure of the bug, a fixed OpenSSL release (1.0.1g) was available and vendors began shipping patched packages. That doesn't undo two years of potential exposure or recover whatever might have been swiped, but it does stop the bleeding. It's now up to Web sites and service providers to patch their servers.

As expected, many of the big names were quick to get their systems patched and get the word out that it's safe to use their services. As of midday on Wednesday, Google announced that it had updated many of its services. "We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine," said Matthew O'Connor, Google product manager, in a blog post.  "Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services."

Many others have already followed suit, including Instagram, Facebook and Yahoo. Users can also check whether a site is still vulnerable before visiting it through this online Heartbleed test site.

To restore consumer confidence, the big names have mostly fallen in line. The problem now lies with the smaller sites that may not have the know-how or the manpower to roll out the OpenSSL patches quickly. For businesses that may still be running a vulnerable version of the library, Symantec's Dick O'Brien recommends these steps:

  • Remember that the flaw lies in the OpenSSL library "and not a flaw with SSL/TLS nor certificates issued by Symantec [or other security firms]."
  • Those running OpenSSL 1.0.1 through 1.0.1f need to update to version 1.0.1g or recompile OpenSSL with the heartbeat extension disabled (the -DOPENSSL_NO_HEARTBEATS build option). The older 1.0.0 and 0.9.8 branches never had the extension and are not affected. Note that Linux distributions typically backport the fix without changing the reported version string, so check the package changelog rather than trusting the output of openssl version alone.
  • If there's concern that Web server certificates have been compromised (the leaked memory can include the server's private key), contact the firm that issued the certificates for replacements. A replacement only helps if it is issued for a newly generated private key and the old certificate is revoked.
  • "Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory."
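
As an added helper for the steps above (example code written for this page, not the article's or Symantec's), the script below classifies the output of openssl version against the affected range and inspects openssl version -a for the OPENSSL_NO_HEARTBEATS build flag that a no-heartbeats rebuild leaves in the reported compiler options; that flag check is an assumption about how the build records the option. The sample command outputs are constructed so the example runs offline, and the function names are my own.

```python
"""Triage helper for Heartbleed remediation: added example, not project code.

Classifies an "openssl version" string against the range that shipped with
the bug (1.0.1 through 1.0.1f, and 1.0.2-beta1) and checks "openssl version -a"
output for the OPENSSL_NO_HEARTBEATS define that ./config no-heartbeats adds
(assumed to appear in the reported compiler flags).
"""
import re
import subprocess

_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-(\S+))?", re.M)


def parse_openssl_version(text):
    """('1.0.1', 'e', 'fips') from 'OpenSSL 1.0.1e-fips 11 Feb 2013'; None if unrecognised."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3) or ""


def version_ships_with_heartbleed(text):
    """True when the reported upstream release carried the bug.
    1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is the fix.
    1.0.2-beta1 also carried it. 1.0.0 and 0.9.8 never had heartbeats."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return False
    base, letter, tag = parsed
    if base == "1.0.1":
        return letter == "" or letter <= "f"
    if base == "1.0.2":
        return tag == "beta1"
    return False


def heartbeats_compiled_out(version_a_text):
    """True when the build flags show the heartbeat extension compiled out."""
    return "OPENSSL_NO_HEARTBEATS" in version_a_text


def assess(version_text, version_a_text):
    """Return 'unaffected', 'mitigated' or 'patch'.
    Caveat: distributions backported the fix without bumping the upstream
    version, so 'patch' for a distro package means 'check the package
    changelog', not 'certainly exposed'."""
    if not version_ships_with_heartbleed(version_text):
        return "unaffected"
    if heartbeats_compiled_out(version_a_text):
        return "mitigated"
    return "patch"


def assess_local():
    """Run the two openssl commands on this host (not exercised offline)."""
    v = subprocess.check_output(["openssl", "version"], text=True)
    va = subprocess.check_output(["openssl", "version", "-a"], text=True)
    return assess(v, va)


# Constructed sample outputs so the example runs without an OpenSSL install.
SAMPLE_VULN = "OpenSSL 1.0.1e 11 Feb 2013"
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014"
SAMPLE_FLAGS_NOHB = ("OpenSSL 1.0.1e 11 Feb 2013\n"
                     "compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_HEARTBEATS -O3")

if __name__ == "__main__":
    for label, v, va in [("stock 1.0.1e", SAMPLE_VULN, SAMPLE_VULN),
                         ("1.0.1g", SAMPLE_FIXED, SAMPLE_FIXED),
                         ("1.0.1e rebuilt no-heartbeats", SAMPLE_VULN, SAMPLE_FLAGS_NOHB)]:
        print(f"{label}: {assess(v, va)}")
```

A 'patch' verdict is the cue to run the remaining steps: upgrade or rebuild, generate a new key and reissue the certificate, then reset end-user passwords. The version check alone is not proof of exposure on a distribution-packaged OpenSSL, for the backport reason noted in the code.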

End User Actions
"This is probably the worst bug discovered this year. We believed in the security of SSL/TLS, and now discover that it comes with a hole that allows anyone to read our personal information such as passwords, cookies or even server's private keys," said Jiri Sejtko, director of the AVAST Virus Lab, in a blog post. "We, as end users, simply can't do anything, but make sure we are as secure as possible."

And that means it's time to change all your online passwords. Many sites have already taken Symantec's last piece of advice and forced password resets on their users. For those that haven't, you may be inclined to go ahead and reset your password yourself. Don't, at least not yet.

The issue is that many sites are still running an unpatched OpenSSL. Changing your password on such a site changes nothing, because the new password passes through the same vulnerable server and can be read out of its memory just like the old one. Security experts recommend avoiding sites that are still unpatched until the fix has been applied and, once a site is patched (and, ideally, has replaced its certificate, since the old private key may have leaked too), changing your password there.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
