Don’t let your #heartbleed over web security

HeartbleedOne word that’s been all over the web this past week is ‘Heartbleed.”

Together with a highly-visible image, it has been the focus of much commentary and opinion, some of it contradictory, some of it confusing.

Heartbleed is a major security vulnerability on the internet, one that I’ve seen described as “11 on a a scale of 1 to 10” where 10 equals ‘catastrophe.’

All of the focus has led to widespread public awareness on an international level of what Heartbleed is,  and why people need to give it their attention. What is hasn’t yet done is lead to widespread public understanding on what is a sensible course of action that individuals and organizations can take to address it.

Some people say you should change all your online passwords to ensure that your access to websites you use that require passwords isn’t compromised. Others disagree.

Heartbleed in RSS feed

With so much FUD out there – you should see the quantity of varied content about Heartbleed in my RSS reader – it’s hard to know in lay terms what you should actually do that will give you confidence that you’ve done the right thing.

Well, there are some simple and rapid first steps you can take.

Regarding places online that you use and that are essential services from your point of view – that might include social networking sites like Twitter, Facebook and LinkedIn; and services like online banking, email and shopping – your first step should be to check with the services concerned to see what they say about Heartbleed.

For instance, LinkedIn – when I visited the website in recent days, I saw a prominent message in a top-of-screen banner that says, in essence, that LinkedIn hasn’t been affected at all by Heartbleed.

LinkedIn Heartbleed banner

I didn’t see any such message in accessing LinkedIn via its Android app, though.

I was reassured to see a clear message about Heartbleed from Lloyds Bank when I logged in to the online banking site on Saturday, saying “we would like to reassure our customers that our online banking systems are not exposed to this vulnerability.”

Lloyds Bank Heartbleed message

That’s precisely the kind of message you want to look for from any service you use online. And proactively so – just like LinkedIn and Lloyds Bank – rather than not knowing and having to ask.

If you use the Google Chrome browser on a Windows computer, you can install the Chromebleed Checker extension that runs in the background checking every website you visit. It displays a warning if a site you’re visiting might be affected by the Heartbleed bug.

Chromebleed Checker alert

Quite disconcerting when an alert does pop up! But it offers no information on what to do or where to get more details or help. Note the “could be vulnerable…” text. And see the mixed reviews.

Still, it may serve a good purpose in bringing the broad issue of security to the closer attention of website users and owners.

As for changing passwords, I think you need to be a bit circumspect. It seems to me that there’s little point in doing a wholesale change-every-password activity unless:

  • you know or feel concerned that you can no longer trust a particular online place,
  • you know for sure that it’s compromised and therefore not safe, or
  • a particular site has told you to change your password.

And consider this – there is no point in changing your password for a site you think might be affected by Heartbleed but you don’t really know for sure as your new password will be just as much at risk as the old one if the site actually is vulnerable but hasn’t fixed the vulnerability yet.

A good start would be listing every service you use online that’s important to you, asking those services about Heartbleed (and searching online for what’s being said about that service in this context), and then making a decision about passwords.

Mashable published a useful list of many social networks and other companies’ sites with information that helped Mashable recommend whether to change your password or not.

mashablelistheartbleed

Mashable’s recommendation for most of the social networks in the list is “change your password!”

Those sites are Facebook, Instagram, Pinterest and Tumblr. Keep an eye on the sites of the services you use to look for news about patches or fixes, as well as their Twitter handles and other social places they also use. And email.

But there’s more.

CNN reports that Heartbleed doesn’t just affect websites, it also has shown up in the devices we use to connect to the internet.

[...] Tech giants Cisco and Juniper have identified about two dozen networking devices affected by Heartbleed, including servers, routers, switches, phones and video cameras used by small and large businesses everywhere. The companies are also reviewing dozens more devices to determine whether they’re impacted by the bug as well.

ZDNet reports that iOS and OS X  - Apple’s operating systems for its mobile devices and computers respectively – don’t have the Heartbleed bug but Blackberry’s BBM for iOS and Android do.

[...] BlackBerry has now confirmed that several of its products, including BBM for iOS and Android were affected by the Heartbleed. BBM has about 80 million users. Other BlackBerry products affected include its rival to Samsung’s Knox, Secure Work Space for iOS and Android, and BlackBerry Link for Windows and Mac OS.

BlackBerry doesn’t have a patch for any of the products yet, but worse yet there are “no mitigations” for the vulnerability in BBM or Secure Work Spaces.

According to ZDNet, Google said that Android 4.1.1, Jelly Bean, was affected by the bug and it was developing a patch and distributing it to Android partners. 

A complex and alarming landscape we find ourselves navigating today with a huge amount of information swirling out there but not enough clarity yet.

Don’t be caught out through not taking some common-sense steps to protect your information (and identity). Make sure you install any software updates or patches for your mobile devices as they become available.

Above all, make sure you have strong and unique passwords for all the important-to-you places you use. Yes, it’s a pain to have to make separate and unique hard-to-remember passwords for every place you use rather than one or a few passwords, named after your cat or your first date, for everything.

Just say to yourself: “Prudence is a virtue.”

And while you’re at it, I strongly suggest you use two-factor authentication wherever it’s available (here’s why).

Additional reading about Heartbleed:

  • The Heartbleed Bug: “The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)…”
  • Here’s everything you need to know about the Heartbleed web security flaw by Mathew Ingram in GigaOm: “Researchers have discovered a serious flaw known as Heartbleed that affects the security software that runs on about two-thirds of the servers on the internet and could expose user data, including passwords…”
  • The Heartbleed Hit List: The Passwords You Need to Change Right Now by the Mashable Team: “An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services – ones you might use every day, like Gmail and Facebook – and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years…”
  • PR pros: Comms response to Heartbleed must be proactive and quick by PR Week US edition: “The Heartbleed computer bug that has left many websites vulnerable and open to data theft this week could affect more than Internet Web servers, according to security experts. Since the encryption flaw surfaced on [April 7], it has affected companies including Amazon.com, Google, and Yahoo…
  • Here’s why it took 2 years for anyone to notice the Heartbleed bug by Timothy B. Lee in Vox: “What caused the Heartbleed Bug that endangered the privacy of millions of web users this week? On one level, it looks like a simple case of human error. A software developer from Germany contributed code to the popular OpenSSL software that made a basic, but easy-to-overlook mistake. The OpenSSL developer who approved the change didn’t notice the issue either, and (if the NSA is telling the truth) neither did anyone else for more than 2 years…”