Much has been made recently of a bug in OpenSSL, a critical security library that implements the encryption protocol used across the internet. The bug, known as Heartbleed, allows hackers to read the memory of a web server and potentially acquire the server’s private key. This would enable hackers to do all sorts of nefarious things to the website itself as well as its users. While the worst of the Heartbleed storm passed without incident, it is still important to know what it really meant to internet users, what effect it should have on our habits and how it will affect the internet in the future.
The first thing to understand about Heartbleed is that the potential for disaster was very, very high. OpenSSL, the library that Heartbleed affected, is used by a full 2/3 of the top 5000 websites on the internet. Fortunately, it was discovered by the good guys long before the bad guys had a chance to exploit the bug. This means that most of the really important websites were offered the opportunity to patch the vulnerability before the bug was made public. Common sites like Facebook, Twitter, Gmail, banks and such had already been made aware of the bug and had fixed it before most of us knew it existed. By the time the hacking community was aware of the bug, they weren’t really able to do much with it. However, that didn’t keep them from trying. That brings us to the next important point to understand about Heartbleed.
Many of the world’s top internet security experts analyzed data from thousands of servers and discovered that nearly all of the attempts to take advantage of Heartbleed were made after the bug was made public. Since most of those affected had patched the bug, the exploit returned no information to the hackers. It seems highly unlikely that there are many, if any, hackers that were able to acquire valuable information from the servers they attempted to exploit. So, what if they did manage to use Heartbleed to read a server’s memory? What would they have been able to acquire? Odds are, not much. The way the bug worked, it pulled whatever data happened to remain resident in the server’s memory, and only 64 KB at a time. This dramatically reduces the chances that hackers would grab both your user name and your password.
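To show concretely why the bug leaked "whatever was next in memory", here is an added illustration in C (not code from the original post, and not OpenSSL’s own source): a simplified heartbeat handler with the missing length check beside the corrected one. The record layout, the constant names and the "secret" placed after the request are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record: type(1) | payload_len(2, big-endian) | payload | padding(16).
 * Both handlers are illustrative, not OpenSSL's code. */
#define HB_REQUEST 1
#define HB_RESPONSE 2
#define PADDING 16
#define HDR 3

/* Vulnerable handler: trusts the peer-supplied payload_len and copies that many bytes from
 * the record even when the record is shorter, so whatever sits after it in memory is echoed back. */
size_t heartbeat_vulnerable(const unsigned char *rec, unsigned char *resp) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(claimed >> 8); resp[2] = (unsigned char)claimed;
    memcpy(resp + HDR, rec + HDR, claimed);               /* over-read: no bounds check */
    return HDR + claimed;
}

/* Fixed handler: same logic, but the claimed length is checked against the real record
 * length first and a record that fails the check is silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *resp) {
    if (rec_len < HDR + PADDING) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST) return 0;
    if ((size_t)HDR + claimed + PADDING > rec_len) return 0;  /* the missing check */
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(claimed >> 8); resp[2] = (unsigned char)claimed;
    memcpy(resp + HDR, rec + HDR, claimed);
    return HDR + claimed;
}

/* Constructed "server memory": a request claiming 64 bytes but carrying 4, followed by a
 * made-up secret. One arena keeps the demo's over-read inside a valid allocation. */
static unsigned char arena[128];
static const char secret[] = "PRIVATE-KEY-MATERIAL";
/* Returns 1 if the vulnerable handler echoes the secret and the fixed handler refuses. */
int demo_leak(void) {
    unsigned char resp[128] = {0};
    const unsigned char req[] = {HB_REQUEST, 0x00, 0x40, 'p', 'i', 'n', 'g'}; /* len 0x40 = 64 */
    size_t rec_len = sizeof req + PADDING;                 /* real record: 3 + 4 + 16 = 23 bytes */
    memset(arena, 0, sizeof arena);
    memcpy(arena, req, sizeof req);
    memcpy(arena + rec_len, secret, sizeof secret);         /* "next" memory after the record */
    size_t n = heartbeat_vulnerable(arena, resp);
    int leaked = n == HDR + 64 && memcmp(resp + rec_len, secret, strlen(secret)) == 0;
    int refused = heartbeat_fixed(arena, rec_len, resp) == 0;
    return leaked && refused;
}
```

The real bug allowed a claimed length of up to 65535, which is where the "64 KB at a time" figure in the post comes from; the fix is the single length comparison in the second handler.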
So does this mean that there is nothing to worry about and you can just ignore the Heartbleed hype? Not exactly. The problem is that while it looks as if everything is going to be OK, there are no guarantees. And since the threat of what this bug was capable of, or the potential for it to be expanded, still exists, it’s best that users take some action. Namely, change your passwords on everything. Obviously, this is a huge pain in the neck. However, this is always a good habit to get into anyway. It’s not a bad idea generally to change all your passwords once a quarter at minimum. If that seems like too much work for you, consider a password manager such as LastPass, KeePass or RoboForm. These services enable you to store randomly generated, long passwords for all your websites in a secure, encrypted vault that no one (not even the company itself) has access to. You simply enter one password into the service and it will automatically log you in to any password-protected sites you visit. If you want to change your password for any site, the service can do it for you and you still won’t be required to remember it. These services can also work at an enterprise level. This means that employees that need to have access to, say, the company Facebook page, will log in using their password manager and will never actually know the password. If that employee leaves, you simply deactivate their LastPass or KeePass account and they lose access to all corporate internet accounts.
The important thing to keep in mind with all of this is that there are always going to be vulnerabilities that are exposed. There are also always going to be vulnerabilities that aren’t exposed. The best way to keep yourself safe is to be smart about where you go and what you do when you get there. The same rules always apply: don’t click links you can’t absolutely trust, and don’t download or open files or attachments you can’t absolutely trust. YOU are the best anti-malware program there is. If you want more information about how you can put the right procedures in place to protect you or your company, feel free to contact us. We’ll be happy to help any way we can.