Heartbleed Bug Demonstrates Deep Vulnerabilities of the Web


If you haven’t yet heard, a massive vulnerability in a key piece of security software was announced this week. Researchers call it the Heartbleed bug.

Simply put, it is not your fault. Web servers at banks, airlines, and shopping sites use a type of encryption called Secure Sockets Layer, or SSL. Your browser displays a lock icon in the address bar, and may even turn it green, to show you have a secure connection. Many websites use a piece of open source software called OpenSSL; open source means nobody owns it and everyone can see the code.

OpenSSL is where the vulnerability was found. The problem is that two thirds of all internet sites that use SSL to secure the communication between your browser and their server use OpenSSL.

Why is that a problem? This bug means hackers can intercept what is supposed to be encrypted information between your browser and the bank’s server. In other words, what is supposed to be unreadable is readily readable to criminals.

And it gets worse.

In the past 24 hours or so word has leaked out that the core equipment used for the internet itself and most corporate networks has this bug too. According to Network World, Cisco and Juniper routers are affected.

This is where it gets really ugly.

Fixing the OpenSSL bug on a website is relatively easy, and the majority of websites have already applied the patches. Tracking down every router, taking it offline, and installing patches from the vendors is a time-consuming and difficult process that might take months.

Initially I wasn’t too concerned about you and me. This latest round of news truly has me worried and you need to take action now.

I am now suggesting to you and everyone you know that you take the time to change your password on every bank, shopping, travel, etc. website where you transact business with username/password and/or credit card information.

And then do it again in a week and then again in a month.

Too difficult to remember all of your passwords? There are tools to help you besides sticky notes on the side of your monitor.

Protect your passwords using software like Password Safe, 1Password, or pwSafe. Those applications are a securely encrypted safe in which to store all of your passwords. Use the random password generator in the software to create your passwords.

When you use software like those three, use an entire phrase as the master password: something you can remember, like the old “The quick brown fox jumps over the lazy dog”, but make sure to use spaces and capital letters, and even the quotation marks if you’d like.

Here are some basic rules:
• Always use a password; never let a password be blank
• Always change a password immediately after receiving one that was given to you
• Use as many characters as possible when creating a password; don’t just use eight, use 16 or 20 or more
• Use different passwords everywhere, at least for sensitive information like banks or anywhere they might store your credit card information

UPDATE 4/12/14 11:30 PDT – McAfee has a handy tool for testing websites for the Heartbleed vulnerability. You can use it to test a site BEFORE you visit it.

Interview With Glen Biegel on KBYR AM 700 July 2 2013

Today on the Glen Biegel Show, KBYR AM 700, Anchorage, Alaska, we joked about mosquitoes and discussed gigabit Wi-Fi, the complexity of computers and their code, and wearable technology. Check out my geeky side by clicking the link below!

Glen Biegel Interview July 2, 2013


Change Your Passwords Now

Since the first computer virus was created in 1982, everyone who uses a computer has needed to take precautions to safeguard data and sensitive personal information.

Endless streams of stories about hacks of government sites, the Federal Reserve, major industries, and both large and small banks should all keep you on edge. Websites you use like Facebook, LinkedIn, eHarmony, and last.fm have all suffered from attacks which potentially stole your passwords.

These are just the latest in a long history of sites being attacked and passwords compromised.

Those attacks are not all. Your friends on Facebook start posting weird messages because their accounts have been compromised; you find out that another friend has been abducted in London and needs money wired; the UN has millions of dollars waiting and you could help and get a percentage; or you get another email from your “bank” asking for personal information.

You can never let your guard down or you too could be taken.

Change your passwords right now. It is likely that you have not changed them in a long time, you use a weak password, or a combination of the two.

Too difficult to remember all of your passwords? There are tools to help you besides sticky notes on the side of your monitor.

Protect your passwords using software like Password Safe, 1Password, or Password Gorilla. Those applications are a securely encrypted safe in which to store all of your passwords. Use the random password generator in the software to create your passwords.

When you use software like those three, use an entire phrase as the master password: something you can remember, like the old “The quick brown fox jumps over the lazy dog”, but make sure to use spaces and capital letters, and even the quotation marks if you’d like.

In all applications and on all websites, always use a password, never keep a default password, make the password as long as you can, don’t reuse the same password in multiple sensitive places, and protect your passwords.

Here are some basic rules:
• Always use a password; never let a password be blank
• Always change a password immediately after receiving one that was given to you
• Use as many characters as possible when creating a password; don’t just use eight, use 16 or 20 or more
• Use different passwords everywhere, at least for sensitive information like banks or anywhere they might store your credit card information

Since email and HTML (the language of the web) were created before the commercialization of the Internet, security was not a primary concern. As a result, spoofing and phishing are possible. Phishing emails are the number one way hackers get your personal information and make your computer part of a zombie botnet. Spoofing is when an email appears to come from a source other than its true source.

The most common spoofing and phishing attacks are fake emails from a bank, the IRS, or the Social Security Administration. These emails are made to look identical to one from the bank, and if you click the link in the email, it takes you to a website that looks just like the bank’s as well. But beware: look carefully at the address bar of your web browser, because the site will not actually be bankofamerica.com (for example). The criminals ask for your personal information and then use it to steal from you and the bank.
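The address-bar check above is easy to get wrong by eye, because a phishing link can bury the real bank’s name in a subdomain, in the user-info part before an “@”, or in the path. The following added example (not from the original post) shows how a program should do the same check: extract the host from the link and accept it only if it is the expected domain or a subdomain of it. The sample links and the domain `bankofamerica.com` are constructed for illustration.

```python
from urllib.parse import urlsplit


def host_matches(url: str, expected_domain: str) -> bool:
    """Return True only if the link really points at expected_domain.

    The host is taken from the URL the way a browser would, so text placed
    before an '@' (user info) or in the path is ignored; only the real host
    counts, and it must be the expected domain or one of its subdomains.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased; drops user info and port
    if not host:
        return False
    host = host.rstrip(".")  # "example.com." and "example.com" are the same host
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def suspicious_links(links: list[str], expected_domain: str) -> list[str]:
    """Return the links that do NOT lead to the expected domain."""
    return [link for link in links if not host_matches(link, expected_domain)]


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a "bank" email.
    sample = [
        "https://www.bankofamerica.com/login",                 # genuine
        "HTTPS://WWW.BANKOFAMERICA.COM/",                      # genuine, odd casing
        "https://bankofamerica.com.login-verify.example/",     # bank name in a subdomain
        "https://bankofamerica.com@evil.example/",             # bank name before '@'
        "http://evil.example/bankofamerica.com/login",         # bank name in the path
        "https://notbankofamerica.com/",                       # lookalike domain
        "https://b\u0430nkofamerica.com/",                     # Cyrillic 'a' homoglyph
    ]
    for link in suspicious_links(sample, "bankofamerica.com"):
        print("suspicious:", link)
```

Pasting a link into a checker like this is the programmatic version of the advice above to type or paste addresses rather than clicking them.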

Here are a few other basic security principles:
• Never directly click a link in an email message; always copy and paste or type the address
• Do not download a file from a website or an email message unless you are 100% sure of the source
• Do not buy software from a questionable source, as it may contain a virus, worm, or spyware

The moral of the story is to trust but always verify and to change your passwords regularly. Go forth, be safe, and enjoy the world of technology.