Protecting Yourself from Heartbleed

As the Heartbleed crisis settles, many Internet users are wondering what they should do to protect their personal information. Essentially everyone who uses the Internet has been affected, and essentially everyone has had something to say. There’s a lot of information floating around, and a lot of opportunities to get confused. To help resolve this issue, we have provided a few clear-cut tips on handling Heartbleed.

How to Handle Heartbleed

People are worried about passwords. The Heartbleed vulnerability allows attackers to steal passwords from a server’s memory. To resolve this issue, you must first determine whether the website in question is still vulnerable to Heartbleed. You can do this by typing in the website here: http://filippo.io/Heartbleed/. If the website is immune to Heartbleed, you should change your password. If the website is still vulnerable to Heartbleed, you should not change your password. Changing a password on a website that is still vulnerable will not resolve the issue. If you have an account on a website that is still vulnerable to Heartbleed, you should avoid logging on to that account until you know the vulnerability is fixed.

Enable two factor authentication (TFA). This feature makes it so that anyone logging on to one of your accounts from a remote location must supply a password AND a unique code sent to your registered mobile device. Heartbleed may have existed in the wild for two years, but the good news is that any account that had TFA enabled would have been immune – even if the password was compromised. Activating TFA from this point forward is also a proactive way to mitigate future threats.

Watch out for email scams. Cybercriminals are already taking advantage of the Heartbleed pandemonium to try to scam users who are legitimately concerned about their online security. One attempt was caught by a security researcher at SANS. In the coming days, it is likely that many more attempts will follow alongside actual statements from real service providers. To avoid becoming a victim of a phishing scam, it is therefore crucial to treat all requests for a password change with caution. If an email contains a log-in link, don’t click it. Instead, navigate to the website on your own and log-in from there.

What About Private Keys? The Heartbleed vulnerability allows attackers to steal up to 64 kb of memory from a server. This means that whatever is sitting in memory during the time of the attack can be taken by the attacker. This includes the server’s cryptographic private key, the item that allows a web service to access your encrypted data. The most alarming issue concerning Heartbleed is that it existed in the wild for over 2 years, and no one knows whether it was exploited during that time. If it was, that means that an attacker could have stolen a private key and used it to access encrypted data. Unfortunately, the only way to achieve 100% resolution of this issue is for every single service provider who depended on affected versions of OpenSSL for the last two years to get a new private key. Considering 2/3 of Internet was affected by the bug, this will take some time.

Is Heartbleed still a problem? Researchers at the University of Michigan have reported that as of 4:00 PM on April 9^th, 2014 approximately 3.7% of the Alexa Top 1 Million websites were still vulnerable to Heartbleed. All things considered, that’s a pretty impressive response time, made possible by hardworking systems administrators around the world.

The massive scale and scope of Heartbleed has demonstrated that our Internet is far from perfect. Perhaps the most alarming aspect of all of it is that the ubiquitous bug had nothing to do with malware at all. With Heartbleed, cybercriminals don’t need malware – they can simply walk right in, take what they want, and exit without leaving a trace. Heartbleed showed us that even the best locks can be broken, and that an Internet where everyone uses the same, fundamental security system is extremely prone to exploitation, even if it is easier to maintain. For those involved in IT infrastructure, Heartbleed means reassessing Internet security at its core. For the rest of us, the bug suggests that perhaps the most effective approach to Internet security is Internet minimalism: Share only what you’re okay with being shared.

Have a Great (Malware-Free) Day!