Friday, April 18, 2014

Heartbleed: Are you bleeding out?

So you have heard about the Heartbleed bug that is affecting the Internet, but what is it really and what does it mean to you? Should you really be concerned?

Some reports say that it is the worst bug discovered on the Internet so far and others seem to brush it off as just another tech mumbo jumbo.  But I'm betting that you'd like someone to explain it so you know what the heck this thing is and if you really should be concerned, right? Well, as your Nerd friend, let me say that you need to be a little concerned about all this and here is why.

What this whole thing is about is allowing someone, who is not you, to snoop, or "read", your secure Internet communications.  Let's see if I can explain; let's say you log into to do a bit of shopping. You find the items you want to buy and add them to your card. You then go to your shopping cart to check out. Now you notice the little green pad Lock up in the address bar (if you're using Chrome, otherwise it might be elsewhere depending on your browser). This means that you have a secure connection with the Amazon server, i.e. Only you and the Amazon server can read the communication between the two of you. This is because there is an SSL, or Secure Socket Layer, connection between your browser and the server. Think of it as a pipe, an encrypted pipe, between your browser and the server. Anyone trying to intercept and read messages sent along this secure pipe only can see garbley gook because everything inside it is encrypted.

Now, this connection is kept alive with what is known as a heartbeat message. The purpose of the heartbeat message is to tell each side that the other is still there and not to close the connection. This Heartbleed bug allows someone outside the pipe to intercept this heartbeat message and with a slight modification, request the original heartbeat message but also request additional bytes of data from server memory for that connection. This means that anything in memory for that connection could be exposed. That could be the encryption keys or even username & passwords. If the encryption keys are exposed, this is then bad because the attacker could use that information to read all communications in that secure pipe.  

Ok... So what, Right?  You might ask, "How does this effect me? And am I really at risk?"
Well the short answer is: Yes you are at risk. Why? Because over half of the internet, and maybe as much a three quarters (or 75%), might have been at risk of having their secure communications read.  Most small services like eRetailers or online service providers use OpenSSL to secure their sites. But even the big companies like Google, Yahoo, Facebook, and Twitter use OpenSSL and had to take steps to secure against this bug.  The real kicker about this bug is that it was introduced to the internet back in January of 2011, if the reports can be believed.  This means that for about 2 years, anyone that might have known about this bug could have been intercpting all of your secure online communications.  We do know that the NSA was exploiting this bug to spy on all of us.  But what we don't know is who else might have been exploiting it also.

So, what can you do about it? Well, the only real answer is to change your passwords on all affected sites and services.  Now, how do you know if a site was affected or not? Well, the best way is to check their website to see if they mention applying a patch for Heartbleed or reissuing the security certificates for their site. But really the easiest way is to use a tool like the one provided by to check each of the sites you use to see if you need to change your password or not (Click here to find out).

But doing this might seem like a monumental task, especially if you have a lot of sites.  Well, this is yet another reason for using a password manager, or password safe as sometimes termed, to store and manage your passwords.     

This article by  from CNET, entitled: "Beyond Heartbleed: Why you need a password manager", really provides great insight into how to go about cleaning up your accounts after a major internet event like this.  Even if you have been reluctant to try a password manager in the past, the shear effort of remembering all the passwords to each site you need to change can be daunting.  These tools help make that task a little easier.

So, what lessons should we take away from this event?  Well the first is to make sure that you change the passwords for all of you accounts once your service providers have patched their systems.  Then going forward, make sure you change your passwords on a regular basis.  For some of you, that might be every 90 days, as some security professionals suggest.  But for the rest of us, let's try to do better and try to change those passwords at least once a year!