It has been a very hectic couple of days since I woke up Tuesday morning to the news about the so-called HeartBleed bug. I spent a good bit of time Tuesday exploring the available information and then creating a program that would do much of the work required to actually fix the problem, and then testing my program. I spent a good deal of Wednesday fixing the problem on the computers for which I have some responsibility.
I have taken a bit of a breather after all that and here is my assessment.
HeartBleed is the most serious bug ever
HeartBleed is a bug that is both dangerous and insidious. If you have a computer that is on the Internet, you must assume that your data has been stolen. Even worse, you have no way to know who has been stealing your data or for how long; this bug opens up your data in such a way that no trace of the crime is left behind.
There is even a web site dedicated to HeartBleed that provides the gory details about this bug and its effects. It is strictly factual and contains none of the hype required by the alleged news organizations that are primarily entertainment rather than information (infotainment). Unfortunately, in this case, most of the hype seems to be deserved.
What it does
The HeartBleed bug does nothing by itself. It simply provides an open door to crackers (black hat hackers), who use that door to steal personal data. HeartBleed affects the OpenSSL library, the security software used by most computer systems. The bug allows access to the memory of the affected server.
When your computer connects to a web site that uses encryption, such as your bank, the OpenSSL code is used for communicating between your computer and the bank’s computer. When there is no activity for a period of time, OpenSSL produces a heartbeat: a simple transmission of a packet of data that says “I am still here” to the server, which prevents the server from closing the connection before you are finished with your business. The server responds with a simple acknowledgement of that “ping.”
The crackers can use this by faking a heartbeat signal from your computer. The acknowledgement is sent back to the cracker’s computer and the cracker can then request data from the memory of the server. The memory leaked to the cracker can contain any or all of your personal data stored on that site.
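The missing length check behind the bug, shown as an added simulation that is not from the original post or from OpenSSL itself: a toy heartbeat handler copies as many bytes as the request's header claims, so a header that overstates its payload pulls in whatever memory sits next to the record, while the fix refuses any request whose claim does not fit in the bytes actually received. The record layout, the memory buffer and the "SECRET-COOKIE" string are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Simplified heartbeat record (assumption: modelled on the TLS heartbeat format):
 * type(1) | payload_length(2, big-endian) | payload | padding(16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define PADDING_MIN 16

/* Constructed "server memory": the received record sits at the front and a
 * secret that must never leave the server sits right after it. */
static unsigned char g_memory[64];

/* Lay out a 5-byte heartbeat whose header claims claimed_len bytes; returns
 * the number of bytes actually received (24). */
static size_t build_memory(unsigned int claimed_len) {
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (claimed_len >> 8) & 0xff;
    g_memory[2] = claimed_len & 0xff;
    memcpy(g_memory + 3, "hello", 5);                         /* real payload */
    memcpy(g_memory + 8 + PADDING_MIN, "SECRET-COOKIE", 13);  /* adjacent data */
    return 3 + 5 + PADDING_MIN;
}

/* Answer a heartbeat. check_length == 0 trusts the claimed length (the bug);
 * check_length == 1 applies the fix and discards a request whose claim does
 * not fit in the bytes received. Returns the reply length, or -1 if refused. */
static int handle_heartbeat(const unsigned char *rec, size_t rec_len, int check_length,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return -1;
    unsigned int payload_len = (rec[1] << 8) | rec[2];
    if (check_length && 1 + 2 + payload_len + PADDING_MIN > rec_len) return -1; /* the fix */
    if (3 + payload_len > out_cap) return -1;  /* keeps the toy inside g_memory */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);     /* copies whatever lies past the payload */
    return (int)(3 + payload_len);
}

/* 1 if the reply carries the adjacent secret, 0 if not, -1 if refused. */
static int reply_leaks_secret(unsigned int claimed_len, int check_length) {
    unsigned char reply[64];
    size_t received = build_memory(claimed_len);
    int n = handle_heartbeat(g_memory, received, check_length, reply, sizeof reply);
    if (n < 0) return -1;
    for (size_t i = 0; i + 13 <= (size_t)n; i++)
        if (memcmp(reply + i, "SECRET-COOKIE", 13) == 0) return 1;
    return 0;
}

int main(void) {
    printf("honest: %d  overstated, unchecked: %d  overstated, with fix: %d\n",
           reply_leaks_secret(5, 0), reply_leaks_secret(40, 0), reply_leaks_secret(40, 1));
    return 0;
}
```

Nothing in the reply tells the server or its logs that the extra bytes were ever copied, which is why the post says the leak leaves no trace.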
The affected computers are the servers that run most of the websites in the world and that contain your medical, personal and financial data including your social security numbers, banking information and everything else you don’t want the bad guys to have access to.
The worst part is that you do not have to do anything to have your data stolen except to visit a web site you already trust like your bank.
Almost every version of the OpenSSL library has been fixed. And most of the large organizations that have servers, such as banks and other financial institutions and eCommerce web sites like (hopefully) Amazon, Google and so on, have already patched their web sites.
The first thing you should do is install the latest updates to your own computer(s) regardless of which operating system you use. If your operating system is too old for new updates, such as Windows 95 or XP, or Fedora Linux 18 or earlier, upgrade your operating system and install all of the current updates. If you need to upgrade your computer in order to upgrade your operating system, then do so.
Second, change all of the passwords you use on web sites. ALL OF THEM! All of your passwords have been compromised. If you continue to use them your data will be stolen.
The real problem is in knowing whether the web sites you use and which have some of your sensitive data have been fixed. By this morning, Thursday, April 10, many have some sort of notice on their login page. In most cases the ones I see seem to say that they never had a problem. But you cannot count on that. Many are ignoring it entirely. Just do the best you can. Change all of your passwords anyway. If you learn later that the web site did not fix the vulnerability until after you had changed your password, change it again.
A few password guidelines:
- Never use the same password on multiple web sites. Thus if one site is compromised, you won’t have to change all of your passwords.
- Use long passwords that are at least 8 characters in length. This makes it much more difficult to guess or crack your password.
- Passwords should contain a combination of lower and upper case letters, numbers, and special characters. This makes it much more difficult to guess or crack your password.
- Never reuse an old password. An old password that was hacked can still be used to attack your account if you use it again.
- Do not use birth dates, Social Security Numbers, pet, friend or spouse names, or dictionary words for your passwords. This will make it much more difficult to social engineer your passwords.
- Change your passwords frequently. At least every 90 days, but once a month is even better. This will limit the time of your vulnerability if a site is compromised.
- Never write down your passwords. Ever.
Good security is hard work
Yes, good security is hard work. That is why companies hire a lot of expensive people to handle it for them. For end users, it also takes time and some creativity to come up with reasonable passwords that are safe but which can also be remembered. It will be frustrating.
Bad security is an even bigger hassle. It can cost you your identity, lots of money and a great deal of time and frustration – far more than good security will cost.