Explainer: What the Heartbleed security bug means for you
As you may have read, a security breach called Heartbleed has affected websites across the Internet. With Modo Member privacy being a top priority, we’re taking this opportunity to inform our membership that Modo’s website and booking site, Engage, are not affected. Our systems are patched to prevent this vulnerability, and we encrypt all member data.
For Modo Members who have questions as to what Heartbleed is and how it could affect other digital profiles they have, we invite you to read this explainer article taken from The Globe and Mail, published Wednesday, April 9, 2014, 10:31am EDT, by Shane Dingman.
Internet security experts are scrambling to patch an alarming encryption vulnerability that has exposed millions of passwords and personal information, including credit-card numbers, email accounts and a wide range of online commerce. Called Heartbleed by Finnish security researchers working in California, the vulnerability affects encryption technology called OpenSSL and could allow hackers to decipher encrypted data without website owners or users knowing any information theft had occurred.
How big of a deal is this?
Some reports suggest as many as two-thirds of the sites on the Internet are using OpenSSL, the encryption code that we now know is flawed and vulnerable to so-called Heartbleed attacks.
This is still developing, but here’s a partial list of vulnerable sites:
- Canada’s CRA
- Yahoo (parts of which have been updated)
- and even the FBI.
Facebook, Amazon and Google were affected, but say they have updated systems already. To date, no major Canadian bank has been identified as being at risk.
The Web developer resource GitHub has been testing sites; here’s a working list of the vulnerable, not vulnerable and no-SSL sites: Heartbleed-Masstest. The caveat for this information is that there is no central “is my Internet broken” government agency that can verify these checks; GitHub’s community of volunteers appears to be our best resource, but maybe think of it more like Wikipedia than a peer-reviewed journal.
There are also a few services, such as filippo.io/Heartbleed, that let you test a website domain yourself.
So, I’m supposed to change all my passwords?
That may sound like a good idea… but it won’t do you any good to change a password on a site that hasn’t updated its OpenSSL yet: The new password will be vulnerable too.
As Toronto-based password-managing site 1Password says: “The time to change passwords is after sites patch vulnerability *and* update certificates.”
The smartest thing to do at this point is diversify your passwords, so that if someone hacks your OKCupid account they can’t get into Google with the same password. My rule of thumb is that no site that connects to my credit card shares a password with any other site I use. We just started a series on how to live a more secure digital life, and here’s some totally crucial password advice from Technology reporter Omar El Akkad:
Most people use terrible passwords. There are a number of reasons for this. One is the sheer variety of password-enabled devices we have to deal with every day (how many people still have the default “1234” as the password on their vehicle’s Bluetooth connection?). Another is the fault of certain products and web sites that either don’t care what sort of password you choose, or force you to jump through a bunch of hoops that result in the creation of a convoluted password you end up forgetting a week later. As Randall Munroe notes, the most important determinant of password strength is entropy. Basically, the more stuff there is to guess, the better the password. So choose a long password. And if you don’t think you can remember multiple passwords and don’t want to use a password manager, at least memorize a strong password and use it exclusively for your most important digital transaction. The last thing you want is your banking login compromised because someone hacked into a gaming forum you frequent and stole your password.
Is this a virus?
No. A virus is a piece of malicious code that seeks to infect your computer systems. Heartbleed appears to be a mistake, a flaw in the encryption code that many websites use to protect passwords they ask you to use to log in, as well as other information.
How long has this been going on?
According to the researchers who found the problem – and let’s be clear, this is a gaping hole that words like “flaw, bug and vulnerability” barely describe – the bad code was introduced two years ago. To quote Codenomicon (who found and named Heartbleed): The affected code is called OpenSSL and “is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet.”
Can you geek out for a moment, how does this work?
Let me quote the Globe and Mail’s ops boss Steve Mickeler (Team Lead, Web Operations): “The flaw allows the attacker to access 64kb chunks of memory at a time and can often be used to retrieve the private keys, allowing the attacker to decrypt the SSL session and discover usernames and passwords. It can also be used to perform a man-in-the-middle attack by spoofing the site the user is going to since they now have access to the SSL keys and the client would not deem anything to be suspicious.”
As security expert Raymond Vankrimpen explains in our story about the CRA shutdown: “The Heartbleed vulnerability occurs when OpenSSL is used in combination with a communication protocol called the RFC6520 heartbeat. Such “heartbeats” help a remote user remain in touch after connecting with a website server …
“A small chunk of the server’s memory content, about 64 kilobytes of memory, can leak out with each heartbeat.
“While 64 kilobytes doesn’t represent a large amount of memory content, it is large enough to hold a password or an encryption key, allowing an unscrupulous user to return to exploit the server further.”
It’s also important to note that 64 KB is not the limit of leaked information: a potential attacker could collect many “heartbeats” of data.
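To make the mechanism above concrete, here is an added example (not code from the article, OpenSSL or Codenomicon) of a minimal RFC 6520 heartbeat record validator containing the length check that the Heartbleed fix introduced. The server is supposed to echo `payload_length` bytes back; the bug was trusting that field without comparing it to how many bytes actually arrived, so `heartbeat_overread` shows how far past the received record an unchecked echo would read. The record builder and its values are constructed for illustration.

```c
/* Added example: heartbeat record checks in the shape of the Heartbleed fix.
 * Wire format (RFC 6520): type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HEADER   3      /* type (1) + payload_length (2) */
#define HB_PADDING  16     /* minimum padding required by RFC 6520 */
#define HB_REQUEST  1      /* HeartbeatMessageType heartbeat_request */

/* Returns the payload length the server may safely echo back, or -1 if the
 * record must be discarded. record_len is the number of bytes actually
 * received, which the unpatched code never consulted. */
int heartbeat_payload_len(const unsigned char *rec, size_t record_len)
{
    if (record_len < HB_HEADER + HB_PADDING)
        return -1;                       /* too short to be a heartbeat at all */
    if (rec[0] != HB_REQUEST)
        return -1;                       /* only requests are answered here */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + claimed payload + padding must fit inside what was
     * received; otherwise the echo would copy from adjacent heap memory. */
    if (HB_HEADER + claimed + HB_PADDING > record_len)
        return -1;
    return (int)claimed;
}

/* Bytes beyond the received record that an unchecked echo would read: the
 * "chunk of memory" the article describes, up to about 64 KB per request. */
size_t heartbeat_overread(const unsigned char *rec, size_t record_len)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t need = HB_HEADER + claimed + HB_PADDING;
    return need > record_len ? need - record_len : 0;
}

/* Constructed test record: claimed_len is what the length field says,
 * payload is what is really sent. Returns the record's true length. */
size_t build_heartbeat(unsigned char *buf, uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xFF);
    memcpy(buf + HB_HEADER, payload, plen);
    memset(buf + HB_HEADER + plen, 0, HB_PADDING);
    return HB_HEADER + plen + HB_PADDING;
}
```

A well-formed record (length field matching the bytes sent) is accepted; a record whose length field claims 65535 bytes while carrying one is rejected, and the over-read it would have caused works out to 65534 bytes, the roughly 64 KB per heartbeat quoted above.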
Again, for even more information, including info on how to fix your site, check Codenomicon’s specialty site: Heartbleed.com.
One piece of good news? The password you use on The Globe and Mail’s website is not vulnerable to the Heartbleed bug (we use a different security protocol, and in places that use OpenSSL we used the older, not broken, version).
Whose fault is this?
Well, it’s hard not to blame this on the OpenSSL Software Foundation and the developers who maintain this code. According to the Wall Street Journal, there are only four staffers to maintain the open-source libraries, and only one is full time.
“There’s no question more effectively applied manpower would be a good thing,” said Steve Marquess, 59 years old, who is the president of the foundation. “Formal code audits would be a good thing.” Indeed.
But we might also blame all those sites who relied on this open standard (which, the WSJ reports, was created in the 1990s) rather than write their own encryption software.