Heartbleed continues its rampage across the internet. There are too many stories to tell and too little time. Read on only if you have the stomach for it.
- Networking companies Cisco and Juniper have revealed that several dozen models of their hardware devices are affected by the OpenSSL security flaw known as Heartbleed. To see if any of your networking products made this list, Cisco’s advisory can be found here, and Juniper’s here.
- Two sources close to the NSA allege that the spy agency has exploited Heartbleed since it first appeared over 2 years ago.
- Android smartphones and tablets running version 4.1.1 of the Google operating system are vulnerable to the bug. According to Google, this may affect less than 10% of all Android devices, but given that there are nearly 900 million Android OS devices, that still means millions.
- The vulnerability was used to steal 900 taxpayer IDs from the Canada Revenue Agency.
What this means for you:
The security implications of the Heartbleed vulnerability are staggering and difficult to grasp in full. Now, more than ever, you must keep a close eye on your digital assets and accounts. Confirm with your financial institutions whether or not they were impacted by the bug (most major commercial banking institutions did NOT use OpenSSL), and if they were, wait until they confirm that they have fixed it before changing your password. Do NOT use any software or websites confirmed to be affected by Heartbleed until they patch the bug, even to change your password. If you do this while the vulnerability still exists, there is a good possibility that hackers can actually see you changing your password and record the new one. Right now, because of the spotlight on this hole, hackers are racing to exploit the panic and confusion, and you are more likely than ever to be hacked. Wait until your websites confirm they have patched the security hole before using them to change your password.
Keep in mind that many, many organizations are still working through the impact this bug has on their technology, and many are just as confused as you might be. There will continue to be a lot of uncertainty and possibly panicky responses from company representatives who are ill-informed about their company’s official stance on Heartbleed. The vulnerability affects a technology that is sophisticated and not easily explained, and not even the most eloquent technology professionals can convey the problem and its solutions in easy-to-understand terms. During these uncertain times, constant vigilance is the only weapon many of us have at the moment, so keep your eyes open and your IT consultant on speed-dial!
Researchers from Google and security firm Codenomicon released details yesterday on a staggering security hole in one of the fundamental security technologies used by hundreds of thousands of websites around the world. Dubbed the “Heartbleed Bug”, this vulnerability is found within a code library called OpenSSL – a tool almost universally used in Linux-based web servers – and it may have existed for as long as two years before being discovered this past weekend. In a nutshell, this weakness could theoretically allow a hacker to download critical bits of information that are literally the cryptographic “keys to the kingdom” of a server affected by this bug. And unfortunately, there is no way to detect an exploit of this vulnerability, nor to determine what, if anything, was stolen in an alleged attack.
What this means for you:
You would encounter OpenSSL through the familiar “HTTPS” protocol websites use to transact business online, and sadly, both small and large companies are affected by this bug. (Full disclosure: C2’s own website had this bug up until late last night, when the server was patched.) And by large, I mean websites like Yahoo Mail. Essentially, the weakness could allow hackers to scrape a small segment of active server memory and read its contents, which could contain just about anything at the time, up to and including passwords or the actual cryptographic keys that can be used to decrypt encrypted data sent by the server itself. Alas, because there is no way to tell when, or even if, a Heartbleed exploit is occurring, there is no way to tell whether anyone, or everyone, has been compromised in some form by this hole.
Fortunately, the media seems to be grasping the severity of this problem and has broadcast this story across every website. Unfortunately, this may prove to be a double-edged sword as both server administrators and hackers scramble to get to the unprotected server memory first. For any online service you use that utilizes HTTPS or other forms of encryption, you will want to watch for announcements and news from that service: either acknowledging and fixing the bug, or assuring their customers that they are not affected by this weakness. Either way, it is always a good idea never to reuse a password, and to keep a close eye on your bank accounts and credit history for unusual activity. If you suspect a website may be unaware of this bug, and potentially at risk, send them an email asking about the Heartbleed Bug to make sure they are on top of this very serious issue.