'Change every password everywhere': HeartBleed's Threat to Web Security

Apr102014

If you are running OpenSSL on your servers, please make sure to fix the HeartBleed Bug as soon as possible.

As many of you have heard by now, the web has recently been struck by an internet-wide security flaw known as the HeartBleed Bug. HeartBleed affects sites that use Secure Sockets Layer (SSL) encryption. We have put together a quick note about what it is, how to know if you’re at risk, and what to do about it if you are vulnerable.

What to do: First things first: Check to see if your sites, or the sites you use, are vulnerable. You can do this by using the following links: http://filippo.io/Heartbleed/ or https://lastpass.com/heartbleed/.

If your site is flagged as vulnerable, actions need to be taken. Contact your site host, or contact us here at bv02 to get this fixed.

Next: Change all your online passwords (yes, all of them!)

A big cause for concern is related to sites that have your sensitive information. Even if your site hasn’t been flagged as vulnerable, it’s not a bad idea to go-ahead and update all your passwords, especially if you’re someone who likes to use the same password for multiple sites.

SEE ALSO: The HeartBleed Hit List: The Passwords You Need to Change Right Now via Mashable

Now that we have that out of the way… Let’s talk about HeartBleed.

What is it, non-technically:

Is it some sort of virus? No, HeartBleed is the nickname for a pretty nasty bug in OpenSSL. I am sure that sounds familiar right? That’s because OpenSSL is an enormously popular way of keeping your information private on the internet and on web platforms. Millions of websites use OpenSSL to protect your username, password, credit card information, and other private data. Tests in the recent weeks have shown you can access this data completely anonymously with no sign you were ever there.

NOT good news…

Yes, that is more or less the technical assessment of the internet. The good news is that, so far, it doesn’t look like there have been any data breaches. The bad news is that Yahoo! is one of the most vulnerable major sites. Facebook and Google seem OK, but they haven’t committed anything to paper just yet; but the list is being compiled now and we are all watching closely.

Someone explained it like this: it is not a hole in the front door, its more like a key that you left under the mat in front of the door and no one knew it was there until we looked. Now it turns out every house on the street left their key in the exact same hiding place.

What is it, technically:

Lets start with the basics: As you use the web on your own sites, or for other secure transactions, you’ve likely seen a small lock icon next to the URL in your browser and “HTTPS” instead of “HTTP”. This means that the conversation between you and the website is encrypted and secure. The HeartBleed Bug takes advantage of a service of SSL that keeps this secure connection alive, which is called heartbeat. Simply put, heartbeat sends a message to the server reminding it to keep the connection alive. The server then responds confirming the connection and returns the original message.

Where the flaw lies in this exchange is that the length of the message sent is also provided by the sender and is not checked against the actual length of the message. For example, an attacker can send a very short 1 byte message and claim that it is 64 kilobytes. When the server responds the length of the returned message is the length specified by the user. If the length suggested is longer than the actual message (to use the example above, 64 kilobytes instead of 1 byte), the returned message will have a space that’s filled with a small chunk of data next to the 1 byte message in the server’s memory.

This data that is sent back to the attacker can be anything from a timestamp or metadata that is more or less useless, to something more serious, like session information, emails, passwords, or even the SSL encryption key itself, if the hacker is particularly lucky. HeartBleed affects servers using OpenSSL Version 1.0.1 a through f. Version g has this flaw fixed. Versions before 1.0.1 also lack this vulnerability so it’s a rather narrow band of OpenSSL versions that are unsecured.

If you’re not sure what version of OpenSSL you’re using, it’s not a bad idea to contact your provider to find out.

So, how can we stop the leak?

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributors, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances, and software they use.

What we have been doing about it:

We at bv02 are diligently going through the sites we’ve worked on and are tracking down who is vulnerable and alerting them of the dangers.

Our advice to you, the reader, is to change all of your passwords for websites that might save your personal information, like banking sites, email, Facebook, iTunes, and other important accounts, as these services could be susceptible to this flaw as well.

Here is a link to the known affected platforms you may use everyday: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

What you should be doing about it: If you have specific concerns about how the HeartBleed Bug vulnerability will affect you, please feel free to call us. Our security staff will be happy to address your concerns and advise you on how you can best protect yourself.

CALL: Extension 378
Ottawa: 613.231.2802  | Montréal: 514.667.0802 | Toronto: 647.723.5456 | Regina: 306.992.4426 |  Vancouver: 778.383.7410  or email directly at:security@bv02.com

Looking for more information on the HeartBleed Bug? We’ve complied a list of links below that might answer you questions. Or, if you prefer to talk to someone, feel free to give us a call.

Where to find more information?

This Q&A was published as a follow-up to the OpenSSL advisory, since this vulnerability became public on 7th of April 2014.

The OpenSSL project has made a statement at https://www.openssl.org/news/secadv_20140407.txt. Individual vendors of operating system distributions, affected owners of Internet services, software packages and appliance vendors may issue their own advisories.

More on This Story

Test your site: http://filippo.io/Heartbleed/
Passwords you should change: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
A video explanation of HeartBleed: http://vimeo.com/91425662
Announcement and explanation of HeartBleed: http://heartbleed.com/

The Heartbleed Hit List: The Passwords You Need to Change Right Now http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Video: http://techcrunch.com/2014/04/08/what-is-heartbleed-the-video/

Related Internet links

Skip to sharing