Dr. Strangebug, or How I Learned to Stop Worrying and Accept Heartbleed
By Satnam Narang, Symantec Security Response expert.
No matter where you went this week, you likely heard about something called Heartbleed. If you happened to be living under a rock (some might say you were better off there), you may not have heard that there was a major vulnerability discovered in OpenSSL, the open source implementation of the protocols used to secure communication over the Internet. The reason it received a lot of attention is because a half a million trusted websites were vulnerable at the time this news first came to light. Does this mean the Internet is broken or is this a teachable moment?
If you’re still wondering why it’s being called “Heartbleed” that’s because it was coined by one of the researchers that discovered the bug in the Heartbeat extension of the security protocols. If an attacker targets this bug in vulnerable services, those services could bleed (leak) sensitive information, such as usernames, passwords and potentially more.
No, the Internet is not broken
Many publications said the Internet was broken and that users would be best served to stay away for a few days as various services scrambled to address this issue. Naturally, this led to many users wondering if they should panic. To be clear – this is certainly a major issue and one that warrants this kind of attention. This is particularly for the vendors or service operators, but it’s important for users to be aware of the issue (and not panic!)
When my uncle had a heart attack over a decade ago, he referred to it as a wake up call. One could say that this event is its own wake up call. Not just for the services that are vulnerable, but to you, the end user. After his heart attack, my uncle reflected on his eating and exercise habits along with other areas that affected his health. Since then, he makes a conscious decision to exercise more and thinks twice about what he eats every day.
Yes, you should take this seriously
Just like my uncle, I think it’s time to reflect on some of our online habits. I ask you, reader: How many of you have not changed your passwords since you first signed up for a service? And how many of you reuse passwords across different websites? I imagine many of you would say yes to at least one of those questions.
Yes, proceed with caution
Before you go off and change your passwords en masse, you should know that doing so doesn’t guarantee that your password is safe. That is because the services you use that may still be vulnerable and need to fix this issue on their end first. Mashable has put together a list of sites indicating whether or not they were affected by Heartbleed.
In the coming days and weeks ahead, affected services you use will likely inform you that they have fixed things on their end and address any concerns you might have. They may also ask you to change your password and you should keep an eye out for those instructions when you receive them, but be careful when you do. Attackers are beginning to see this as an opportunity to send phishing emails pretending to be a service you use in an attempt to steal your password. If you do receive an email informing you to change your password, play it safe and visit the website directly instead of clicking on a link in an email.
A lesson lived is a lesson learned. Those common pieces of advice you may have read on security blogs and websites before? Now is a good time to consider taking that advice to heart.
- Start using a password vault to store your passwords: You will find many solutions out there, including our own Norton Identity Safe as well as LastPass, 1Password and KeePass.
- Create stronger passwords (or passphrases): Some of the password vaults mentioned above can generate secure passwords for you in addition to safely storing them.
- Do not reuse your passwords across multiple websites: We have seen examples where passwords that were breached on one site were used to successfully login to a site that wasn’t breached because of password reuse.
- Enable two-factor/step authentication on websites that offer it: Various websites and services you use offer something called two-factor (or two step) authentication. This adds an extra layer of security to your account by requiring you to provide something you know (your password) and something you have (your phone). After you enter your password, you will receive a code on your phone (in a text message or a token generator), and only after you enter this code will you be able to login to the website.