Dr. Strangebug, or How I Learned to Stop Worrying and Accept Heartbleed

Posted 04-18-2014 11:38 AM

By Satnam Narang, Symantec Security Response expert.


No matter where you went this week, you likely heard about something called Heartbleed. If you happened to be living under a rock (some might say you were better off there), you may not have heard that a major vulnerability was discovered in OpenSSL, the widely used open-source implementation of the SSL/TLS protocols that secure communication over the Internet. The reason it received so much attention is that roughly half a million trusted websites were vulnerable when the news first came to light. Does this mean the Internet is broken, or is this a teachable moment?

If you're still wondering why it's called "Heartbleed," the name was coined by one of the researchers who discovered the bug, which sits in OpenSSL's implementation of the TLS Heartbeat extension (the flaw is tracked as CVE-2014-0160). A heartbeat request carries a small payload plus a field stating how long that payload is. Vulnerable versions of OpenSSL trusted that length field without checking it against the data actually received, so a request that claims a large payload is answered with up to about 64 KB of whatever happened to sit next to it in the server's memory. A service that bleeds (leaks) memory this way can expose sensitive information, such as usernames, passwords, session cookies and even the server's private key.
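The missing bounds check, as an added illustration that is not part of the original post and is not OpenSSL's own source: a simplified C model of the heartbeat handler, run once without the length check (the behaviour of OpenSSL 1.0.1 through 1.0.1f) and once with the one-line check that 1.0.1g added. The record layout, the sample "secret", and the simulated memory buffer are all constructed for the demo, and every read stays inside that buffer, so unlike the real bug it never touches memory outside its own arrays.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory: the decrypted heartbeat record sits at the front
 * and a constructed "secret" from another connection is planted right after
 * it, as unrelated data sits next to a record buffer in a real heap. */
#define MEM_SIZE 256
static unsigned char sim_memory[MEM_SIZE];

#define HB_REQUEST     1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE    2   /* heartbeat_response */
#define HB_HDR_LEN     3   /* 1 byte type + 2 bytes payload_length */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 padding bytes */

static const char SECRET[] = "user=alice&password=hunter2"; /* constructed sample */

typedef struct {
    const unsigned char *data;  /* start of the received record */
    size_t length;              /* bytes actually received */
} record_t;

/* Request whose payload_length field claims declared_len bytes but really
 * carries actual_len; SECRET is planted immediately after the record. */
static record_t build_record(uint16_t declared_len, size_t actual_len)
{
    unsigned char *p = sim_memory;
    memset(sim_memory, 0, sizeof sim_memory);
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(declared_len >> 8);
    *p++ = (unsigned char)(declared_len & 0xff);
    memset(p, 'A', actual_len);              /* payload bytes really sent */
    p += actual_len + HB_MIN_PADDING;        /* padding, already zeroed */
    record_t rec = { sim_memory, (size_t)(p - sim_memory) };
    memcpy(p, SECRET, sizeof SECRET - 1);    /* neighbouring memory */
    return rec;
}

/* Handler modelled on OpenSSL's tls1_process_heartbeat. check_length == 0
 * behaves like 1.0.1 through 1.0.1f and trusts payload_length; == 1 applies
 * the 1.0.1g fix and silently discards a request whose claimed length does
 * not fit the record received (RFC 6520 section 4). Returns response length. */
static size_t heartbeat(const record_t *rec, unsigned char *out,
                        size_t out_cap, int check_length)
{
    const unsigned char *p = rec->data;
    if (rec->length < HB_HDR_LEN + HB_MIN_PADDING) return 0;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s() */
    p += 2;
    if (hbtype != HB_REQUEST) return 0;
    size_t resp_len = HB_HDR_LEN + (size_t)payload + HB_MIN_PADDING;
    if (check_length && resp_len > rec->length) return 0; /* THE FIX */
    /* Demo-only guard: keep reads inside sim_memory; the real code had none. */
    if ((size_t)(p - sim_memory) + payload > MEM_SIZE || resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR_LEN, p, payload);    /* over-reads when unchecked */
    memset(out + HB_HDR_LEN + payload, 0, HB_MIN_PADDING);
    return resp_len;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Malformed request (claims 200 payload bytes, sends 4). Returns 0 if the
 * handler discarded it, 1 if it replied without the secret, 2 if it leaked. */
int malformed_request_outcome(int check_length)
{
    unsigned char out[512];
    record_t rec = build_record(200, 4);
    size_t n = heartbeat(&rec, out, sizeof out, check_length);
    if (n == 0) return 0;
    return contains(out, n, "hunter2") ? 2 : 1;
}

/* Honest 4-byte request: the fixed handler echoes exactly those 4 bytes. */
int checked_handler_answers_honest_request(void)
{
    unsigned char out[512];
    record_t rec = build_record(4, 4);
    size_t n = heartbeat(&rec, out, sizeof out, 1);
    return n == HB_HDR_LEN + 4 + HB_MIN_PADDING && out[0] == HB_RESPONSE &&
           memcmp(out + HB_HDR_LEN, "AAAA", 4) == 0 && !contains(out, n, "hunter2");
}

int main(void)
{
    printf("unchecked handler, malformed request: outcome %d (2 = leaked)\n", malformed_request_outcome(0));
    printf("fixed handler, malformed request:     outcome %d (0 = discarded)\n", malformed_request_outcome(1));
    printf("fixed handler, honest request:        %d\n", checked_handler_answers_honest_request());
    return 0;
}
```

The point of the model is how little separates the two cases: the only difference between the leaking handler and the fixed one is the single comparison of the claimed length against the record actually received. Everything after that line is the same copy-and-reply code.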


No, the Internet is not broken


Many publications said the Internet was broken and that users would be best served by staying away for a few days while various services scrambled to address the issue. Naturally, this left many users wondering whether they should panic. To be clear: this is a major issue, and one that warrants this kind of attention. The heavy lifting falls on the vendors and service operators, who have to patch their systems, but it is important for users to be aware of the issue (and not to panic!).

When my uncle had a heart attack over a decade ago, he called it a wake-up call. One could say this event is its own wake-up call, not just for the services that were vulnerable but for you, the end user. After his heart attack, my uncle reflected on his eating and exercise habits, along with other areas that affected his health. Since then, he has made a conscious decision to exercise more, and he thinks twice about what he eats every day.


Yes, you should take this seriously

Just like my uncle, I think it's time to reflect on some of our online habits. I ask you, reader: how many of you have not changed your passwords since you first signed up for a service? And how many of you reuse passwords across different websites? I imagine many of you would say yes to at least one of those questions.

Yes, proceed with caution


Before you go off and change your passwords en masse, you should know that doing so does not by itself guarantee that your password is safe. The services you use may still be vulnerable, and they need to fix the issue on their end first: until a service has upgraded OpenSSL and replaced the certificate and private key that may have leaked, a new password sent to it can be captured just as the old one could. Mashable has put together a list of sites indicating whether or not they were affected by Heartbleed.

In the coming days and weeks, affected services you use will likely inform you that they have fixed things on their end and address any concerns you might have. They may also ask you to change your password; keep an eye out for those instructions, but be careful when you act on them. Attackers are already treating this as an opportunity to send phishing emails pretending to be a service you use, in an attempt to steal your password. If you do receive an email telling you to change your password, play it safe and visit the website directly (type the address yourself or use a saved bookmark) instead of clicking a link in the email.


Looking ahead

A lesson lived is a lesson learned. Those common pieces of advice you may have read on security blogs and websites before? Now is a good time to take that advice to heart.


  • Start using a password vault to store your passwords: you will find many solutions out there, including our own Norton Identity Safe as well as LastPass, 1Password and KeePass.
  • Create stronger passwords (or passphrases): some of the password vaults mentioned above can generate strong, random passwords for you in addition to safely storing them.
  • Do not reuse your passwords across multiple websites: we have seen cases where passwords breached on one site were used to log in successfully to a site that was not breached, simply because users had reused them.
  • Enable two-factor/two-step authentication on websites that offer it: many websites and services offer two-factor (or two-step) authentication. This adds an extra layer of security to your account by requiring something you know (your password) and something you have (your phone). After you enter your password, you receive a code on your phone (by text message or from a token-generator app), and only after you enter that code can you log in. A password stolen on its own is then not enough to log in as you.

Comments
by Carol_in_FL on 04-21-2014 07:02 PM

Are you saying here that if I did use Identity Safe (a password vault) it's not necessary to now change my (probably 200 passwords) and logins for web sites that admit (and then correct for) the "Heartbleed" problem?? I can see this is going to be a BIG PROBLEM because I don't think the sites that were vulnerable (and probably hacked) are going to admit this and tell their millions of users to change their logins because it makes them look really BAD. Yahoo is a case in point. Supposedly they were vulnerable and according to some test program I ran from McAfee now they're not, BUT I HAVEN'T GOTTEN AN EMAIL TO CHANGE MY LOGIN.

Now I just went to Yahoo and typed in "heartbleed and Yahoo". Apparently they are recommending you do change your login and use a new 20 character Password -- Wow! I've got some work ahead of me. They apparently fixed the heartbleed on April 9th. And like I said -- I only use Yahoo for email -- and no "heartbleed" password reset email was sent. Here's the link for the Yahoo recommendations --

http://news.yahoo.com/yahoo-mail-heartbleed-secure-account-124041336.html;_ylt=AwrSbmYWy1VTPmIAMNhXN...

But my question still stands, if I used Identity Safe for the majority of my logins, DO I HAVE TO CHANGE ANY LOGINS FOR "HEARTBLEED"?

Posted 04-22-2014 03:19 PM
From Satnam Narang: Heartbleed is the wakeup call to take your password security safety more seriously. This is a time for reviewing current practices (are you reusing passwords? Have you changed a password since you first created an account?) Most people can't remember 200 passwords in their head, so they reuse passwords or make small variations. Using Identity Safe/LastPass etc. allows you to not only store those passwords somewhere safe but also helps you create passwords that are stronger (generated by the apps themselves).

"if I used Identity Safe for the majority of my logins, DO I HAVE TO CHANGE ANY LOGINS FOR "HEARTBLEED"?"

If you receive a notice from one of the services that was affected by Heartbleed and they tell you that they've updated their infrastructure (upgraded OpenSSL, etcetera) and advise you to change your password, you should do so. But be careful that these emails aren't carefully crafted phishing emails. If you do get a notice via email, don't click on the link in the email – go to the website directly and change your password that way. Otherwise, changing your password without knowing if the service/company affected actually made any changes on their end (upgraded OpenSSL, revoked certificates, etcetera) is futile because until those steps are taken, your information could still be at risk.

Norton Identity Safe is a tool to help you save your passwords so you don't have to remember all of them. Don't reuse passwords and make sure your passwords are strong. Use a password generator (https://identitysafe.norton.com/password-generator) to help you create passwords that are complex and difficult to crack or guess.