Like clockwork or, dare I say, the regular beat of a heart, I am again fielding calls from friends and associates on what to do in response to the latest global threat to information security. This time it is the web page encryption software bug called “Heartbleed.” My response is not groundbreaking, nor is it as resigned as the response I am generally seeing in the news: “Well, there is not a lot you can do.” My response is that people should do what they should have been doing all along: not relying on any one tool to safeguard their information and most definitely not relying solely on any company or government entity to protect it. My colleague, Ron Raether, has similarly commented publicly.
For starters, Heartbleed is a security bug, or vulnerability, in OpenSSL, the open-source encryption software used to encrypt sensitive information on websites via Transport Layer Security (TLS). The actual vulnerability is a missing "bounds check" in the handling of the TLS heartbeat extension. More to the point, the vulnerability may allow someone to access your sensitive information from an affected server. In effect, this security flaw has, in reality and to some degree, rendered useless the advice we always give about “looking for the lock,” or checking for “https” in the URL, to confirm a web page is encrypted before entering sensitive information. Well, at least until the patch released on April 7, 2014, is applied to the website. The advice is useless because of the way the flawed https encryption software behaves: it can be tricked into giving out more information than it should, or into doing so without encryption in place. Thus, information entered into these seemingly safe sites could wind up unencrypted and vulnerable to viewing or theft by the bad guys.
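To make the "missing bounds check" concrete, here is an added example (not code from the original post and not OpenSSL's own code) of a simplified heartbeat handler that includes the check the unpatched code lacked. The record layout follows RFC 6520; the function and sample names are assumptions for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload
   length, the payload, then at least 16 bytes of random padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16

/* Parse one heartbeat request and build the echoed response in 'out'.
   Returns the payload length echoed, or -1 if the record is rejected.
   Simplified stand-alone model for illustration, not OpenSSL's code. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;                          /* malformed or not a request */

    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check the unpatched handler lacked: the peer-supplied
       payload length must fit inside the bytes actually received. The
       old code trusted this field and copied 'payload' bytes regardless,
       so the reply could carry adjacent server memory. */
    if (1 + 2 + payload + HB_MIN_PAD > rec_len)
        return -1;
    if (3 + payload > out_len)              /* response buffer too small */
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);      /* echo only what was sent */
    return (int)payload;
}

/* Constructed sample records: both carry 3 payload bytes and 16 bytes of
   padding, but the second claims a 65535-byte payload. */
static const uint8_t good_rec[] = { 1, 0x00, 0x03, 'a', 'b', 'c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t bad_rec[]  = { 1, 0xff, 0xff, 'a', 'b', 'c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

int check_good(void) { uint8_t o[64]; return heartbeat_response(good_rec, sizeof good_rec, o, sizeof o); }
int check_bad(void)  { uint8_t o[64]; return heartbeat_response(bad_rec, sizeof bad_rec, o, sizeof o); }

int main(void)
{
    printf("well-formed: %d, oversized claim: %d\n", check_good(), check_bad());
    return 0;
}
```

The well-formed record is echoed (3 bytes); the record whose length field exceeds what was actually received is rejected instead of being answered with whatever follows it in memory.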
Now, I said “vulnerable,” as it is not a given that any such information you may have entered has indeed been viewed or taken. It just means the information is exposed to such attacks, if they are made. With Heartbleed, then, as is often the case, the threat to information security comes not from a hacker in a “black hat” but rather from a well-intentioned but (rather humanly) imperfect “white hat” code writer seeking to protect against black hat hackers in the first place. Interestingly, it seems as if there was no ill will behind the encryption flaw to begin with. As we have written about before, often, if not the majority of the time, the greatest security risks come from “friendly fire” (internal sources).
This raises the question: what do I need to do to be protected? Looking at the pervasive effect of this flaw – some of the most popular websites, as well as servers, routers, phones and video cameras, have all been affected – it's going to take some time before the assessments are completed. In the interim, however, while patches are being developed and pushed out, consumers must maintain (if not enhance) their net-vigilance.
It's always a good idea for users to change passwords when a vulnerability, such as Heartbleed, is lurking in the waters. However, in this particular instance, it may be worth determining whether the site has fixed the problem (or never had it in the first place) before you change your password. If you change it before the problem is fixed, you could end up re-exposed and need to change your password again. When it comes time to change your passwords, keep these tips in mind:
These are the basics of information security and do not comprise a complete list, but they are a good start. Though nothing here is ground-breaking, implementing steps like these will provide layers of protection for your sensitive information online before and after an attack. Remember, it is never IF, but WHEN you have a security issue. Heartbleed may indeed be the most widespread and far-reaching yet. However, in the end, it is just the latest.