Blog | Faruki PLL

Stop the Bleeding: Why Heartbleed is the latest reminder about the basics of information security

Written by Scot Ganow | April 15, 2014

Like clockwork or, dare I say, the regular beat of a heart, I am again fielding calls from friends and associates on what to do in response to the latest global threat to information security.  This time it is the web page encryption software bug called “Heartbleed.”  My response is not groundbreaking, nor is it as resigned as the response I am generally seeing in the news: “Well, there is not a lot you can do.”  My response is that people should do what they should have been doing all along:  not relying on any one tool to safeguard their information, and most definitely not relying solely on any company or government entity to protect their information. My colleague, Ron Raether, has similarly commented publicly.

For starters, Heartbleed is a security bug, or vulnerability, in the open-source OpenSSL encryption software code used to encrypt sensitive information on websites via Transport Layer Security (TLS).  The actual vulnerability is a missing "bounds check" in the handling of the TLS heartbeat extension.  More to the point, the vulnerability may allow someone to access your sensitive information from an affected server.  In effect, this security flaw renders the advice we always give about “looking for the lock,” or seeking “https” in the URL bar to confirm a web page is encrypted before entering sensitive information, in reality and to some degree, useless.  Well, at least until the patch released on April 7, 2014, is applied to the website.  It's useless because of the way the flawed https encryption software works: it can be tricked into giving out more information than it should, or into doing so without encryption in place. Thus, information entered into these seemingly safe sites could wind up unencrypted and vulnerable to view or theft by the bad guys.
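As an added illustration (not code from this post or from OpenSSL itself), the C function below parses a heartbeat record of the shape the flaw concerns and includes the length check the unpatched code was missing; the record layout follows RFC 6520, and the two sample records are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload_length,
 * the payload, then at least 16 bytes of random padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Parse one heartbeat record of rec_len bytes and, if well formed, write the
 * response (echo of the payload plus padding) into out. Returns the response
 * length, or -1 when the record is rejected. Comparing the declared payload
 * length against the bytes actually received is the bounds check the unpatched
 * code lacked; without it a short record declaring a large payload is answered
 * with whatever happens to sit in memory after it. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)          /* too short to be a heartbeat */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: the declared payload must fit inside the record we received. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);         /* echo only bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_PADDING);  /* real code fills this randomly */
    return (int)resp_len;
}

/* Constructed samples: a well-formed request carrying "hello", and the same
 * 24-byte record with its length field raised to 16384. */
int demo_valid_record(void)
{
    uint8_t rec[24] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);  /* 24 */
}

int demo_oversized_length(void)
{
    uint8_t rec[24] = {HB_REQUEST, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);  /* -1 */
}
```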

Now, I said “vulnerable,” as it is not a given that any such information you may have entered has indeed been viewed or taken.  It just means the information is exposed to such attacks, if they are made.  With Heartbleed, then, as is often the case, the threat to information security comes not from a hacker in a “black hat” but rather from a well-intentioned but (rather humanly) imperfect “white hat” code writer seeking to protect against black hat hackers in the first place.  Interestingly, it seems as if there was no ill-will behind the encryption flaw to begin with.  As we have written about before, often, if not the majority of the time, the greatest security risks come from “friendly fire” (internal sources).

This begs the question:  what do I need to do to be protected?  Looking at the pervasive effect of this flaw – some of the most popular websites as well as servers, routers, phones and video cameras have all been afflicted – it's going to take some time before the assessments are completed.  In the interim, however, while patches are being developed and pushed out, consumers must maintain (if not enhance) their net-vigilance.

It's always a good idea for users to change passwords when a vulnerability, such as Heartbleed, is lurking in the waters.  However, in this particular instance, it may be worth determining if the site has fixed the problem, or never had to in the first place, before you change your password.  If you change it before the problem is fixed, you could end up re-exposed and need to change your password again.  When it comes time to change your passwords, keep these tips in mind:

  1. Use unique strong passwords. As always, any account in which sensitive information is stored should be controlled by a unique and strong password.  Strong passwords are no fewer than eight characters and contain at least one of each:  lower case letter, upper case letter, number, special character (%$^#!), and should not contain a word found in the dictionary.  And, each password should be different from your other website passwords so as not to open you to more risk in the event one password is compromised.  To do this, you can simply add a unique character for each web site (“G” for Gmail or “Y” for Yahoo!) to the beginning of your password.
  2. Change passwords regularly. These unique and strong passwords should be changed on a regular basis, or any time there is a known or suspected threat to the integrity of that password.
  3. Monitor sensitive accounts regularly. Now, more than ever, you should be checking sensitive accounts like banking accounts and credit card accounts daily for any irregular or unauthorized activity, if only because it is so easy to do via mobile devices, phone or desktop computers.  With bank accounts, pay particular attention to small charges that you do not recognize but that originate near where you live and work.  To avoid suspicion, hackers will slowly drain an account through small transactions across many accounts.
  4. Report irregularities. If you discover irregular activity, report it immediately to the website on which you see such activity.  Depending on the activity, the web site may be able to take steps to protect or restore your account information and possibly do the same for other account holders.  Additionally, the website company can engage law enforcement to hopefully cut off a larger problem.
  5. Use two-factor authentication. Many web sites, especially financial sites, are moving to two-factor or multi-factor authentication to verify the identities of those seeking to access a web site or network.  For example, one might log into a web site beginning with the entry of a traditional ID and password combination.  But, before granting access on the strength of information that may be stolen or known by others, a website may also require the entry of a code that it has sent or otherwise provided to the user through a text message, e-mail or even a token.  The user is then prompted to enter that code before gaining access to an account.  Thus, sites that require both the knowledge factor (ID and password) and the possession factor (separate code) provide greater security in view of Heartbleed, as the ID and password may be compromised, but the access code sent separately is not.

These are the basics of information security and do not comprise a complete list, but they are a good start.  Though nothing is ground-breaking here, implementing steps like these will provide layers of protection for your sensitive information online before and after an attack.  Remember, it is never IF, but WHEN you have a security issue.  Heartbleed may indeed be the most widespread vulnerability yet, with the greatest reach.  However, in the end, it is just the latest.