Diary and notebook of whatever tech problems are irritating me at the moment.

20140411

The Heartbleed Bug and You

TL;DR: Most web sites have been leaking passwords due to a bug for the past two years.  Immediately change your Internet passwords for Email and financial accounts, even if you changed your passwords April 7, 2014 or in the days preceding.  Don't use the same password for all sites because if one is compromised, they all are even if some sites were not affected by the bug.  Use a password manager such as KeePass/KeePassX or Password Safe to keep track of them.  Don't click on links in emails, especially any that seem to come from your bank asking to change your password.  Go to your bank's web site directly by entering the address in your web browser manually.

Verbose Version
You may have seen reports about the Heartbleed Internet bug in the news lately.  Note that the term "bug" doesn't mean malware or a virus, just an unintentional flaw.  This particular bug is a vulnerability in the encryption system used by about two-thirds of the Internet's web sites.  Ignoring the hype, on a scale of 1 (ignore) to 10 (critical) this is an 11.  Read this through entirely before panicking.

The bug allows an attacker to potentially obtain passwords from web sites or the credentials of the web site itself (possibly for creating a fake web site that validates as authentic).  Most web server operators can detect whether they have the vulnerability but not whether someone exploited it.  While there are lists of affected sites and test services that can tell if a web site is affected, there are so many that it's best to assume most sites you have passwords on were exploited.  Microsoft's web sites were NOT affected since they have their own encryption system, nor were web sites operating with their software (not that they haven't had many other security problems).  But it's difficult for web users to determine what software a site is using now or what was used previously.  The software you are using on your computer, tablet, or phone doesn't matter since the vulnerability affects the servers you connect to.

What to do?  Immediately change your passwords.  You should change them periodically anyway, at least once a year depending on how complicated and long they are.  Log into each account and look for a password change option.  Sometimes this option is on the account's "profile" or "preferences" page.

If you change your password on a site that is still affected the benefit will be temporary since an attacker can just obtain it again.  Many of the affected web sites have been fixed in the past two days, but even those that were safe at the time the bug was found may have already been exploited if they were vulnerable at any time in the two years since the bug was introduced.

You can expect to start receiving notices from major companies about the need to change your passwords.  Don't wait for them to contact you.  Some web site operators may underestimate the risk or be reluctant to announce it due to liability concerns.

Because of the size of the problem you can also expect fake emails (phishing) prompting you to change your passwords.  These are attempts to get your current passwords.  To avoid being caught by these never click on a link in an email.  Always go to the web site directly by entering the web site address into the web browser's address bar or by searching for the company by name using Google.

I suggest prioritizing password changes as follows.  Some web sites and vendor names are listed as examples but not all of them had the Heartbleed vulnerability.

1. Email (Google/Gmail, Yahoo!).  Do these first since they can be used to reset passwords on most other web site accounts.  If your email provider has other services (Google+, Google Docs, Yahoo! Groups) then changing your email password usually changes it for everything else from them.
Google password change: https://www.google.com/settings/security
Yahoo! password change: https://edit.yahoo.com/config/change_pw

2. Financial (banks, credit unions, investments, IRAs, pensions, PayPal)
3. Government (healthcare.gov, passports, social security, taxes)
4. Password services (a.k.a. "Single Sign-On").  If you are using a service that controls access to multiple web sites (OpenID, Facebook, Google), then change that too since a breach with it can affect multiple sites.  Usually these aren't used for financial and government sites so the potential damage is less but they affect many other web sites.
5. Any site that stores your credit card or financial information (Amazon.com and accounting sites like Mint.com).
6. Vendors (insurance, medical) and utilities (power, phone, Internet) that have your Social Security number or you have set up for automatic bill payments.
7. Any site that makes payments to you (eBay, Etsy, Freelancer.com).
8. Computer remote backup services.  These usually don't have the encryption key for reading the contents of your backup data but someone with your password may be able to delete your backups.  If your encryption key was weak (short and simple), an attacker that obtains your backup data via your password may be able to break the encryption key by trying every possible key combination.
9. File hosting services (Dropbox, MediaFire, Google Drive).  An attacker can install malware within the hosted files and spread it to everyone that accesses them.
10. Social networking sites (Twitter, LinkedIn, Reddit, dating) and picture hosting sites (Imgur, Panoramio, Photobucket) are less important but worth changing if you have information on them that you want to keep private.
11. Passwords for blogs and web sites you have made should be changed to prevent them from being used to host malware.

Vendors that don't keep your credit card info (i.e., you have to enter it every time you buy something) are less of a risk but you should consider changing those of vendors you depend on the most and keep an eye on your credit card statements.

Passwords used for starting your computer or unlocking your phone are probably not affected.

Some wireless Internet sharing boxes (routers) you may have in your home or business have built-in web servers for configuring them, and many are affected by the Heartbleed vulnerability.  Fortunately the configuration web site usually can't be accessed by people on the Internet unless the device is intentionally configured to allow remote access.  Unfortunately manufacturers aren't likely to fix any that have the problem.

Some security systems and home automation systems also have web access and can be affected.  If you have a system that you can control from a web browser (on your computer or phone), then contact the manufacturer or installer to verify it and get it fixed if necessary.

You should not use the same password for multiple sites.  If one is compromised, then they all are regardless of which has the Heartbleed bug. Create unique passwords for each and use a password manager program to keep track of them.  With a password manager you create a single (preferably long and complicated) master password you can remember.  This is used to encrypt its password list.  You then use the manager to create complicated random passwords for each web site, preferably random letters and numbers at least 12 characters long.  Many web sites accept much longer passwords and typographical characters (@$%*&...) but not all do.  You don't have to remember these, just copy and paste them from the password manager as needed.

Many web browsers also have password managers built in and prompt you to store passwords when you enter them.  But these password lists are often not well encrypted, which makes it easier for an attacker (or other users of your computer) to obtain them.  In addition, if you decide to change web browsers, these password lists can be difficult to transfer.  Standalone password managers avoid this problem and can also be used for other codes and non-Internet passwords.

Two popular free password managers for desktop and laptop computers are KeePass and Password Safe.  I use KeePassX on Linux and it's installed on every system I build (in the menu: Applications > Accessories > KeePassX).  It's compatible with KeePass on Windows.  It's available in the repositories of most Linux distributions (Ubuntu, Linux Mint, etc.).

Obviously the password manager will now be the center of your Internet life so it's important to make a backup of its password file, perhaps to a Flash "thumb" drive, and keep it in a safe place.  To limit loss in case your computer is burned up in a house fire, keep the backup in a different location like in the house of a relative, your car or a safe deposit box.  And don't forget its master password!

Changing many passwords is a pain but don't ignore this critical security problem.  The damage is already done and all you can do is prevent further damage to your Internet accounts.

You can panic now.
