For Your Immediate Attention: Heartbleed - what you should do to stay safe from this major online security flaw

Must Read:

1) Log out and log back in to any site where you stay logged in

2) Change your Internet passwords as each site informs you that they've fixed this security problem

- Update your HealthUnlocked password NOW - they've patched their servers

3) For at least the next week, keep an eye on any of your sensitive online accounts (banking, webmail) for suspicious activity. (Thanks for that tip, Chris)

4) Further to (2) above, in a few weeks time change your passwords AT LEAST on all sites where you've previously provided sensitive information if you haven't had a reminder to do this. I'd mark this on your calendar to do in early May.

Longer Read:

Heartbleed is a catastrophic bug in the security software used by about two thirds of the world's Internet servers that generate the web pages you look at every day - including HealthUnlocked. Popular sites such as Yahoo, Imgur, and OKCupid have all been hit by Heartbleed and there will be many, many more.

HealthUnlocked sent out an urgent email to community administrators at 2:21AM my time, asking us to warn our communities about Heartbleed, so I really appreciate Chris (Cllcanada) letting everyone know about this security risk while I was asleep. HealthUnlocked immediately released the server security patch around 2PM UTC/GMT on Wednesday 9th April and if you were logged into this site then, you would have noticed that you had to log back in. (This forced re-login was an added security measure by HealthUnlocked to force you to drop the old security connection at risk of being targeted by Heartbleed and reconnect to the patched server.)

Because the flaw is on the server side of the secure connection for websites using https:// rather than the usual http://, you should

(a) log out then log back in on all websites before doing any security sensitive activities (particularly for financial transaction sites such as banking and internet purchasing) until the relevant servers are patched by the companies concerned.

(b) Change your password on all sites where the site's security is important to you when you are prompted to do so. If you haven't had a prompt by early May, update your password anyway on these sites.

(c) If you use the same password on more than one site, change your passwords so they are all different.

Why (c)? Many websites ask you to use your email address as your username. If you use a common password on multiple sites, all a hacker needs to do is run an automated program to check passwords found via vulnerabilities like Heartbleed with your email address/username on commonly used websites and report when the program gains access to your account!

The software library concerned, OpenSSL, was patched 2 days ago, but now all the programs using this library will need to apply the patch and companies worldwide will then need to install those patched programs on their servers. Full marks to HealthUnlocked for already doing this to maintain the security of information you share with other members in our community.

While the above sounds alarming, the current risk is seen as minimal. However, scripts have already been released on the internet, demonstrating how to attack this vulnerability, so now it is a race between the good and bad, so please take the recommended precautions.

Here's the notification I received from HealthUnlocked:

"A major online security flaw called Heartbleed was recently discovered by a researcher at Google and a Finnish security firm called Codenomicon. Though you may have already heard about it from one of the major news organisations like the NYTimes that have been covering this since last night, we wanted to get in touch with you as well.

This issue is a flaw in OpenSSL, which is the encryption technology that two thirds of the websites, including HealthUnlocked, use. We immediately released a patch to fix this issue and for added measure this morning we logged out every member of HealthUnlocked to make everyone login again.

Though the risk is very minimal, there is a chance that some of your personal information, like your password, in one of your online accounts may have been affected. As a consequence, we strongly recommend that you do the following:

1. log out of websites where you selected 'keep me logged in' & login again

2. update all your passwords

Additionally, though they may have heard about it in the news as well, we recommend that you write a post in your community to inform your members. Feel free to refer to our blog post update in your post if that can help explain what happened to your members as well as the tips about creating a strong password."

Three tips to create a strong password

blog.healthunlocked.com/pos...

More on Heartbleed

Health Unlocked

blog.healthunlocked.com/pos...

The Australian - excellent article

theaustralian.com.au/techno...

Note that Facebook, Google (YouTube, Gmail, etc) and Yahoo (yahoo services, Flickr, Tumblr) are already patched, so you should update your passwords for these sites if you use them.

New York Times article

bits.blogs.nytimes.com/2014...

Yahoo Tech - from Chris's post. A bit more about the technical side of things for those interested.

yahoo.com/tech/heres-what-y...

Note well: You will NOT be protected from Heartbleed even if you have applied all security updates to your operating system and the programs you use on your computer/tablet/smartphone, etc and are using an updated virus protection application. The security vulnerability is on the server end of the connection - not your end.

Neil

The photo accompanying this post shows a sign on a Linear Park in the suburb of Paradise, under which some wag has carefully added 'Lost'. I thought it was somewhat appropriate.

16 Replies

  • It is NOT just .com sites which are affected...

    Here is a major Canadian government website... The Canada Revenue Agency... our version of the IRS... the tax guys...

    cra-arc.gc.ca/menu-eng.html

    Great Photog Neil... hopefully fixes are applied with some haste and

    we will be 'Paradise Regained' :-) or perhaps a 'Fool's Paradise'?

  • Further to Chris's comment about which websites may be affected; any website NOT using a Microsoft web server (and that's about 66% of the world's servers), can be assumed to be vulnerable until patched.

    You won't be able to tell from a website address whether a site is safe or not, so just log-out, log-in and change your passwords to be sure (and take the opportunity to make your passwords unique).

    Yes, I know that this is going to be a real pain... but when a country like Canada shuts down their tax department's on line services, can YOU afford to be complacent?

    Neil

  • pain isn't the problem - lack of memory is! You have to log in 1st presumably to be able to change p/w. Stupid though I know this sounds I don't now remember if I had to re-login with Health Unlocked yesterday/today - because I would not have paid that much attention - just done it - my email server makes me do that occasionally anyway. For me now this is just more stress to an already stressful situation!

  • Or Apple servers ;-) That is not to say that OS X and iOS 7 have been without security problems... many fixed; Apple servers apparently don't use this version of OpenSSL.

  • For the UK view and this includes many useful web page links

    bbc.co.uk/news/technology-2...

    Dick

  • Thank you for this Dick.

    Wonder how we find out which servers our banks use, as I always use online banking.

    Bubnjay

  • I do as well - suggest you just open their website without logging on and see what info is on their front page. Or phone them? My bank has always used 'RAPPORT' for their security but I can't get my head round all this info about Heartbleed at the moment anyway.

  • I'm sorry, I really just cannot cope with that with memory problems from BI ... I have enough stress already - I use a company called LASTPASS which is supposed to be secure and remembers all my passwords - will I still be safe with LastPass? Please do not give me bad news today - not a good time for me.

  • Many of us have memories that aren't as sharp as we'd like. Chemo, fatigue, illness - they all take a toll on your memory. LASTPASS may take the hassle out of remembering multiple passwords, but you'll still need to update sites as they advise you to do so and let LASTPASS remember your new passwords.

    Password managers like LASTPASS (and there are many good ones), are a fantastic aid to even people with good memories. Trouble is, you have all your eggs in one basket... Anyway, I'm pleased to hear that LASTPASS is OK; thanks Rob for checking and letting us know.

    Neil

  • Thanks Neil and everyone else for helpful comments.

  • Based on date of article update from BBC on Dick's earlier link

    bbc.co.uk/news/technology-2...

    This has a list of common sites and their position on if you need to logout/login. Of course, it is not comprehensive, but it hits some that are interesting to many people.

    LASTPASS: I do not use such sites and had not heard of this, however I had a look and it seems that their view is they are covered, based on this article on their blog: blog.lastpass.com/2014/04/l...

    Some advice: this is my advice, not formal, just my personal view, don't use public wifi to access sensitive websites, unless urgent. If you think about it you don't really need to check your bank accounts every time you stop for a coffee or beer/wine. I'm not saying any of us do, but look around and watch in these places, free internet is damaging the art of conversation!

    Rob

  • Latest on Heartbleed:

    It is now thought that changing your password before the server is patched won't help you (which makes sense). You need to wait until you get notification that a server has been patched and then change your password. (It doesn't help that companies are generally not saying anything about whether their online services are at risk.)

    Within the IT industry, companies (banks in particular) are getting a great deal of flak for not communicating with their online customers to advise them whether they are safe or what they should do to minimise their risk of having sensitive information stolen - which makes it very hard for us to do what we can to stay safe. So it seems the best we can do is check informative sites like the BBC technology news site that lists what we should do on commonly used internet sites.

    bbc.co.uk/news/technology-2...

    I'd also recommend logging out of any site where you've logged in and previously ticked the 'keep me logged in' option. The next time you log into that site, don't tick the 'keep me logged in' option until you are sure the site is safe and THEN change your password.

    Be on the lookout for Spam using Heartbleed to try and infect your computer

    Sadly, lots of spam messages about Heartbleed are now being used as a mechanism to distribute other malicious code and scams, so be wary of any emails purportedly from your bank, etc. Genuine messages should not have attachments. If links are included in any Heartbleed related emails, check that they are genuine by hovering your mouse pointer over them and reading the true link at the bottom of your screen. (I'd either type in the correct link or use my previously bookmarked link to connect to be really safe.)

    Android Tablets and Smart Phones

    It's currently believed that Android versions 4.1.0 and 4.1.1 are vulnerable to Heartbleed, although some reports indicate that only 4.1.1 is vulnerable. This could be over a third of Android devices. Hence it would be prudent NOT to use your Android device for secure transactions until you are sure it is safe to do so.

    Background - why the name and how the Heartbleed flaw can be used to capture secure information

    This security flaw can be used to capture the contents of up to 64k of randomly selected memory on any server using a pre-patch version of OpenSSL by using a programming flaw in what is termed a heartbeat extension in the SSL code. (Hence the name Heartbleed - the heartbeat extension can be targeted by malware to bleed server memory contents.) (The BBC Technical News articles referenced by Dick and Rob cover this at a high level and are worth reading for those interested.) The attacker doesn't know what will be in that server memory; they could get credit card information, social security numbers, names, addresses, security certificates... but mostly they would expect to get just random 'junk'. Unfortunately, because social security and credit card numbers have a well defined format, it is easy to automate searching through stolen memory chunks for this 'gold' in amongst the 'junk'. If the attacker managed to score a copy of the security certificate which is used by the server to prove to your browser that it can be trusted, that is a very serious security breach. Companies that have been late patching are at increased risk of having their server memory scanned in automated attacks.

    Neil

  • Here are two sites that list the heartbleed vulnerability of top internet sites and most importantly, tell you the sites where you should change your password. The CNET site, which will be updated, includes the status on the top 100 internet sites.

    CNET

    cnet.com/how-to/which-sites...

    Mashable

    mashable.com/2014/04/09/hea...

    The LastPass password manager/wallet's security check alert feature also warns you about sites where you need to take action to protect yourself against Heartbleed - even in the free version!

    zdnet.com/worried-about-hea...

    I don't use LastPass (I'm reluctant to trust all my passwords to a copy kept on a server protected by one password), but the LastPass company bought out another company that developed the excellent X-Marks browser add-on which I do use to synchronise my bookmarks across Firefox (on multiple platforms) and Windows Internet Explorer. Again, it is free for basic use, with the paid product working across phones and tablets.

    A comic version of how Heartbleed works, courtesy of XKCD:

    xkcd.com/1354/

    XKCD's take on how vulnerable we are to Heartbleed:

    xkcd.com/1353/

    Neil

  • On Tuesday 22nd April, Apple released security updates for Mac, iOS, and AirPort:

    zdnet.com/apple-security-up...

    Note that the AirPort Base Station uses OpenSSL and hence has been patched for the Heartbleed vulnerability. Apple also patched their own SSL bug. :)

    How is everyone going updating their passwords? I'm making slow progress as I visit sites I haven't been to in a while...

  • For those interested in how the Heartbleed bug happened, here's a good summary:

    theconversation.com/how-the...

    The flaw was caused by a very common programming oversight in not performing Bounds Checking. Sadly, this flaw has highlighted the inadequacy of one of the key arguments for the superiority of Open Source over Proprietary Source code - that the "Many Eyes" that look at Open Source code will spot such errors...

    Neil
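Neil's background note above (the heartbeat extension bleeding up to 64k of server memory) and the reply about missing bounds checking describe the same defect. Here, as an added example and not OpenSSL's own code, is a simplified C heartbeat handler that includes the check the patched versions gained; the record layout follows RFC 6520, and `build_heartbeat` and `heartbeat_result` are constructed helpers for illustration only.

```c
#include <stdint.h>
#include <string.h>
/* Simplified TLS heartbeat record (RFC 6520): type (1) | payload_length
 * (2, big-endian) | payload | padding (>= 16). Added example, not OpenSSL's
 * code: the declared length must fit in the bytes that actually arrived. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* Write a heartbeat response into resp; return its length, or -1 for a
 * malformed request (the vulnerable code had no rejecting path). */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check that was missing: trust the wire length, not the field.
     * Without it the memcpy below reads past the record into server memory. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;
    size_t out_len = 1 + 2 + payload_len + HB_PADDING;
    if (out_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);        /* only bytes received */
    memset(resp + 3 + payload_len, 0, HB_PADDING); /* random in real TLS */
    return (int)out_len;
}

/* Constructed request: declares `claimed` payload bytes, carries `actual`. */
size_t build_heartbeat(uint8_t *buf, size_t cap, uint16_t claimed, size_t actual)
{
    size_t len = 1 + 2 + actual + HB_PADDING;
    if (len > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)claimed;
    memset(buf + 3, 'A', actual);
    memset(buf + 3 + actual, 0, HB_PADDING);
    return len;
}

/* Feed one constructed request to the handler and return its verdict. */
int heartbeat_result(uint16_t claimed, size_t actual)
{
    uint8_t req[128], resp[128];
    size_t n = build_heartbeat(req, sizeof req, claimed, actual);
    return n ? handle_heartbeat(req, n, resp, sizeof resp) : -1;
}
```

A request whose length field matches what arrived is echoed; one that claims more bytes than were sent (the Heartbleed shape) is rejected instead of being answered with whatever lay beyond the record.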

  • An update on protecting yourself from Heartbleed: Seems some sites (even financial ones) are slow in patching their sites against the Heartbleed vulnerability. As it isn't much use updating your password until the site has been patched, here's a useful website that can report whether a site you use is still vulnerable:

    site24x7.com/check-heartble...

    Just enter the site name (e.g. 'https://healthunlocked.com' for this site) in the Website Name box and the autogenerated number in the Access keyword box, then click on 'Test Now'.

    It is important to use the correct prefix (https:// or http://) when testing a site. Even if you initially use http:// to connect to a site, if it resolves to https:// when you've logged in, you should use the https:// address.

    Sadly it seems you'll need to keep checking if a vulnerable site you use has been patched as very few seem to be emailing their members advising them to do this...

    Here's another list showing the status of some popular sites:

    thesecurityblogger.com/?p=4078

    On related news, eBay is now advising members to change their password after admitting to the loss of encrypted passwords from their site two months ago...
