For Your Immediate Attention: Heartbleed - wha... - CLL Support

CLL Support

23,324 members40,026 posts

For Your Immediate Attention: Heartbleed - what you should do to stay safe from this major online security flaw

AussieNeil profile image
AussieNeilPartnerAdministrator
16 Replies

Must Read:

1) Log out and log back in to any site where you stay logged in

2) Change your Internet passwords as each site informs you that they've fixed this security problem

- Update your HealthUnlocked password NOW - they've patched their servers

3) For at least the next week, keep an eye on any of your sensitive online accounts (banking, webmail) for suspicious activity. (Thanks for that tip, Chris)

4) Further to (2) above, in a few weeks time change your passwords AT LEAST on all sites where you've previously provided sensitive information if you haven't had a reminder to do this. I'd mark this on your calendar to do in early May.

Longer Read:

Heartbleed is a catastrophic bug in the security software used by about two thirds of world's Internet servers that generate the web pages you look at every day - including HealthUnlocked. Popular sites such as Yahoo, Imgur, and OKCupid have all been hit by Heartbleed and there will be many many more.

HealthUnlocked set out an urgent email to community administrators at 2:21AM my time, asking us to warn our communities about Heartbleed, so I really appreciate Chris (Cllcanada) letting everyone know about this security risk while I was asleep. HealthUnlocked immediately released the server security patch around 2PM UCT/GMT on Wednesday 9th April and if you were logged into this site then, you would have noticed that you had to log back in. (This forced re-log in was an added security measure by HealthUnlocked to force you to drop the old security connection at risk of being targeted by Heartbleed and reconnect to the patched server.)

Because the flaw is on the server side of the secure connection for websites using rather than the usual , you should

(a) log out then log back in on all websites before doing any security sensitive activities (particularly for financial transaction sites such as banking and internet purchasing) until the relevant servers are patched by the companies concerned.

(b) Change your password on all sites where the site's security is important to you when you are prompted to do so. If you haven't had a prompt by early May, update your password anyway on these sites.

(c) If you use the same password on more than one site, change your passwords so they are all different.

Why (c)? Many websites ask you to use your email address as your username. If you use a common password on multiple sites, all a hacker needs to do is run an automated program to check passwords found via vulnerabilities like Heartbleed with your email address/username on commonly used websites and report when the program gains access to your account!

The software library concerned - openSSL, was patched 2 days ago, but now all the programs using this library will need to apply the patch and companies world wide will then need to install those patched programs on their servers. Full marks to HealthUnlocked for already doing this to maintain the security of information you share with other members in our community.

While the above sounds alarming, the current risk is seen as minimal. However, scripts have already been released on the internet, demonstrating how to attack this vulnerability, so now it is a race between the good and bad, so please take the recommended precautions.

Here's the notification I received from HealthUnlocked:

"A major online security flaw called Heartbleed was recently discovered by a researcher at Google and a Finnish security firm called Codenomicon. Though you may have already heard about it from one of the major news organisations like the NYTimes that have been covering this since last night, we wanted to get in touch with you as well.

This issue is a flaw in OpenSSL, which is the encryption technology that two thirds of the websites, including HealthUnlocked, use. We immediately released a patch to fix this issue and for added measure this morning we logged out every member of HealthUnlocked to make everyone login again.

Though the risk is very minimal, there is a chance that some of your personal information, like your password, in one of your online accounts may have been affected. As a consequence, we strongly recommend that you do the following:

1. log out of websites where you selected 'keep me logged in' & login again

2. update all your passwords

Additionally, though they may have heard about it in the news as well, we recommend that you write a post in your community to inform your members. Feel free to refer to our blog post update in your post if that can help explain what happened to your members as well as the tips about creating a strong password."

Three tips to create a strong password

blog.healthunlocked.com/pos...

More on Heartbleed

Health Unlocked

blog.healthunlocked.com/pos...

The Australian - excellent article

theaustralian.com.au/techno...

Note that Facebook, Google (YouTube, Gmail, etc) and Yahoo (yahoo services, Flickr, Tumblr) are already patched, so you should update your passwords for these sites if you use them.

New York Times article

bits.blogs.nytimes.com/2014...

Yahoo Tech - from Chris's post. A bit more about the techical side of things for those interested.

yahoo.com/tech/heres-what-y...

Note well: You will NOT be protected from Heartbleed even if you have applied all security updates to your operating system and the programs you use on your computer/tablet/smartphone, etc and are using an updated virus protection application. The security vulnerability is on the server end of the connection - not your end.

Neil

The photo accompanying this post shows a sign on a Linear Park in the suburb of Paradise, under which some wag has carefully added 'Lost'. I thought it was somwhat appropriate.

Written by
AussieNeil profile image
AussieNeil
Partner
To view profiles and participate in discussions please or .
Read more about...
16 Replies
Cllcanada profile image
CllcanadaTop Poster CURE Hero

It is NOT just .com sites which are effected...

Here is a major Canadian government website... The Canada Revenue Agency... our version of the IRS... the tax guys...

cra-arc.gc.ca/menu-eng.html

Great Photog Neil... hopefully fixes are applied with some haste and

we will be 'Paradise Regained' :-) or perhaps a 'Fool's Paradise'?

AussieNeil profile image
AussieNeilPartnerAdministrator

Further to Chris's comment about which websites may be affected; any website NOT using a Microsoft web server (and that's about 66% of the world's servers), can be assumed to be vulnerable until patched.

You won't be able to tell from a website address whether a site is safe or not, so just log-out, log-in and change your passwords to be sure (and take the opportunity to make your passwords unique).

Yes, I know that this is going to be a real pain... but when a country like Canada shuts down their tax department's on line services, can YOU afford to be complacent?

Neil

SAMBS profile image
SAMBS in reply toAussieNeil

pain isn't the problem - lack of memory is! You have to log in 1st presumably to be able to change p/w. Stupid though I know this sounds I don't now remember if I had to re-login with Health Unlocked yesterday/today - because I would not have paid that much attention - just done it - my email server makes me do that occasionally anyway. For me now this is just more stress to an already stressful situation!

Cllcanada profile image
CllcanadaTop Poster CURE Hero

Or Apple servers ;-) That is not to say that OSX and iOS7 have not been without security problems...many fixed, Apple serves apparently don't use this version of openSSL.

Kwenda profile image
Kwenda

For the UK view and this includes many useful web page links

bbc.co.uk/news/technology-2...

Dick

Thank you for this Dick.

Wonder how we find out which servers our banks use, as I always use on line banking.

Bubnjay

SAMBS profile image
SAMBS in reply to

I do as well - suggest you just open their website without logging on and see what info is on their front page. Or phone them? My bank has always used 'RAPPORT' for their security but I can't get my head round all this info about heartbled at the moment anyway.

SAMBS profile image
SAMBS

I'm sorry I really just cannot cope with that with memory problems from BI ... I have enough stress already - I use a company called LASTPASS which is supposed to be secure and remembers all my passwords - will I still be safe with lastpass. please do not give me bad news today - not a good time for me.

AussieNeil profile image
AussieNeilPartnerAdministrator in reply toSAMBS

Many of us have memories that aren't as sharp as we'd like. Chemo, fatigue, illness - they all take a toll on your memory. LASTPASS may take the hassle out of remembering multiple passwords, but you'll still need to update sites as they advise you to do so and let LASTPASS remember your new passwords.

Password managers like LASTPASS (and there are many good ones), are a fantastic aid to even people with good memories. Trouble is, you have all your eggs in one basket... Anyway, I'm pleased to hear that LASTPASS is OK; thanks Rob for checking and letting us know.

Neil

SAMBS profile image
SAMBS in reply toAussieNeil

Thanks Neil and everyone else for helpful comments.

Oleboyredw-uk profile image
Oleboyredw-uk

Based on date of article update from BBC on Dick's earlier link

bbc.co.uk/news/technology-2...

This has a list of common sites and their position on if you need to logout/login. Of course, it is not comprehensive, but it hits some that are interesting to many people.

LASTPASS: i do not use such sites and had not heard of this, however I had a look and it seems that their view is they are covered, based on this article on their blog: blog.lastpass.com/2014/04/l...

Some advice: this is my advice, not formal, just my personal view, don't use public wifi to access sensitive websites, unless urgent. If you think about it you don't really need to check your bank accounts every time you stop for a coffee or beer/wine. I'm not saying any of us do, but look around and watch in these places, free internet is damaging the art of conversation!

Rob

AussieNeil profile image
AussieNeilPartnerAdministrator

Latest on Heartbleed:

It is now thought that changing your password before the server is patched won't help you (which makes sense). You need to wait until you get notification that a server has been patched and then change your password. (It doesn't help that companies are generally not saying anything about whether their on line services are at risk.)

Within the IT industry, companies (banks in particular) are getting a great deal of flack for not communicating with their on line customers to advise them whether they are safe or what they should do to minimise their risk of having sensitive information stolen - which makes it very hard for us to do what we can to stay safe. So it seems the best we can do is check informative sites like the BBC technology news site that lists what we should do on commonly used internet sites.

bbc.co.uk/news/technology-2...

I'd also recommend logging out of any site where you've logged in and previously ticked the 'keep me logged in' option. The next time you log into that site, don't tick the 'keep me logged in' option until you are sure the site is safe and THEN change your password.

Be on the lookout for Spam using Heartbleed to try and infect your computer

Sadly, lots of spam messages about Heartbleed are now being used as a mechanism to distribute other malicious code and scams, so be wary of any emails purportedly from your bank, etc. Genuine messages should not have attachments. If links are included in any Heartbleed related emails, check that they are genuine by hovering your mouse pointer over them and reading the true link at the bottom of your screen. (I'd either type in the correct link or use my previously bookmarked link to connect to be really safe.)

Android Tablets and Smart Phones

It's currently believed that Android versions 4.1.0 and 4.1.1 are vulnerable to Heartbleed, although some reports indicate that only 4.1.1 is vulnerable. This could be over a third of Android devices. Hence it would be prudent NOT to use your Android device for secure transactions until you are sure it is safe to do so.

Background - why the name and how the Heartbleed flaw can be used to capture secure information

This security flaw can be used to capture the contents of up to 64k of randomly selected memory on any server using a pre-patched version of openSSL by using a programming flaw in what is termed a heatbeat extension in the SLL code. (Hence the name Heartbleed - the heartbeat extension can be targeted by malware to bleed server memory contents.) (The BBC Technical News articles referenced by Dick and Rob cover this at a high level and are worth reading for those interested.) The attacker doesn't know what will be in that server memory; they could get credit card information, social security numbers, names, addresses, security certificates... but mostly they would expect to get just random 'junk'. Unfortunately, because social security and credit card numbers have a well defined format, it is easy to automate searching through stolen memory chunks for this 'gold' in amongst the 'junk'. If the attacker managed to score a copy of the security certificate which is used by the server to prove to your browser that it can be trusted, that is a very serious security breach. Companies that have been late patching, are at increased risk of having their server memory scanned in automated attacks.

Neil

AussieNeil profile image
AussieNeilPartnerAdministrator

Here are two sites that list the heartbleed vulnerability of top internet sites and most importantly, tell you the sites where you should change your password. The CNET site, which will be updated, includes the status on the top 100 internet sites.

CNET

cnet.com/how-to/which-sites...

Mashable

mashable.com/2014/04/09/hea...

The LastPass password manager/wallet's security check alert feature also warns you about sites where you need to take action to protect yourself against Heartbleed - even in the free version!

zdnet.com/worried-about-hea...

I don't use LastPass (I'm reluctant to trust all my passwords to a copy kept on a server protected by one password), but the LastPass company bought out another company that developed the excellent X-Marks browser add-on which I do use to synchronise my bookmarks across Firefox (on multiple platforms) and Windows Internet Explorer. Again, it is free for basic use, with the paid product working across phones and tablets.

A comic version of how Heartbleed works, courtesy of XKCD:

xkcd.com/1354/

XKCD's take on how vulnerable we are to Heartbleed:

xkcd.com/1353/

Neil

AussieNeil profile image
AussieNeilPartnerAdministrator

On Tuesday 22nd April, Apple released security updates for Mac, iOS, and AirPort:

zdnet.com/apple-security-up...

Note that the AirPort Base Station uses openSSL and hence has been patched for the Heartbleed vulnerability. Apple also patched their own SSL bug. :)

How is everyone going updating their passwords? I'm making slow progress as I visit sites I haven't been to in a while...

AussieNeil profile image
AussieNeilPartnerAdministrator

For those interested in how the Heartbleed bug happened, here's a good summary:

theconversation.com/how-the...

The flaw was caused by a very common programming oversight in not performing Bounds Checking. Sadly, this flaw has highlighted the inadequacy of one of the key arguments for the superiority of Open Source over Proprietary Source code - that the "Many Eyes" that look at Open Source code will spot such errors...

Neil

AussieNeil profile image
AussieNeilPartnerAdministrator

An update on protecting yourself from Heartbleed: Seems some sites (even financial ones) are slow in patching their sites against the Heartbleed vulnerability. As it isn't much use updating your password until the site has been patched, here's a useful website that can report whether a site you use is still vulnerable:

site24x7.com/check-heartble...

Just enter the site name (e.g. 'healthunlocked.com' for this site) in the Website Name box and the autogenerated number in the Access keyword box, then click on 'Test Now'.

It is important to use the correct prefix ( or ) when testing a site. Even if you initially use to connect to a site, if it resolves to when you've logged in, you should use the address.

Sadly it seems you'll need to keep checking if a vulnerable site you use has been patched as very few seem to be emailing their members advising them to do this...

Here's another list showing the status of some popular sites:

thesecurityblogger.com/?p=4078

On related news, eBay is now advising members to change their password after admitting to the loss of encrypted passwords from their site two months ago...

Not what you're looking for?

You may also like...

Internet Explorer users should switch to another browser - governments recommend

Until Microsoft patches this latest Flash related Internet Explorer vulnerability (that's ALL IE...
AussieNeil profile image
Partner

Is your computer/phone/tablet secure?

The post below recommends techniques to improve your on line security, but that's not much use if...
AussieNeil profile image
Partner

PLEASE do NOT include your email address in posts/replies - use a Private Message to exchange contact details

Given that lately more members are including their email addresses in their submissions, I thought...
AussieNeil profile image
Partner

Introduction of Redirect Notice when you select a link/reference/URL

Some of you may have noticed the above appearing when you select a link (URL). Below, Laura from...
AussieNeil profile image
Partner

Navigating HealthUnlocked

Introduction (For a quick menu summary, page down to HU Menus in a nutshell)...
AussieNeil profile image
Partner

Moderation team

See all
Newdawn profile image
NewdawnAdministrator
CLLerinOz profile image
CLLerinOzAdministrator
AussieNeil profile image
AussieNeilAdministrator

Content on HealthUnlocked does not replace the relationship between you and doctors or other healthcare professionals nor the advice you receive from them.

Never delay seeking advice or dialling emergency services because of something that you have read on HealthUnlocked.