April 10, 2014

In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.

The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet’s Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator’s credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.
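The "dump a chunk of memory" behaviour described above comes from a missing bounds check in OpenSSL's handling of the TLS heartbeat message: the client declares how many bytes of payload it sent, and vulnerable versions (1.0.1 through 1.0.1f) copied that many bytes back without confirming the record actually contained them. The following is an added example, not code from the article or from OpenSSL: a toy C handler for a heartbeat record that applies the length check introduced in the 1.0.1g fix. The record layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding) and the check itself mirror the real protocol; the function names and the constructed test requests are assumptions made for this illustration.

```c
/* Added example (not from the article or OpenSSL): a toy TLS heartbeat
 * handler showing the bounds check that fixed Heartbleed (CVE-2014-0160).
 * Record layout: 1 byte type, 2 bytes payload length, payload, >= 16 bytes
 * of padding. Function names and test inputs are constructed for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Parse one heartbeat record and build the echo response into `out`.
 * Returns the response length, or -1 if the record must be dropped.
 * The check vulnerable builds lacked is the comparison of the declared
 * payload length against the real record size: without it, the server
 * echoed `payload_len` bytes starting at a short record, i.e. whatever
 * process memory happened to follow it. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    /* Smallest legal record: type + 2-byte length + 16 bytes of padding. */
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The Heartbleed fix: the declared payload must fit inside the record. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);        /* echo only what was sent */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real code uses random padding */
    return (int)resp_len;
}

/* Build a constructed heartbeat request whose declared length may differ
 * from the bytes actually present, so the handler's check can be exercised.
 * Returns the record length written, or 0 if it does not fit. */
size_t build_request(uint8_t *buf, size_t cap, const char *payload,
                     uint16_t declared_len)
{
    size_t plen = strlen(payload);
    size_t total = 1 + 2 + plen + HB_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + 3, payload, plen);
    memset(buf + 3 + plen, 0, HB_PADDING);
    return total;
}

/* Convenience wrapper: build a request and run it through the handler.
 * Returns the handler's result (response length or -1). */
int check_request(const char *payload, uint16_t declared_len)
{
    uint8_t req[128], resp[128];
    size_t n = build_request(req, sizeof req, payload, declared_len);
    if (n == 0)
        return -2;
    return handle_heartbeat(req, n, resp, sizeof resp);
}

int main(void)
{
    /* Honest request: declares 4 bytes and carries 4 -> 23-byte response. */
    printf("honest request  -> %d\n", check_request("ping", 4));
    /* Off by one: declares 5 bytes, carries 4 -> dropped. */
    printf("one byte over   -> %d\n", check_request("ping", 5));
    /* Worst case: declares 65535 bytes, carries 4. A vulnerable server
     * answered with 65535 bytes, mostly memory it never meant to send;
     * the patched handler drops the record instead. */
    printf("oversized claim -> %d\n", check_request("ping", 65535));
    return 0;
}
```

The patched handler is what the scanners linked below are looking for: a server that silently drops a malformed heartbeat behaves like this code, while one that answers with more bytes than it was sent is still running the unfixed version.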

For this reason, I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable:

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

http://heartbleed.criticalwatch.com/

https://lastpass.com/heartbleed/

As I told The New York Times yesterday, it is likely that many online companies will be prompting or forcing users to change their passwords in the days and weeks ahead, but then again they may not (e.g., I’m not aware of messaging from Yahoo to its customer base about their extended exposure to this throughout most of the day on Monday). But if you’re concerned about your exposure to this bug, checking the site and then changing your password is something you can do now (keeping in mind that you may be asked to change it again soon).

It is entirely possible that we may see a second wave of attacks against this bug, as it appears also to be present in a great deal of Internet hardware and third-party security products, such as specific commercial firewall and virtual private network (VPN) tools. The vast majority of affected products that are not Web servers will be business-oriented devices, not consumer-grade products such as home routers. The SANS Internet Storm Center is maintaining a list of commercial software and hardware devices that either have patches available for this bug or that will need them.

For those in search of more technical writeups/analyses of the Heartbleed bug, see this Vimeo video and this blog post (hat tip once again to Sandro Süffert).

Finally, given the growing public awareness of this bug, it’s probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question.


129 thoughts on “Heartbleed Bug: What Can You Do?”

  1. QHoster

    This OpenSSL bug made our month. Tons of support and questions. Seems a huge “event” of 2014. OpenSSL was always a bomb – remember OpenSSL too-open big in the past …

  2. JimV

    I use LastPass for strong password generation and storage — the message they pushed out to users states that while they use OpenSSL and were technically vulnerable until their servers were patched, the internal encryption method they use to protect all user passwords would have defanged any intrusion since they don’t have the encryption key.

    http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

  3. android tablets cheap

    Sure a brand brand new feeling will bring to me soon.
    2 is the latest popular version and you want to look for it.
    Consequently it retains previously stored record or information even more than two
    years.

  4. Mica

    Warning, Firefox 29 users.

    On Sunday, May 4th, I naively updated NoScript Version 2.6.8.21 to version 2.6.8.22 and immediately ran an SSL Report on the server as revealed by the Little Snitch Network Monitor Version 3.3.1 nightly (4086) on my iMac.

    https://www.ssllabs.com/ssltest/analyze.html?d=secure.informaction.com

    Qualys’ results on this [extremely popular] Firefox extension (brackets mine) were as follows:

    Warning: Inconsistent Server Configuration
    Servers:
    69.195.141.178
    69.195.141.179 both got a Grade F as in FAIL

    while both of these
    Servers:
    82.103.140.42
    82.103.140.40
    got a B as in BUT then (do you feel lucky?)

    Well I wasn’t in luck cause I happened to get the update alright; but with a server with a grade of F (69.195.141.178) again as revealed by Little Snitch. So I immediately removed the dang thing from the FF 29 Tools/Extensions.

    So, I don’t know… I’m no whiz at this stuff but I’m trying to learn as best I can. As a subscriber to krebsonsecurity, I felt compelled to report what I found to whomever it may concern.
