Tuesday 15 April 2014

Change your password. But not just yet.

Another password crisis on the internet. This time, changing my password may not be the best thing to do. blog.mindrocketnow.com

The heartbleed virus has brought my vulnerability on the internet into sharp focus. Through a faulty implementation of code, my confidential information could be obtained by someone with nefarious intentions. And it’s not my fault this time.

The issue is due to a common error in server-side implementation of an open source security protocol, OpenSSL. There’s a very good explanation on the Symantec site:

The Heartbleed vulnerability in OpenSSL allows an attacker to spoof the information on the payload size. How an OpenSSL server deals with this malformed Heartbeat message is key to the danger this vulnerability poses. It does not attempt to verify that the payload is the same size as stated by the message. Instead it assumes that the payload is the correct size and attempts to send it back to the computer it came from … [and will] automatically “pad out” the payload with data stored next to it in the application’s memory. This [padding] could include the login credentials of a user, personal data, or even, in some cases, session and private encryption keys.

The data the application sends back is random and it is possible that the attacker may receive some incomplete or useless pieces of data. However, the nature of the vulnerability means that the attack can be performed again and again, meaning the attacker can build a bigger picture of the data stored by the application over time.

Because it’s a server-side issue, it’s got nothing to do with how secure our password is. If the people who coded the server made this error (of not verifying the size of the payload), the server could be vulnerable. And which servers typically use cryptographically-protected communication?

  • ·      Anything to do with spending our money – those millions of little online shops – the exact sites that are highly attractive to thieves.
  • ·      And anything to do with our identity, especially those social media sites we so love – best not put up your dating profile just yet as it’s the perfect intersection of money and personal information.
  • ·      As a side note, banks are probably safe, as they spend a disproportionate amount of money on internet security, and as a rule do not use standard open source SSL implementations.


Mashable has a good summary of sites that could use refreshing your password. Before you stop everything to change that password, it may not be a good idea to do so. If you change your password before the server side has implemented the Heartbleed fixes (and it’s not just a simple patch, it could require revoking and re-issuing digital certificates), then your newly changed password may be nefariously obtained. So you should ensure that the web site owner has done their work before you change your password.

But if you receive an email confirmation that the web site owner has fixed the problem, it still may not be a good idea to go change your password. Security experts expect that there will be an increase in phishing to try and obtain passwords through the reset process. By phishing, I can get you to give me your reset email address on a bogus site that looks close enough to the real thing to pass cursory inspection. Then I can probably reset your password through social engineering – guessing the answers to the additional personal questions through paying attention to the digital footprints you’ve left all over the internet. So don’t just click through the link in the web site – type in the URL into your browser, and make sure the https symbol is showing, before you reset your password. Here are some other good rules for passwords:

  • ·      Don't reuse passwords
  • ·      Don't use a dictionary word
  • ·      Don't use standard number substitutions
  • ·      Don't use a short password
  • ·      Do use two-factor authentication
  • ·      Do give bogus answers to security questions
  • ·      Do scrub your online presence
  • ·      Do use a unique email per online presence


My password manager tells me I have 300 passwords. Plus all those sites where I connected using Facebook or Google login. This could take a while… I leave you with Symantec’s advice on what to next:

Advice for consumers:
       You should be aware that your data could have been seen by a third party if you used a vulnerable service provider
       Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated customers that they should change their passwords, users should do so
       Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
       Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
       Monitor your bank and credit card statements to check for any unusual transactions


2 comments:

  1. Really interesting blog article Avi. I've got about three passwords I reuse and it's made me realise how lazy and potentially dodgy that is. I have also received several emails from companies with 'click here to reset your password' links due to the heartbleed dilemma. I never use the links but I'm sure a lot of people click without realising it could lead to bogus sites. I know we're meant to change passwords regularly, I find it very easy to get complacent until something like this happens. Thanks for the advice.

    ReplyDelete
  2. Thanks for the feedback, Ella. Really appreciate you taking the time out to comment.

    I recommend spending money on a password manager so that you only have to remember one key password, but you have unique strong passwords for each site. Unfortunately, I've seen too many examples of people getting scammed, and a couple of examples of identity theft that has had disastrous consequences. But don't get scared; by being aware of the dangers, you're better able to deal with them.

    ReplyDelete

It's always great to hear what you think. Please leave a comment, and start a conversation!