Another password crisis on the internet. This time, changing my password may not be the best thing to do.
blog.mindrocketnow.com
The Heartbleed bug has brought my vulnerability on the internet into sharp focus. Through a faulty code implementation, my confidential information could be obtained by someone with nefarious intentions. And it’s not my fault this time.
The issue stems from a common coding error in a server-side open source implementation of the SSL/TLS protocols, OpenSSL. There’s a very good explanation on the Symantec site:
The Heartbleed vulnerability in OpenSSL allows an attacker to spoof the information on the payload size. How an OpenSSL server deals with this malformed Heartbeat message is key to the danger this vulnerability poses. It does not attempt to verify that the payload is the same size as stated by the message. Instead it assumes that the payload is the correct size and attempts to send it back to the computer it came from … [and will] automatically “pad out” the payload with data stored next to it in the application’s memory. This [padding] could include the login credentials of a user, personal data, or even, in some cases, session and private encryption keys.

The data the application sends back is random and it is possible that the attacker may receive some incomplete or useless pieces of data. However, the nature of the vulnerability means that the attack can be performed again and again, meaning the attacker can build a bigger picture of the data stored by the application over time.
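The missing size check that the quoted text describes, as an added example in C that is not from this post, from Symantec, or from OpenSSL itself: a heartbeat parser that validates the claimed payload length against the record actually received before echoing it back, and reports how far past the received bytes an unchecked copy would have read. The message layout follows RFC 6520 (1-byte type, 16-bit payload length, payload, at least 16 bytes of padding); the record bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_MIN_PADDING 16

typedef struct {
    int ok;            /* 1 if the message is well-formed */
    size_t payload_len; /* length claimed in the header */
    size_t overread;   /* bytes beyond the record an unchecked copy would read (0 if ok) */
} hb_check;

/* Validate a heartbeat record of rec_len bytes against its own length field. */
hb_check hb_validate(const uint8_t *rec, size_t rec_len) {
    hb_check r = {0, 0, 0};
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST) return r;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];      /* the attacker-controlled length */
    r.payload_len = claimed;
    size_t needed = 1 + 2 + claimed + HB_MIN_PADDING;     /* what the header says the record holds */
    if (needed > rec_len) {                               /* the bounds check the vulnerable code lacked */
        r.overread = needed - rec_len;                    /* this much adjacent memory would have leaked */
        return r;
    }
    r.ok = 1;
    return r;
}

/* Build the response only after validation; echo exactly the bytes that were received. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    hb_check c = hb_validate(rec, rec_len);
    size_t total = 1 + 2 + c.payload_len + HB_MIN_PADDING;
    if (!c.ok || total > out_cap) return 0;               /* malformed or no room: send nothing */
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, c.payload_len);
    memset(out + 3 + c.payload_len, 0, HB_MIN_PADDING);   /* real code uses random padding */
    return total;
}

int main(void) {
    /* Constructed records: an honest 4-byte payload, and one claiming 65535 bytes but carrying 4 */
    uint8_t honest[1 + 2 + 4 + 16]  = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t spoofed[1 + 2 + 4 + 16] = {HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g'};
    hb_check a = hb_validate(honest, sizeof honest), b = hb_validate(spoofed, sizeof spoofed);
    printf("honest ok=%d; spoofed ok=%d, would over-read %zu bytes\n", a.ok, b.ok, b.overread);
    return 0;
}
```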
Because it’s a server-side issue, it has nothing to do with how secure our password is. If the people who coded the server made this error (not verifying the size of the payload), the server could be vulnerable. And which servers typically use cryptographically protected communication?
- Anything to do with spending our money – those millions of little online shops – the exact sites that are highly attractive to thieves.
- And anything to do with our identity, especially those social media sites we so love – best not put up your dating profile just yet, as it’s the perfect intersection of money and personal information.
- As a side note, banks are probably safe, as they spend a disproportionate amount of money on internet security, and as a rule do not use standard open source SSL implementations.
Mashable has a good summary of sites where refreshing your password could be warranted. But before you stop everything to change that password, consider that it may not be a good idea yet. If you change your password before the server side has implemented the Heartbleed fixes (and it’s not just a simple patch; it could require revoking and re-issuing digital certificates), then your newly changed password may be nefariously obtained. So ensure that the web site owner has done their work before you change your password.
But even if you receive an email confirmation that the web site owner has fixed the problem, it still may not be a good idea to go and change your password. Security experts expect an increase in phishing that tries to obtain passwords through the reset process. By phishing, I can get you to give me your reset email address on a bogus site that looks close enough to the real thing to pass cursory inspection. Then I can probably reset your password through social engineering – guessing the answers to the additional personal questions by paying attention to the digital footprints you’ve left all over the internet. So don’t just click through the link in the email – type the URL into your browser, and make sure the https symbol is showing, before you reset your password. Here are some other good rules for passwords:
- Don't reuse passwords
- Don't use a dictionary word
- Don't use standard number substitutions
- Don't use a short password
- Do use two-factor authentication
- Do give bogus answers to security questions
- Do scrub your online presence
- Do use a unique email per online presence
My password manager tells me I have 300 passwords. Plus all those sites where I connected using Facebook or Google login. This could take a while… I leave you with Symantec’s advice on what to do next:
Advice for consumers:
- You should be aware that your data could have been seen by a third party if you used a vulnerable service provider
- Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so
- Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
- Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
- Monitor your bank and credit card statements to check for any unusual transactions
Really interesting blog article Avi. I've got about three passwords I reuse and it's made me realise how lazy and potentially dodgy that is. I have also received several emails from companies with 'click here to reset your password' links due to the heartbleed dilemma. I never use the links but I'm sure a lot of people click without realising it could lead to bogus sites. I know we're meant to change passwords regularly, I find it very easy to get complacent until something like this happens. Thanks for the advice.
Thanks for the feedback, Ella. Really appreciate you taking the time out to comment.
I recommend spending money on a password manager so that you only have to remember one key password, but you have unique strong passwords for each site. Unfortunately, I've seen too many examples of people getting scammed, and a couple of examples of identity theft that has had disastrous consequences. But don't get scared; by being aware of the dangers, you're better able to deal with them.