The Heartbreak of the Heartbleed Bug: What You Need to Know
The Heartbleed bug is bad, very bad indeed. By one estimate, it affected nearly 2/3 of Internet sites at its discovery. The problem still exists today with sites that were not fixed. Here's what you need to know.
Unraveling the mystery and confusion
OpenSSL is the product that is affected by the bug. The OpenSSL website describes their product this way: “The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.”
The site goes on to say: “OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.”
To summarize, the software is free and can be used to encrypt data between devices and locations on the Internet. Encryption, when working properly, makes data unreadable. In theory, data protected with OpenSSL should be unreadable as it traverses the Internet.
The flaw in OpenSSL allows the theft of encryption certificate keys. This flaw may expose passwords and other data as it is being transmitted between your computer or router and websites. Internet companies with affected websites will restore their security by rekeying or generating new SSL certificates.
The Heartbleed flaw has been around for at least two years. The flaw was created when some of the software's programmers made a simple coding error that went unnoticed. The Heartbleed bug was discovered by researchers at security firm Codenomicon and by Google Security's Neel Mehta.
What do you need to do?
So, what does this mean to you, your equipment and the information that you may have shared with websites on the internet? What should you be doing about the exploit?
Do not panic. This bug is not as easy to exploit as some have made out. Still, caution is necessary.
Find out if sites you use are impacted. Companies like Google, Facebook and Yahoo were all impacted and have fixed their systems. Smaller organizations may be slower to fix theirs.
Change your passwords for sites that are affected. However, and this point is critical: There is no point changing your password until the site or sites that you are changing the password for are fixed. When they are fixed, it is time to change your password. Many of the affected companies are notifying their users when their sites have been fixed. Change your password at that point. We can’t emphasize this enough: Changing your password before the system is patched is worthless. You will only be required to change the password again when it is patched.
Check the following sites to see what companies were affected and if they have patched their systems:
Cnet
Mashable
The following sites report that they are patched and ready to receive your new password: Google (and Gmail), Yahoo (and Yahoo Mail), Facebook, Pinterest, Instagram, Tumblr, Etsy, GoDaddy, Intuit, USAA, Box and Dropbox. As more companies create patches to Heartbleed, this list will grow.
If you use the same password across a lot of sites, then it is recommended that you change them all. If a hacker were to gain knowledge of your common password from one site, then they would have access to several. Do not change all of your passwords, however, until each of the websites is patched. You may be changing passwords, one at a time, for several months.
If you wish to test a site that may be affected, you can use these online tools:
Critical Watch
Filippo.io
Stay away from public hotspots and public Wi-Fi. You aren’t going to know what brands of routers and firewalls are being used in public places, nor are you going to know if the public hotspots and Wi-Fi have been patched or if proper precautions have been taken against Heartbleed. You are better off not using any public networks until the dust settles.
Watch your credit card statements and bank accounts. Notify your bank or credit card company immediately if you see anything that doesn’t belong. If any personal information or even your identity was stolen, it may be a while before you find out. Be diligent about reviewing your accounts going forward. Don’t let your guard down.
Download any software updates when they become available. Generally this bug will affect routers and firewalls in your home or organization. Check with the manufacturer to see if any of the devices that you own or use are affected. Cisco has released a complete list of all vulnerable products and is working on creating free software updates to protect customers. Juniper has also published a list of vulnerable devices and is working on a solution.
Until the routers and firewalls are fixed, find out what kind of router you use in your home and office. Check to see if there is a software update or patch for that particular make and model. If there is not, check back on that company's site every few days to see if a software update is available for download. It could take some time, so be patient. If your router was supplied by your Internet Service Provider, contact them for more information.
Turn off your router's remote access. This will turn off your ability to remotely program the router from outside of your home or office. That feature is probably not used anyway, so you won’t be missing anything. Your ability to do what you have always done inside your network will not change. It will make it less likely that hackers can re-program your router to suit their needs. To do so, log in to the web interface of the router and turn off “Remote Access”. If you don’t know how to do so, contact your IT person or the manufacturer for more information and help.
NSA
Bloomberg has reported that at least two sources familiar with the matter said that the NSA had been aware of the bug for at least two years and used it to gather critical information. Apparently the NSA has the resources to look for these bugs.
Not surprisingly, the NSA has denied the report. Equally unsurprisingly, many people doubted the NSA’s denial. There seems to be little question that the NSA is aware of many bugs and has used them to collect intelligence. It seems that “The NSA denies any knowledge” is bound to be a recurring theme in our future.
ABOUT THE AUTHOR: Scott Greene of Evidence Solutions, Inc.
For over 30 years, Scott Greene has been helping companies meet the challenges of the swiftly evolving computer technology industry.
Directly from high school, Scott went to work for IBM. Scott studied Systems Engineering at the University of Arizona. He has since earned certifications in many products and programming languages.
The Evidence Solutions team analyzes data from Computers, Cell Phones, Black Boxes, Dispatch Systems, Medical Records, Email systems and more. Scott then explains the digital evidence in plain English.
Scott’s extensive knowledge draws clients to him from all over the United States as well as internationally for consulting, forensics and expert witness services. His extensive and diverse experience allows him to be an expert in many facets of digital and electronic evidence. Scott, a sought-after speaker and educator, travels throughout the country sharing his knowledge and presenting to local, regional, national and international organizations.
Copyright Evidence Solutions, Inc.
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.