It has been all over the news, but unfortunately the coverage has focused on the risks rather than on the ways to protect yourself and your business. Heartbleed is a security bug in OpenSSL, a widely used open source cryptographic library; the defect sits in the library's TLS heartbeat extension, which is where the name comes from. Simply stated, Heartbleed allows a malicious actor to read chunks of memory (up to 64 KB per request) from unpatched servers, devices and related software, and that memory can contain the server's private key, form post data, session cookies and even passwords. It effectively means a cyber-criminal can steal passwords, decrypt data, and otherwise gain access to your account and critical data. Some news sources point the finger at certain government organizations and unknown others as having exploited this vulnerability for nearly two years.
It is worth noting that the software bug was quickly fixed on April 7th, the very same day the bug was publicly announced (the fixed release is OpenSSL 1.0.1g). I believe this shows the strength of the open source community and their dedication to fixing known security issues. Let it be known that this doesn't always happen with commercial software, which can take months, years or forever to patch known security issues. I will not point the finger but welcome you to visit the search engine of your choice to research this truth.
This serious bug requires that you, as a user, take some steps to maintain the security of your interactions with the many services you use on a daily basis. Keep in mind this applies to many types of services, cloud services and email among them. Below I've created a simple list because I've received so many questions from customers, friends and family.
Check if the Services You Use are Patched
Not every provider is as judicious as the market leaders. Numerous sites list which services have addressed this bug and are therefore now safe from this particular vulnerability. You can check with this handy link https://filippo.io/Heartbleed/ or get a Heartbleed checker plugin for Mozilla Firefox or Google Chrome. Keep in mind that upgrading the library is only the first step for a provider: because the bug can leak the server's private key, a properly remediated site also generates a new key, reissues its TLS certificate and revokes the old one. A site that is patched but still serving its pre-disclosure certificate may still be exposed if its key was stolen before the patch went in.
As I noted above, the fix was available the same day as the public disclosure, so it is odd that so many lag behind on addressing this issue. If you find a service is still vulnerable weeks after the fix is available, I'd think about finding another provider for the service in question.
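One quick check you can run yourself is whether a site's certificate was issued after the disclosure date, since a reissued certificate is the visible sign that the operator rotated keys. The script below is an added example written for this post, not code from the checker sites linked above. It uses only the Python standard library; the certificate dicts in the assertions are constructed to look like what `ssl.SSLSocket.getpeercert()` returns, so the logic can be exercised offline, and `fetch_cert` is the network helper you would use against a real host. Note the caveat in the docstring: a new issue date proves a reissue, not that a new private key was generated.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 2014-04-07. A certificate whose validity
# started before that date may have had its private key read out of a
# vulnerable server's memory, so it should have been replaced.
DISCLOSURE_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert: dict) -> datetime:
    """Return the notBefore field of a getpeercert()-style dict as a UTC datetime.

    ssl.cert_time_to_seconds understands the 'Apr  9 00:00:00 2014 GMT'
    format that getpeercert() produces.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_disclosure(cert: dict, cutoff: datetime = DISCLOSURE_DATE) -> bool:
    """True if the certificate's validity starts on or after the cutoff date.

    A post-disclosure notBefore is evidence the operator reissued the
    certificate; it does not by itself prove a fresh key pair was generated,
    so treat it as a necessary, not sufficient, sign of remediation.
    """
    return cert_not_before(cert) >= cutoff


def fetch_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Fetch and verify the leaf certificate presented by host:port.

    This is the live-network helper; the offline checks below feed
    constructed dicts straight into assess() instead.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def assess(cert: dict) -> str:
    """Human-readable verdict for one certificate."""
    issued = cert_not_before(cert).date().isoformat()
    if reissued_after_disclosure(cert):
        return f"certificate issued {issued}: reissued after the Heartbleed disclosure"
    return f"certificate issued {issued}: predates disclosure, key may have been exposed"


if __name__ == "__main__":
    import sys

    # Hypothetical default host; pass any hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(target, "->", assess(fetch_cert(target)))
```

Run it as `python3 check_cert.py mail.example.org` (a hypothetical file name and host) and read the verdict; for a full picture you still want the service's own statement that keys were rotated, because a certificate can be reissued over an unchanged key.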
Change Your Passwords
After checking that the service in question has patched the issue, reset your password. Do not change it before the service is patched: a new password sent to a still-vulnerable server can be read out of memory just like the old one. Since session cookies could also have leaked, sign out of all active sessions as well where the service offers that option. Changing your passwords with some frequency and not using the same password everywhere is also just good security practice. It bears repeating: each site should have a unique password; never reuse a single password everywhere. Choose a stronger password and couple it with a password manager, which makes remembering it a no-brainer. Again, we must assume the worst and change all of our passwords on any online services we use, but while we do so we should also turn on 2FA, two factor or two step authentication.
Turn on Two Factor Authentication
As I've said many times before, everyone should be using two factor authentication on all of the sites and services that offer it. Unfortunately very few people do. For more information check out my post on implementing two factor authentication on the most critical sites and services. Two factor authentication (also called MFA, two-step verification, TFA, T-FA or 2FA) requires both your password and an additional code, either sent via SMS (a text message to your phone) or generated by a software application such as Google Authenticator, the Windows Phone Authenticator, etc. There are also physical hardware devices such as Symantec tokens for eBay/PayPal, Gemalto tokens for Amazon AWS, YubiKey and many others. Most banks and financial institutions use the Symantec solution or offer their own. Either way, even standard SMS based 2FA is a positive step forward you should deploy immediately; it is the weakest of the options, since text messages can be intercepted or redirected, but it is far better than a password alone.
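To make it concrete why a leaked password alone no longer gets an attacker in once 2FA is on, here is how the six-digit codes from Google Authenticator and similar apps are actually produced and checked. This is an added example for this post, implementing the public HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with the Python standard library; it is not code from any of the products named above. The base32 seed used in the demo is the RFC's own test secret, not a real account key, and the `window` parameter is my choice of how much clock drift a server tolerates.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed shown in an authenticator app's QR code or setup page."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding many apps omit
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 plus dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP over the current 30-second time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check that tolerates clock drift of +/- `window` time steps.

    hmac.compare_digest keeps the comparison constant-time so the check does
    not leak how many leading digits of the submitted code were right.
    """
    for drift in range(-window, window + 1):
        candidate_time = at_time + drift * step
        if candidate_time < 0:
            continue                              # no time step before the epoch
        if hmac.compare_digest(totp(secret, candidate_time, step), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo seed (base32 of the RFC 4226/6238 test secret), not a real account key.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(seed, now)
    print("code for this 30-second window:", code)
    print("server accepts it:", verify_totp(seed, code, now))
```

The important property is visible in `hotp`: the code is derived from a shared secret that never travels over the wire, so an attacker who read your password out of a server's memory still cannot produce the next code. The flip side is that the seed is as sensitive as a password and must be stored encrypted on the server side.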
Use a Password Manager
Let's face it, passwords are hard to remember and painful to manage. Why not get an application that makes managing them far easier? That is where password managers come in. They store all of your passwords in an encrypted password safe that is much more secure than that sticky note on your desk. Additionally, most of these applications will generate strong random passwords for the sites and services you use. They can even remind you to follow best practice and change them with some frequency. Like I always say, these are no panacea but a good step in the right direction when coupled with two factor authentication.
RoboForm – Windows, OSX, Mobile http://www.roboform.com/
LastPass – Windows, OSX, Mobile http://lastpass.com/
Norton Identity Safe – Windows, OSX, Mobile https://identitysafe.norton.com/
Dashlane – Windows, OSX, Mobile https://www.dashlane.com/
KeePass – Open Source – Windows, OSX, Linux, Mobile, etc. http://keepass.info/
KeePassX – Open Source – Windows, OSX, Linux, Mobile, etc. http://www.keepassx.org/
Password Safe – Open Source – Windows XP, Vista, 7 and 8 only. http://passwordsafe.sourceforge.net/
Patch Everything – Not Just Servers – All Affected Devices, Applications, Etc.
Recall that OpenSSL isn't used only on servers but in many other applications and devices: routers, firewalls, VPNs, desktop applications, smartphones and smartphone applications, for example. Basically, anything that carries a vulnerable version of OpenSSL (1.0.1 through 1.0.1f, and 1.0.2-beta1) will need to be patched; 1.0.1g is the first fixed release. The bug works in both directions, so a vulnerable client connecting to a malicious server leaks its memory just as a vulnerable server does, which is why client software and devices matter as much as servers. Check with your vendor for details about patches and apply them as they become available. As a general practice your organization should automate these processes to quickly address known risk, and as an individual you should do the same. If a vendor fails to publish a patch or information about addressing Heartbleed, I'd call and open a ticket with them.
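For the systems you administer yourself, the first triage step is reading the OpenSSL version banner on each box and comparing it against the affected range. The classifier below is an added example written for this post, not an OpenSSL tool; it encodes the upstream version numbers listed above and parses banners in the format `openssl version` prints. The sample banners in the assertions are constructed. One caveat the code cannot resolve on its own: Linux distributions backport fixes without bumping the version letter, so a Debian or Red Hat build reporting 1.0.1e may already be patched. For those, confirm via the package changelog (for example `apt-get changelog openssl | grep CVE-2014-0160` or `rpm -q --changelog openssl | grep CVE-2014-0160`) rather than trusting the banner.

```python
import re
import subprocess

# Upstream OpenSSL releases that shipped the vulnerable heartbeat code:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g (7 Apr 2014) and 1.0.2-beta2
# carry the fix; 0.9.8 and 1.0.0 never had the heartbeat extension at all.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_banner(banner: str):
    """Parse 'OpenSSL 1.0.1f 6 Jan 2014' into (major, minor, fix, letter, beta).

    Suffixes such as '-fips' are ignored; non-OpenSSL banners (LibreSSL,
    BoringSSL) raise ValueError so they are never silently marked safe.
    """
    match = _BANNER_RE.search(banner)
    if not match:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letter, beta = match.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def upstream_version_vulnerable(banner: str) -> bool:
    """True if the upstream version in the banner is in the Heartbleed range.

    This is a verdict on upstream numbering only; distro-patched builds keep
    the old letter, so treat True as 'investigate', not as proof.
    """
    major, minor, fix, letter, beta = parse_banner(banner)
    if (major, minor, fix) == (1, 0, 1):
        # plain '1.0.1' has an empty letter, which sorts before 'a';
        # single letters compare alphabetically, so 'f' is in and 'g' is out
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def local_openssl_banner() -> str:
    """Banner of the OpenSSL binary on this machine (live helper, not used in the offline checks)."""
    result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


def triage(banner: str) -> str:
    """One-line verdict suitable for an inventory report."""
    try:
        vulnerable = upstream_version_vulnerable(banner)
    except ValueError:
        return f"{banner}: not OpenSSL, check that library's own advisory"
    if vulnerable:
        return f"{banner}: VULNERABLE by upstream numbering, verify distro patch level"
    return f"{banner}: not in the affected range"


if __name__ == "__main__":
    print(triage(local_openssl_banner()))
```

Pair the banner check with the live test from the checker sites earlier in this post: the banner tells you what you shipped, the live test tells you whether the running service still answers a malformed heartbeat.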
Heartbleed isn’t the end of the world but it is a very serious security vulnerability. Take these steps to reduce your personal and business risks and don’t be among those that suffer the consequences of this bothersome bug. Stay safe out there!