What You Need To Know About Heartbleed In 30 Seconds


30 Second Answer (What Do I Need to Do):


For each & every online secure service that you use:

  1. Verify if they are/were using the problem software over the last 2 years.
  2. If yes, have they implemented the software upgrade yet?
  3. After the upgrade, change your password.
  4. Consider the possible problems a breach of your online security could cause and review/adjust your online security procedure accordingly.

NOTE: This also applies to any businesses or individuals that have your personal information in their records. Is your lawyer or accountant using a service like Dropbox to transfer files? If so, your personal information may have been compromised. So as well as reviewing your own online activities for the past 2 years, you get to worry about secondary points of failure as well. Great.


A Little More Detail Please:


What Is Heartbleed?

Heartbleed is a bug that affects versions 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a and 1.0.1 of OpenSSL.

OpenSSL is software that many web servers use to provide a secure connection (https://). Making a secure (https://) connection to a website does not, by itself, tell you whether that web server is using OpenSSL.

How Bad Can This Get?

This bug has been around for 2 years (see all the affected versions above); the good guys just found out about it this week (April 7th 2014). We don't know how many bad guys, if any, knew about it and used it over the last two years.

Because of the nature of the bug, there is no way to know if it has been used. A 'smart' bad guy would use something like this selectively, hoping the bug would get carried forward into future versions. The bug makes it possible to hand the "keys to the kingdom" to anyone asking the right questions. So the worst case scenario would involve the bad guys asking all the right questions in all the wrong places for the last two years.

Is There An Easy Button?

Sadly, no, not in this case. If you assumed a service was fine only to find out later you were wrong, it would likely cost more to correct the mistake after the fact than to act now on the assumption that you had been compromised. If you suspected Dr Evil had the keys to your family home, would you be ok with 'risking it' and not changing the locks?

There are some lists out there that might be helpful, but you really should not rely on third-hand information in this matter. What if someone creating the list made a simple mistake? A simple error not unlike the missing line of code that caused this problem to begin with? Hey, you can't say "it can't happen".

Having provided an adequate warning, here are two lists that might be helpful. The team at Mashable put together a nice list that has a lot of popular sites on it. There is also a (link is now dead) that was inventoried on April 8th 2014. (Hint: Control-F is for find.)

In the end you will want to verify from the online source itself if they were/are affected by this problem.

One Size Does Not Fit All, Mileage May Vary, Not Exactly As Illustrated.

The popular advice is to change your passwords on affected services after you verify they have patched their systems. That's good advice, and hopefully for most people it will be enough.

For some it might not be enough.

Consider a situation where an individual was under attack and the attacker learned about this exploit and decided to use it. Even if the attacker were not a programmer, they would have enough time to find an evil programmer to help with the attack. While this may seem to be at the far end of the spectrum, it's only because it is. Most people don't already have Dr Evil after them, but imagine a 'fatal attraction' type ex getting hold of all your social logins - no, don't see a problem there.

The point of taking it to the extreme is to show there is a range of possible problems and possible corrective actions beyond just changing your passwords. If you felt your bank or CRA info was compromised, it would be of more concern than if some online service for e-greeting cards was hacked.

While You're Spring Cleaning Anyways

While you are in there changing passwords (remember to wait until they patch the servers!), it might be a good time to do a little review of each account and make sure you're ok with the personal details you are storing there. Is the benefit from the service worth the problems a breach of this information might cause?

A Word About Passwords

It's a lot of work to change all your passwords. If you are going to go through this exercise, you might as well make sure the new passwords are strong enough for the world that is 2014. There was a day when your dog's name might have been an ok password. You might even get crafty and substitute some characters, as in d0gGy. There, no one will ever guess that. Pure genius.

If your password is a word, or a w0rd with s0m3 numb3rs subst1tut3d 4 l3tt3rs - IT'S NO PASSWORD AT ALL.

See full article: A Word About Passwords

What About Your Home Office, Is It Just As Vulnerable?

The bad guys online don't limit their evil activities to your online accounts. They know there is a LOT more information in the average home network. A small business person can find their venture totally dependent on a few computers in a small home network. If you panic at the thought of one or more of these devices having a serious problem then maybe you should also invest a few minutes of your time to see how exposed your home network is right now.

See full article: How Secure Is Your Small Business Network?

Additional References:

The problem straight from the horse's mouth: http://www.openssl.org/news/vulnerabilities.html

Details of the specific problem, discussed by a professor: http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

Related Articles

A Word About Passwords

How Secure Is Your Small Business Network?

How To Flush Your Business Down The Tubes In A Few Minutes
