Consumers Can't Stanch Heartbleeding
Apr 11, 2014 5:00 AM PT
Consumers can do little to protect themselves from the catastrophic Heartbleed bug.
"Catastrophic is the right word," wrote security guru Bruce Schneier in his blog this week. "On the scale of 1 to 10, this is an 11."
Heartbleed is an extension of the SSL/TLS protocol used to encrypt data in transit on the Internet. The most common evidence of SSL to consumers is the padlock icon displayed by URLs that begin with "https."
Heartbleed is used to keep a secure connection alive. The flaw in it, discovered this week, allows unencrypted data in memory to be scooped up by Web marauders 64,000 bits at a time.
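The bug comes down to a single missing bounds check: the keep-alive message carries a two-byte field declaring how long its payload is, and a vulnerable server trusted that field instead of comparing it with the number of bytes actually received. The following is an added example written for this article, not code from the article or from OpenSSL; it parses the message layout defined in RFC 6520 (one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding) and applies the check a correct responder must make before echoing anything back. The two sample records are constructed for the demonstration, not captured traffic.

```python
"""Validate the length field of a TLS heartbeat record (RFC 6520 layout)."""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat messages
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat_record(record: bytes):
    """Split a TLS heartbeat record into (message type, declared payload length, body length).

    Raises ValueError when the record is not a well-framed heartbeat record.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        raise ValueError("not a heartbeat record")
    body = record[5:]
    if len(body) != rec_len:
        raise ValueError("record length field does not match the bytes present")
    if len(body) < 3:
        raise ValueError("heartbeat message too short for its type and length fields")
    hb_type, declared_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat message type")
    return hb_type, declared_len, len(body)


def heartbeat_length_ok(record: bytes) -> bool:
    """True only if type byte + length field + declared payload + minimum padding fit in the record.

    A responder that skips this check and copies declared_len bytes out of its
    receive buffer sends back whatever happens to sit in memory after the real
    payload; that is the Heartbleed leak. A responder that applies it simply
    drops the malformed message.
    """
    _hb_type, declared_len, body_len = parse_heartbeat_record(record)
    return 1 + 2 + declared_len + MIN_PADDING <= body_len


def _record(body: bytes) -> bytes:
    """Wrap a heartbeat message body in a TLS 1.2 record header (constructed test helper)."""
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0303, len(body)) + body


# Constructed sample records for the demonstration (not captured traffic):
# 1) well-formed request: 4-byte payload, length field says 4, 16 bytes of padding
GOOD_RECORD = _record(bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# 2) malformed request: the same 4-byte payload, but the length field claims 0x4000 bytes
BAD_RECORD = _record(bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"ping" + b"\x00" * 16)


if __name__ == "__main__":
    for name, rec in (("well-formed record", GOOD_RECORD), ("oversized length field", BAD_RECORD)):
        verdict = "accept" if heartbeat_length_ok(rec) else "reject"
        print(f"{name}: {verdict}")
```

The same comparison (declared length plus header and padding against the record length) is what an intrusion-detection signature for this bug evaluates on the wire, so a network sensor can flag the malformed request even when the server behind it has not yet been patched.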
"This issue affects hundreds of thousands of websites -- potentially up to 20 percent of all sites with SSL/TLS enabled -- as well as email, IM and other servers protected by SSL/TLS encryption," Brent Bandelgar, an associate security consultant with Neohapsis, told TechNewsWorld.
"The attacks are simple, untraceable and expose the crown jewels of encryption -- server private keys -- among other data handled by trusted servers such as user names and passwords," Bandelgar explained.
"Attackers that gain server private keys can impersonate trusted servers without raising warning screens in browsers and can potentially decrypt previously recorded encrypted sessions," he added.
The issue also affects clients built on OpenSSL, including mobile phones. While many websites have been quick to fix the Heartbleed bug, that's not likely to be the case everywhere OpenSSL is used.
"It is not easy for most people to know what version they are running, and if this is built into a router or embedded device, chances are very slim they will ever know," Tim Keanini, CTO of Lancope, told TechNewsWorld.
That's not the case for Android phone users, however. Lookout Mobile Security is offering an app that will detect if the version of OpenSSL on a phone has Heartbleed activated. Thus far, that's only been the case with phones running Android 4.1.1 Jelly Bean, said Lookout Principal Security Researcher Marc Rogers.
Some phones running Jelly Bean, like the Samsung Galaxy S4 and Samsung Note3, have turned off Heartbleed by default, he noted.
"That means while the vulnerable software is there -- because it's not using the vulnerable feature, it can't be attacked," Rogers told TechNewsWorld.
As to why a manufacturer would turn the feature off, "my guess is to save bandwidth," he suggested. "Heartbleed sends out packets back and forth to make sure a connection stays alive. That's not a problem with a laptop on a WiFi connection, but when you're on a phone paying for every kilobyte of data, over a year a few packets going out every few seconds can amount to a lot of money."
While Lookout's app will identify if Heartbleed is activated, it can't disable it. That's left up to someone else, like a carrier or manufacturer.
There's also software circulating on the Net that allows consumers to detect if a website they're visiting has squashed the Heartbleed bug or not. Rogers disapproved of those programs.
"All those programs that I've seen so far test servers by running the vulnerability," he said. "We frown on that. It violates the Computer Fraud and Abuse Act."
The most common advice for consumers looking for a measure of protection from the Heartbleed bug is to change the passwords to your websites.
"Follow normal best practices for online identity information," Matt Willems, an engineer with LogRhythm Labs, told TechNewsWorld. "Change your passwords regularly, and if an online service says your information may be at risk, follow their directions."
Mashable has compiled a list of some of the most prominent locations and services affected by the Heartbleed bug. Sites where password changes were recommended included Facebook, Tumblr, Google, Yahoo, Gmail, Yahoo Mail, Amazon Web Services, Intuit (Turbo Tax), Dropbox, LastPass, Minecraft, OKCupid, SoundCloud and Wunderlist.
Changing passwords needs to be done with some forethought, however.
"Before changing a password, make sure any site that accepts sensitive information has patched the bug," Bit9 Chief Evangelist Ben Johnson told TechNewsWorld. "It doesn't make sense to change your password if the site hasn't been patched yet."
In addition, for those who haven't activated two-factor authentication at websites that offer it, now is the time to do it.
"If consumers are using two-factor authentication, the exploit has significantly less impact on the security of your password, because the codes used for login are unique and generated new every time," said Charles McColgan, CTO of TeleSign.
"As such," he told TechNewsWorld, "even if your password is known or grabbed, then your login is still secure."
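The reason a one-time code blunts a leaked password is that the code is derived from a secret that never leaves the user's device, combined with the current time, so it changes every 30 seconds. The following added example (written for this article, not code from the article or from any vendor quoted in it) implements RFC 6238 time-based one-time passwords and a login check that requires both factors; the account record, its password, and the fixed salt are constructed for the demonstration, and the shared secret is the RFC 6238 test-vector key so the codes can be checked against the published values.

```python
"""RFC 6238 time-based one-time passwords and a two-factor login check."""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def register_password(password: str, salt: bytes):
    """Store a salted PBKDF2 digest rather than the password itself."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(stored, supplied: str) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def two_factor_login(account: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must check out: the password digest and the code valid for this time step."""
    password_ok = verify_password(account["password"], password)
    code_ok = hmac.compare_digest(totp(account["totp_secret"], unix_time), code)
    return password_ok and code_ok


# Constructed account for the demonstration. The TOTP secret is the RFC 6238
# Appendix B test-vector key; the password and salt are made up.
RFC6238_SECRET = b"12345678901234567890"
ACCOUNT = {
    "password": register_password("hunter2", salt=b"constructed-salt"),
    "totp_secret": RFC6238_SECRET,
}


def demo() -> dict:
    """Returns the outcomes of four login attempts at two different moments in time."""
    t_now, t_later = 59, 1111111109
    return {
        "password + current code": two_factor_login(ACCOUNT, "hunter2", totp(RFC6238_SECRET, t_now), t_now),
        "leaked password, no code": two_factor_login(ACCOUNT, "hunter2", "000000", t_now),
        "leaked password + stale code": two_factor_login(ACCOUNT, "hunter2", totp(RFC6238_SECRET, t_now), t_later),
        "wrong password + current code": two_factor_login(ACCOUNT, "letmein", totp(RFC6238_SECRET, t_later), t_later),
    }


if __name__ == "__main__":
    for attempt, ok in demo().items():
        print(f"{attempt}: {'accepted' if ok else 'rejected'}")
```

The two time values are the ones in the RFC 6238 test table, which gives the SHA-1 codes 94287082 and 07081804 for an 8-digit setup; the 6-digit codes here are the last six digits of those. The "stale code" case is the one that matters for a password leak: a code captured along with the password stops working at the next time step, so it cannot be replayed later.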