How To Protect Yourself From The Massive Security Flaw That’s Taken Over The Internet
On April 07, 2014 a severe vulnerability in OpenSSL was announced.
If you are receiving this announcement, then you have at least one server that may be vulnerable to a serious security flaw.
Known formally as TLS heartbeat read overrun (CVE-2014-0160), and dubbed the “Heartbleed Bug”, this flaw allows for the theft of information normally protected by SSL/TLS encryption. Specifically, the Heartbleed Bug allows memory to be read on systems using OpenSSL 1.0.1 before 1.0.1g, which can compromise private/secret keys used to encrypt data and application traffic. At the very least, this would allow attackers to impersonate users and services, and provide a means for data theft. Unless automatic updating has been disabled, a patch has been downloaded for your system and a system reboot is required to complete the process. We encourage you to reboot your server as soon as possible to ensure your system is secure.
Beginning April 10, 2014 we will be updating and rebooting servers which are found to still be vulnerable to the Heartbleed Bug. Due to the nature of this vulnerability, and the volume of servers eligible for the update, we cannot accommodate requests for a specific reboot time. You may opt out of a server reboot, should you plan to apply the update yourself, by simply opening a ticket at your server provider. If you opt out, Liquid Web will assume that you’ve appropriately patched your servers. For further information on the OpenSSL Heartbleed Bug
In case the Heartbleed bug’s name hasn’t already convinced you of the seriousness of this security vulnerability, allow me to make this clear: you should change the password you use for every website you’ve visited in the last two years.
That message has been repeated ad nauseam since the vulnerability was first revealed earlier this week.
Tumblr has asked its users to change their passwords. Mozilla has advised Firefox users who rely on the same password for multiple sites to do the same. So have the New York Times, the Wire, and countless other news sites. Again, in case the bleeding heart metaphor wasn’t enough to convince you that this is a real problem: change all of your passwords. Now.
That’s easier said than done, of course. While there are various tools that can generate strong passwords and keep them in sync across multiple platforms, there isn’t an “Oh shit!” button that can automatically reset all of those passwords when something like this happens. It’s up to you to remember all of the websites you’ve visited, the passwords you used for those sites, and to create new passwords that anyone knowing your old ones won’t be able to guess. That’s not necessarily a bad thing: having to manually change the passwords could help protect against any potential flaws hiding in the generators used by tools like 1Password or LastPass. (Note: I’m not saying the tools have flaws, I’m just saying they hypothetically could, company representatives.)
What is the Heartbleed bug?
Heartbleed is a flaw in OpenSSL, the open-source encryption library used by the majority of websites that need to transmit data their users want to keep secure. It basically gives you a secure line when you’re sending an email or chatting on IM.
Encryption works by making it so that data being sent looks like nonsense to anyone but the intended recipient.
Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, and it will send out what’s known as a heartbeat, a small packet of data that asks for a response.
Because of a programming error in the implementation of OpenSSL, the researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end into sending data stored in its memory.
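To make the heartbeat trick concrete, here is an added, self-contained simulation (not code from OpenSSL or from this article) of a heartbeat handler with and without the length check that OpenSSL 1.0.1g added. It assumes the RFC 6520 message layout (type, two-byte payload length, payload, at least 16 bytes of padding); the "process memory" buffer and the secret string placed next to the record are constructed sample data.

```c
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding (>= 16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/*
 * Answer the heartbeat request held in rec[0..rec_len).  Returns the response length or -1 when
 * the request is rejected.  With check_bounds == 0 the declared payload length is trusted, as in
 * OpenSSL 1.0.1 before 1.0.1g; with check_bounds != 0 the request is discarded unless the whole
 * message fits inside the record actually received, which is the check the 1.0.1g fix introduced.
 */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, int check_bounds, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];              /* peer-controlled field */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (3 + payload > out_cap) return -1;                          /* simulation limit only */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* unchecked: copies whatever follows the record in memory */
    return (int)(3 + payload);
}

/* Constructed process memory: a 23-byte heartbeat record followed by data that is not part of it. */
#define SECRET "session=CONSTRUCTED-SAMPLE-TOKEN"
static uint8_t memory[128];
static const size_t REC_LEN = 1 + 2 + 4 + HB_PADDING;

static void load_sample(uint16_t declared_len)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(declared_len >> 8);
    memory[2] = (uint8_t)declared_len;
    memcpy(memory + 3, "ping", 4);                   /* real payload: 4 bytes, then 16 bytes of padding */
    memcpy(memory + REC_LEN, SECRET, sizeof SECRET);  /* adjacent memory, outside the record */
}

/* Bytes the response carries beyond the real 4-byte payload; 0 when the request is rejected. */
int bytes_over_read(uint16_t declared_len, int check_bounds)
{
    uint8_t out[128];
    load_sample(declared_len);
    int n = heartbeat_respond(memory, REC_LEN, check_bounds, out, sizeof out);
    return n < 0 ? 0 : n - 3 - 4;
}

/* 1 if the unchecked handler's response contains the secret that sat next to the record. */
int response_leaks_secret(uint16_t declared_len)
{
    uint8_t out[128];
    load_sample(declared_len);
    int n = heartbeat_respond(memory, REC_LEN, 0, out, sizeof out);
    return n >= (int)(REC_LEN + sizeof SECRET - 1) &&
           memcmp(out + REC_LEN, SECRET, sizeof SECRET - 1) == 0;
}
```

With a declared length of 64 against a 23-byte record, the unchecked handler returns 60 extra bytes including the constructed secret, while the checked handler rejects the request outright.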
The flaw was first reported to the team behind OpenSSL by Google security researcher Neel Mehta, and independently found by security firm Codenomicon. According to the researchers who discovered the flaw, the code has been in OpenSSL for about two years, and using it doesn’t leave a trace.
How bad is that?
It’s really bad. Web servers can keep a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service. According to Vox.com’s Timothy Lee, even credit-card numbers could be pulled out of the data sitting in memory on the servers that power some services.
But worse than that, the flaw has made it possible for hackers to steal encryption keys — the codes used to turn gibberish-encrypted data into readable information.
With encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.
Am I affected?
Probably, though again, this isn’t simply an issue on your personal computer or your phone — it’s in the software that powers the services you use. Security firm Codenomicon reports:
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.
According to a recent Netcraft web server survey that looked at nearly 959,000,000 websites, 66% of sites are powered by technology built around SSL, and that doesn’t include email services, chat services, and a wide variety of apps available on every platform.
The good news is that passwords for services like Facebook and Gmail can be changed. It would be much harder to protect against compromised biometric security measures — what are you gonna do, burn your finger tips and tattoo some new patterns onto them?