Heartbleed and the Information Security Nightmare
Here’s a scenario… you get a notice, you see it on social media or on the news, something else about changing your password. You put it off because it’s not a matter of national security in your life. A few weeks later, something worse happens — a major breach of a financial institution happens, maybe your bank or credit card, or a social network gets breached. Yet again, you don’t get a phone call or you know it doesn’t affect you so you just leave your password the same. You don’t have time to go change and memorize another password. It’s just too much. Then you hear of the worst vulnerability affecting the known Internet. It’s called Heartbleed, aka CVE-2014-0160. That’s a snappy name, you think to yourself. Not a big deal. Now it’s the “most dangerous security flaw on the web,” according to The Verge.
This scenario happens all…The…TIME. Major breach, no one cares. No one really cares until someone in Information Security makes you care. When all of the yelling and screaming at Tier 1 support is over because there’s really no one to blame except some “magic man in a cloud” that pushed a button (or forgot to), no layman really knows what happens next. This time, we have an even greater nightmare. Absolute panic should be occurring online right now, but no one cares. It’s not important because it’s just digital life that depends on it.
Panic, you say? Yes, PANIC for any decent Internet Service provider. The panic is based on the fact that just because you change your password, or get notice to change your password, that it doesn’t mean that the breach is fixed. In this particular incident with Heartbleed, it was only yesterday that SOPHOS updated UTM and SAV for vShield. COMODO, an SSL provider, is just now sending out word. It was two days ago that the media really took wind of it. Looking at this like a virus spreading, we’re still just over 72 hours from Zero Hour on April 7th (considering when it was announced and announcing it being the moment that people both use the vulnerability for good and to respond to the call-to-action). But that news media article or spot only made it worse. Panic. That’s not all even still. Heartbleed was affecting the Internet since December 2011. Even more panic. This makes my head hurt, you think to yourself.
The exact problem here is that while the vulnerability was exposed, only a handful of services and sites had time to respond to the threat. In the time that it takes to respond to a threat such as Heartbleed, a lot of things need to happen. SSL certificates, private keys, internal passwords and security procedures, not to mention the OpenSSL module and Apache, all of which have to be updated. But you got the news yesterday. The amazing power of the Internet told you that there was a problem and you went and updated your password because you were sick and tired of that next Target security breach they were talking about last Christmas. And now, NOW you need to go change your password all over again even after you spent two hours yesterday making sure that everything was “safe,” or so you thought. You give up — and you likely should — because a typed password that a human can use is no longer truly safe.
Passwords hurt my brain, you think. Well, that’s fine. Because this breach is bigger than just your password. It’s your phone, your tablet, your printer, your laptop, your wireless router, your Smart TV, and that Starbucks hotspot. It’s also the fact that when you use OAUTH to sign into Pinterest from your Twitter ID or save your favorite Epicurious recipe by logging into your Facebook account that the session can be hijacked. But you like to stay logged in to your favorite sites for hours on end even though you only stay online for about 20 minutes — tops. It’s just so darn handy to not have to log out. Well, that’s what it’s going to take. You need to log out and wait. BUT I CAN’T BE BOTHERED TO DO THAT… and the cycle continues.
Perhaps it wasn’t clear enough. Nearly everything that you use a password on is affected. Unless it doesn’t connect to the Internet, like your garage door opener from 1981, chances are it’s affected. But we can’t have our customer base freak out! Yep, I’ve heard that one too. So fix OpenSSL and reset their passwords for them. But wait, that’s not a good idea because all of those GMail addresses have the same password or XYZ provider is about 8 days behind Zero Hour and they’re just going to login to a unsecured secure server. Well, we can’t all rely on the media to tell us when to do things. Or maybe that other site I like… NO, because they’re affected too.
So how do you handle Heartbleed if you’re not some Information Security guru? You log out and you wait until EVERY SITE you use has something up about actually changing your password. Your password has been vulnerable for over two years now. That’s not some wise indication to not care and login anyway and people in Information Security would seriously frown on you doing that. Use a sticky note to remind you to go check the support section of your favorite websites to see what they’re saying. Log out. Give the Internet a break for a day or two. Heartbleed and all of the other nasty things that bother the Internet will still be here when you get back. Until then, here’s a list Mashable has put together of sites that are affected.
There another one called Poodle exploiting the SSL 3.0. A lot of breaches have been uncovered lately.
Thanks for sharing