Technology by Design


ALERT: Heartbleed Bug

April 10, 2014 by The T By D Team

Internet security experts are scrambling to patch an alarming encryption vulnerability that has exposed millions of passwords and other personal information, including credit card numbers and email accounts, across a wide range of online commerce.

Some reports say as many as two-thirds of sites on the internet are using OpenSSL – the encryption code that we now know is flawed and vulnerable to so-called ‘Heartbleed’ attacks.

What Sites You Should Be Worried About:

The Canada Revenue Agency website is shut down, and not expected to be open again until at least the weekend.  The CRA says this move was precautionary, because there is no evidence of a breach.

Canadian banks, airlines, and online retailers such as Amazon.ca, Walmart, and Indigo Books all said they were NOT affected by the bug.

The online news site Mashable has an extensive list of other affected sites.

They suggest you should immediately change your password if you use any of the following:
  • Facebook
  • Gmail (or other Google services)
  • Tumblr
  • Yahoo mail
  • GoDaddy
  • Intuit (TurboTax)
  • Dropbox
  • LastPass
  • OkCupid
  • Soundcloud

Wondering about a site not on the list?  The Web developer resource GitHub has been testing sites; here’s a working list of the vulnerable, not vulnerable and no SSL sites:  Heartbleed-Masstest.  The caveat for this information is that there is no central “is my internet broken” government agency that can verify these checks; GitHub’s community of volunteers appears to be our best resource, but maybe think of it more like Wikipedia than a peer-reviewed journal.

There are also a few services, such as filippo.io/Heartbleed, that let you test a website yourself.  We recommend doing this for any lesser-known site you use regularly.

As Toronto-based password-managing site 1Password says, “The time to change passwords is after sites patch vulnerability *and* update certificates.”

How Do You Make Your Passwords Safer?

The smartest thing to do at this point is diversify your passwords, so that if someone hacks your OkCupid account they can’t get into Google with the same password.  My rule of thumb is that no site that connects to my credit card shares a password with any other site that I use.

Most people use terrible passwords.  There are a number of reasons for this.  One is the sheer variety of password-enabled devices we have to deal with every day (how many of you will admit to still having the default “1234” as the password on your vehicle’s Bluetooth connection…?).  Another is the fault of certain products and websites that either don’t care what sort of password you choose, or force you to jump through a bunch of hoops that result in the creation of a convoluted password you end up forgetting a week later.

The most important determinant of password strength is entropy.  Basically, the more stuff there is to guess, the better the password.  So choose a long password.  And if you don’t think you can remember multiple passwords and don’t want to use a password manager, at least memorize a strong password and use it exclusively for your most important digital transaction.  The last thing you want is your banking login compromised because someone hacked into a gaming forum you frequent and stole your password.
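As an added illustration (not part of the original alert), the Python example below applies the two rules above to a constructed list of accounts: it finds sites that share a password, flags any credit-card-linked site that breaks the "no sharing" rule of thumb, and gives an upper-bound entropy estimate that shows why length matters more than odd characters.  The site names, the VAULT list and the function names are all hypothetical.

```python
import math
import string
from collections import defaultdict

# Constructed sample entries (site, password, linked_to_credit_card); not real accounts.
VAULT = [
    ("dating.example", "sunshine1", False),
    ("webmail.example", "sunshine1", False),
    ("shop.example", "sunshine1", True),
    ("bank.example", "maple harbour violin thunder", True),
    ("forum.example", "Xq7!pL", False),
]

def reuse_groups(vault):
    """Return lists of sites that share one password (the password itself is not returned)."""
    by_password = defaultdict(list)
    for site, password, _ in vault:
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)

def card_rule_violations(vault):
    """Sites linked to a credit card whose password is also used on another site."""
    shared = {site for group in reuse_groups(vault) for site in group}
    return sorted(site for site, _, card in vault if card and site in shared)

def entropy_bits(password):
    """Upper bound: length * log2(pool), pool = sizes of the character classes used.
    Assumes each character is picked at random, so real words score too high."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    pool = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

if __name__ == "__main__":
    print("shared passwords:", reuse_groups(VAULT))
    print("credit-card rule broken by:", card_rule_violations(VAULT))
    for site, password, _ in VAULT:
        print(f"{site}: {len(password)} chars, <= {entropy_bits(password):.0f} bits")
```

In this sample the six-character password that mixes every character class still scores lower than the plain nine-character one, and far lower than the four-word passphrase.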

Is This A Virus?

No.  A virus is a piece of malicious code that seeks to infect your computer systems.  Heartbleed appears to be a mistake, a flaw in the encryption code that many websites use to protect passwords they ask you to use to log in, as well as other information.

How Long Has This Been Going On, And Whose Fault Is This?

According to the researchers who found the problem (and let’s be clear, this is a gaping hole that words like “flaw,” “bug,” and “vulnerability” barely describe), the bad code was introduced two years ago.  To quote Codenomicon (who found and named Heartbleed): the affected code is called OpenSSL and “is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet.”

The OpenSSL Software Foundation and the developers who maintain this code are on the receiving end of a lot of pointed finger-wagging.  According to the Wall Street Journal, there are only 4 staffers to maintain the open-source libraries…and only 1 is full-time.

“There is no question more effectively applied manpower would be a good thing,” said Steve Marquess, President of the foundation.  “Formal code audits would be a good thing.”  Really…

You can’t stop CyberCriminals from targeting your company or employees.
But you can be prepared for their arrival, and have full shields up.
