Tuesday, April 22, 2014

Guest Post | Heartbleed Bug

I feel very excited to say that I have a guest blogger today! The topic is the all-controversial Heartbleed bug that happened a few weeks ago, and the guest blogger is my lovely boyfriend Edwin. I heard about it on Twitter and on the news, but have to admit I didn't read much into it. Here, my tech-savvy man discusses the Heartbleed bug in depth and I have to admit, not only does it now make sense, but I've realized that I am very non-security-minded. For example, if you know one of my passwords, you probably know them all! This might be a good eye-opener for me to start getting more security-aware with my personal accounts...

Happy learning! Oh, and check out some of the links - there's some cool info there!

PS - just to prove my point, I originally called this post "Heartbleed Virus" but was quickly informed it is NOT a virus, it is a bug. Whoops. My bad. Updated! 

It’s been two weeks since a security flaw in the OpenSSL cryptography library (the software a large share of web servers use to encrypt traffic over the Internet) was made public. The flaw, tracked as CVE-2014-0160, received the sinister name ‘Heartbleed’ and has been described as perhaps the most serious security problem ever to affect the commercial Internet.

According to our good friends at Wikipedia, Heartbleed “is exploited by sending a malformed heartbeat request with a small payload and large length field…”. A vulnerable server trusts that length field and replies with up to 64 KB of whatever happens to sit in its memory next to the request, and the attacker can repeat the trick as often as they like. That memory can contain usernames and passwords being processed at that moment, session cookies, other users’ data and, potentially, the server’s private key, which would let the attacker decrypt previously recorded traffic (where the connection did not use forward secrecy) or impersonate the server in a man-in-the-middle attack. Because the attack is a plain read that leaves nothing in the server’s logs, it is very hard to tell afterwards whether a given server was ever exploited.

And unless you’ve spent an uncommon amount of time understanding computers and the Internet and you readily admit to being a geek, the above two paragraphs haven’t helped a bit (pun intended) in giving you an idea of what the problem is.

In plain English, the Heartbleed bug is a problem affecting over half a million servers on the Internet that were supposedly “secured” for exchanging sensitive information. That information most commonly consists of the username/password combinations used to log in to websites, email, apps, cloud services, etc. This means that an attacker could get access to your email, your company’s network, a payroll system, the private network of cameras at your home, your phone, your online files, banking services, and virtually anything that uses the Internet.
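For the geeks who did want the technical version, here is an added example written for this post (it is not code from OpenSSL or from the original article) that simulates the bug in C: a heartbeat handler that trusts the attacker’s length field, beside the bounds check that fixes it. The record layout follows the TLS heartbeat format (type, two-byte length, payload, padding); the handler names, the simulated “server memory” and the secret parked in it are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat record: 1-byte type, 2-byte big-endian payload length,
   the payload itself, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Simulated slice of server memory (constructed for this example). The incoming
   record is placed at the start; further along sits unrelated data a real server
   would also be holding, here a string standing in for a session cookie. */
#define HEAP_SIZE (32 * 1024)
static unsigned char heap[HEAP_SIZE];
static unsigned char response[HEAP_SIZE];

typedef size_t (*heartbeat_fn)(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap);

/* Build a heartbeat request at heap[0..]. claimed_len is what the length field says;
   actual_payload is what is really sent. Returns the number of bytes actually received. */
static size_t build_request(uint16_t claimed_len, const char *actual_payload)
{
    size_t plen = strlen(actual_payload);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&heap[HB_HEADER], actual_payload, plen);
    memset(&heap[HB_HEADER + plen], 0, HB_PADDING);
    return HB_HEADER + plen + HB_PADDING;
}

/* Vulnerable handler, structured like the pre-1.0.1g logic: it trusts the length
   field inside the attacker's record and copies that many bytes starting at the
   payload, never comparing it with how many bytes were actually received. */
static size_t vulnerable_heartbeat(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                          /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;       /* keeps the simulation in bounds; not part of the bug */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[HB_HEADER], &rec[HB_HEADER], payload);  /* reads far past the real payload */
    memset(&out[HB_HEADER + payload], 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler, mirroring the check added in OpenSSL 1.0.1g: discard the record
   if the claimed payload does not fit inside what was actually received. */
static size_t fixed_heartbeat(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;    /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len) return 0;  /* silently discard */
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[HB_HEADER], &rec[HB_HEADER], payload);
    memset(&out[HB_HEADER + payload], 0, HB_PADDING);
    return resp_len;
}

/* Byte-string search (memmem is not portable). */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Send one malicious heartbeat ("hi" with a claimed length of 16 KB) through the
   given handler and report whether the secret parked elsewhere in memory came back. */
static int secret_leaks(heartbeat_fn handler)
{
    const char *secret = "session=constructed-secret-cookie-4242";  /* constructed sample */
    memset(heap, 'A', sizeof heap);
    size_t received = build_request(0x4000, "hi");
    memcpy(&heap[512], secret, strlen(secret));         /* "adjacent" server memory */
    size_t n = handler(heap, received, response, sizeof response);
    return contains(response, n, secret);
}

int main(void)
{
    printf("vulnerable handler leaks the secret: %s\n", secret_leaks(vulnerable_heartbeat) ? "yes" : "no");
    printf("fixed handler leaks the secret:      %s\n", secret_leaks(fixed_heartbeat) ? "yes" : "no");
    return 0;
}
```

The attacker sends 2 real bytes but claims 16,384, and the vulnerable handler obligingly returns everything that follows the request in memory. Note that the attacker never chooses what comes back; they simply repeat the request and sift through whatever the server happened to have lying around.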

Well-known sites such as Google, Yahoo, Wikipedia, Twitter and the CRA (Canada Revenue Agency) acknowledged they were affected and corrected the issue promptly; the CRA went on to report that about 900 Social Insurance Numbers had been taken while it was exposed. At the time of writing, however, it was estimated that over 20,000 websites remained vulnerable.

While the full ramifications and consequences of Heartbleed remain to be seen, it helped me realize that even though no attacker would find anything valuable in my email accounts or in my less-than-often-used Facebook account, I’d be in trouble if my identity got stolen and I suddenly realized my bank account had been emptied, or my credit card maxed out, or even a second or third mortgage taken out in my name!

Here are a few yes/no questions that can help you analyze your online presence risk level:

  • Do you use the same username / password on all sites?
    • For a moment, assume that your username and password are compromised. What will the attacker get access to? Just the one website, or the entire set of sites where you use the SAME password (Twitter, Facebook, Gmail, online banking, iTunes, etc.)? Worried you can’t remember that many passwords? Free password vaults (password managers) store all of your passwords behind a single master password, so that one is the only one you need to remember.
    • Interesting fact: a recent survey of office workers about passwords found that half of the employees write their passwords down, while a third share their passwords with someone else.
  • Do you use two-step authentication?
    • Two-step authentication (also called two-factor authentication) is a neat feature offered by most big online providers (Gmail, Hotmail, Facebook, several banks, etc.) that requires you to log in with your username and password plus a one-time code generated by an app on your smartphone or sent to it by text message. A stolen password on its own is then not enough to get into the account.
    • If you are one of the 70% of North Americans with a smartphone, it’s highly likely you can enable two-step authentication for many of your Internet accounts.
  • Do you use a specific credit card or payment wallet when buying online?
    • Using a single dedicated card for online purchases limits the damage if that card number gets compromised. Several financial institutions offer Visa or MasterCard debit cards for online purchases; you can tie one to a separate chequing account and transfer only the money you need before each online purchase.
    • Alternatively, you can use a payment wallet such as Google Wallet or PayPal to store your credit card relatively safely. When you pay with one of these wallets on an eCommerce site, your credit card number is never shared with the site itself.
  • Do you check your bank accounts and credit card statements regularly?
    • A lot of credit card fraud can be recognized early by small charges (typically under $5) made by a scammer to confirm that a card number is “alive” before it is sold on the black market.
    • Personally, I’ve been able to confirm that after two weeks I can’t remember what most of the charges on my credit card are. If I see a $4 charge on my credit card, I’ll probably assume it’s a charge from a coffee shop I don’t remember.
  • Do you check your own credit score and credit report periodically?
    • When you run a credit check on yourself, you can not only see how creditworthy you are to lenders but also whether there are any outstanding, uncollected debts in your name (yours, or those of someone pretending to be you).

In conclusion: 

The Heartbleed security bug has demonstrated that even the strongest sites on the Internet can be affected by security issues, and that it’s impossible to be totally protected against fraud and other risks caused by software vulnerabilities on the Internet (even Google recently had another intrusion into its production servers due to flaws in its own old software).

Keeping that in mind, there are still measures we can take to protect ourselves. Tools like two-step verification, password vaults, payment wallets, prepaid credit cards and others let you reduce the level of risk you are exposed to on the Internet.

Random fact of the day:
The random fact of the day goes to the Walkman that turns 35 this year! Pretty cool eh!?  Do you remember when they were the trendiest and coolest thing in the world and you would be carrying your set of cassettes with you?  I do! But it looks like kids nowadays have no idea how to operate one! Don’t blame them, digital music has made life much easier and changed the world!

1 comment:

  1. I love how different you two are :) I definitely need to make up different passwords but there is just so much to remember in my day to day life!!