Live Video

Thursday, April 10, 2014

Heartbleed

The Heartbleed bug is NOT a virus. 

It does not infect your PC.

It does reveal a flaw in the security systems used by secure website servers.

The problem started two years ago when a update to the secure socket layer contained a flaw (AKA Bug) in the code.
The flaw was only discovered a few days ago.

It allows anyone with a simple software tool to grab memory from a secure server and steal a copy of it.
The stolen information can includes any user logged into the site. Passwords, credit cards etc.
Notice that it steals stuff from MEMORY, not DISK. Information from users who have not logged in recently can NOT be accessed.

That's bad, but it gets worse.

However, even worse, the security keys that allow encrypting the data are in memory and can also be stolen. This means the thief can decode information sent to or from the server, in the past, now or in the future, at least until the web site is issued new secure encryption keys.

Heartbleed steals copies of  Keys

(The Bank Analogy)

Let's put this in simple terms. Stealing the encryption keys is like having someone steal copies of the keys to your bank, including a master key to all the banks safety deposit boxes. It is a tho a thief "borrowed" a ring of keys from the bank, copied them, and returned than before the bank realized they were missing. We don't even know when they were copied. The thief may have copied them two years ago and again the day after the bank changed all the locks.
This would mean that someone, for the past two years could examine everything you did at the bank, even the stuff in your safety deposit box. They will continue to be able to get into your box until the bank changes all the locks on the doors and the master key to the boxes. Changing the key to your deposit box does no good, because the thief can still enter the bank and unlock the box with the master key.

Securing the Master Keys

Fixing the Heartbleed problem by patching the server prevents someone from making copies of the security keys. That is like having the bank president check all the employees and securing every employee key so they can't be copied again. It does nothing about the copies of the keys the thief already has.

How to Protect Yourself

Wait a few days before you log into any secure site. That is like waiting for the bank to change all their keys and locks AND SECURING THE KEYS SO THEY CAN'T BE  COPIED AGAIN. On the internet, all secure encryption keys are changed once a year. Some sites like Microsoft and Google change the encryption keys randomly very often, sometimes several times a day. Sites that only change them once a year will need at least a few days to change their keys.

If you can, hold off a few days before you buy that next book or rent a movie over the web.

Keep an eye out for unauthorized bank or credit card charges, but play it safe, don't log into your bank's web site or use an ATM unless it is absolutely necessary. For the next few days renew your acquaintance with your friendly bank tellers.

Don't change your password unless the site has been fixed. That is like putting a new key in your safety deposit box while the thief with a master key is standing there watching you.

These Sites Are Safe to Use

This is a very short list of popular sites you are likely to visit.
There is no complete list yet.
There are two lists here;
1   These sites did NOT use the Secure Socket Layer code that Heartbleed exposes. There is no need to change your password or worry about your data.

1040.com
Amazon (retail store)
AOL
Capital One
Chase
E*Trade
Evernote
Fidelity
FileYour Taxes.com
Hotmail / Outlook
Microsoft
PayPal
PNC
Schwab
Scottrade
Spark Networks (JDate, Christian Mingle)
Target
TD Ameritrade
TD Bank
U.S. Bank
Walmart
Wells Fargo

These Sites Were Possibly Vulnerable, but are Now Fixed

These sites did  use the Secure Socket Layer code that Heartbleed exposes. They have been patched.
You should change your password as soon as possible on these sites. Data was possibly exposed but there is no evidence of that having happened yet. Changing your password now will prevent future exposure of you account on these sites.

Dropbox
Gmail
GoDaddy
Google
Intuit (TurboTax)
LastPass
Minecraft
OKCupid
SoundCloud
Wunderlist
Yahoo
Yahoo Mail

Any Site not listed above is suspect and you should wait or check before using.


Notes for Tallassee Alabama
 These are special precautions for the next few days.
Primesouthbank.com is OK to use, as the Heartbleed is blocked by the ISP
         Go to the bank or use their web site to check your account.
         Do NOT use non bank owned ATM's to withdraw money
          or check your balance. (At least for the next couple days)
          Be aware that SOME ATM's at SOME banks are NOT operated by the bank. Don't use them.

See Something, Say Something

If you see unusual transaction, report them immediately.

Be Careful, Check the Site

Before using any other site that uses a password, especially if it involves money, SS numbers, or personal information, check it with the following tool:
 http://filippo.io/Heartbleed/

Type in a site name like Twitter.com  then hit Go.
If it is red, do not use it
If it is green, read the green message, It will tell if the site has been patched or simply had some functions turned off as a way of preventing the Heartbleed.

Don't Panic

Don't rush to the web and start deleting personal information or closing accounts. You will be loading your information into the severs memory and exposing it to Heartbleed if the site is not patched.

My Take on this Mess

Remember, the following is purely speculation on my part.

Nobody has explained why this happened. We know WHAT happened, but not WHY.
I find the following to be strange:

  1. This bug crept into code that is used by so many different server software providers. 
  2. That it was introduced into the wild by people who's main purpose is security.
  3. That a bug like this didn't just break the code, instead it enabled downloading any 64K block of memory.
  4. If it was an intentional back door the servers memory, then what hacker would wait two years without launching a massive credit card fraud? Once he had access to a few million accounts, why wait any longer for the payoff?

In the past, there have been bugs like this, ones that lie dormant for years before they do their damage.

  • The bug in the Iraq anti-aircraft defense system that cause the guns to fire randomly into the empty spaces between our bombers.
  • The bug that caused Iran's nuclear centrifuges to self destruct.

Those bugs, and others, were created by governments.
Did a government somewhere want to read all the encrypted data on the web? What about Iran? China? Or is there one closer to home?

I'll leave it to you to speculate.

1 comment:

  1. We expect that the new LG V30 will be a super success when it launches at the upcoming global event. With the other Smartphone manufacturers going all in to find the proverbial Pandora’s Box when it comes to customer satisfaction, we have developed a wishlist of the features which the LG will supposedly carry. We can also predict that the MWC 2017 will not be the LG V30 showcase after all, as mentioned here. LG V30 Features

    ReplyDelete