Staunching Heartbleed

By JoAnne Sommers

By now you’ve undoubtedly heard of Heartbleed, the Internet security bug that triggered alarm bells around the world and shut down a number of Canadian government websites, including the Canada Revenue Agency (CRA), for several days in mid-April.

Heartbleed is a major coding error in OpenSSL, the software library that secures communications on more than two-thirds of active Internet websites worldwide, as well as email, chat servers and virtual private networks.

The software encrypts and protects the privacy of passwords, banking information and other sensitive data that you type into “secure” websites. Such websites are identified by the “lock” icon (HTTPS) on your browser.

The flaw exposes this information to potential theft by computer hackers and cybercriminals. What’s more, because exploiting it leaves no trace in a server’s normal logs, it is impossible after the fact to determine who may have gained unlawful access to the data.

Mark Nunnikhoven is the Ottawa-based vice president, Cloud & Emerging Technologies, at Trend Micro, a global leader in cloud security. He says that Heartbleed enables a hacker to grab random snippets of information from a server and assemble them like a puzzle.

“It allows an attacker to trick the server into sending him information which he can put together to produce a full picture of everything happening on that server.”

While the existence of Heartbleed only recently became public, the researchers who discovered it say the flaw has been around for about two years. A patched version of OpenSSL is now available to repair the problem and software companies are updating their code and informing users of the fix.

Nunnikhoven recommends that consumers visit the websites of any companies they deal with to see whether the site was affected by Heartbleed and, if so, how they’re handling the problem. This will also tell you how the organization handles confidential information, says Nunnikhoven. “Within 12 hours of Heartbleed becoming public knowledge, the CRA shut things down. As a taxpayer, I’m very happy they took that extreme measure because it shows how carefully they treat your information.”

On the other hand, if it takes a week for an organization to post a basic notice about Heartbleed, you might want to question them about it, he says.

If an affected website has resolved its vulnerability to Heartbleed, you should immediately change your password for the site and continue changing it every couple of months, says Nunnikhoven. However, he cautions against changing passwords before your vendors make the update. “Until then, you’re more vulnerable if you change a password because it will be in your server’s memory and a hacker could access it.”

It’s also essential to maintain strong password discipline, something most Canadians do very poorly. You should have a unique password for every website for which you have an account. No two passwords should be the same, and anything that can connect to money or critical data services like cloud backups should never share passwords.

Nunnikhoven recommends that you use a password manager, which lets you create a master password; software then creates a unique password for every site you use. You don’t need to know or remember your passwords, because they’re all stored and protected behind one very strong master password.

Trend Micro has warned that the Heartbleed bug also affects smartphones. “We published a post saying that mobile apps are just as vulnerable to the Heartbleed bug as websites because apps often connect to servers and web services to complete various functions,” says Nunnikhoven. “We found 7,000 apps that are affected by this vulnerability and we’re advising people to check the websites of the most common apps to find out whether they’ve addressed the problem and then change their passwords.”

Business owners who run their own systems need to ensure they’re using the latest version of OpenSSL, says Nunnikhoven. Those who don’t run their own systems should contact their service provider to make sure the issue has been resolved, he adds.

Handy online tools such as the one available at http://filippo.io/Heartbleed/ will verify whether a server has been fixed.
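For business owners checking their own systems, the first step Nunnikhoven describes, confirming the OpenSSL version in use, can be scripted. The following shell script is an added example written for this article; it is not code from Trend Micro, OpenSSL or the online checker mentioned above. It parses the output of `openssl version` and compares it against a minimum version that the administrator supplies (the `MIN_OK` placeholder; take the actual value from the OpenSSL security advisory for your platform). The version strings in the comments are constructed sample inputs, not a statement of which release fixed the bug.

```shell
#!/bin/sh
# Added example: check a local OpenSSL version string against a required minimum.

# Extract the version token (e.g. "1.0.1f") from a line such as
# "OpenSSL 1.0.1f 6 Jan 2014" (constructed sample of `openssl version` output).
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Compare two OpenSSL version strings of the form MAJOR.MINOR.PATCH[letter].
# Prints -1, 0 or 1 for a<b, a=b, a>b. The single-letter suffix is ordered
# alphabetically; a missing suffix sorts before "a" (1.0.1 < 1.0.1a).
openssl_version_cmp() {
    a="$1"; b="$2"
    a_num=$(printf '%s' "$a" | sed 's/[a-z]*$//')
    b_num=$(printf '%s' "$b" | sed 's/[a-z]*$//')
    a_let=$(printf '%s' "$a" | sed 's/^[0-9.]*//')
    b_let=$(printf '%s' "$b" | sed 's/^[0-9.]*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a_num" | cut -d. -f"$i")
        y=$(printf '%s' "$b_num" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    # Numeric parts are equal: decide on the letter suffix.
    if [ "$a_let" = "$b_let" ]; then printf '%s\n' 0; return; fi
    if [ -z "$a_let" ]; then printf '%s\n' -1; return; fi
    if [ -z "$b_let" ]; then printf '%s\n' 1; return; fi
    if [ "$(expr "$a_let" \< "$b_let")" = 1 ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
}

# Succeed (exit 0) when the version in a `openssl version` line is at least $2.
openssl_is_at_least() {
    ver=$(openssl_version_token "$1")
    [ "$(openssl_version_cmp "$ver" "$2")" -ge 0 ]
}

# Usage on a real host. MIN_OK is a placeholder: set it to the minimum release
# required by the OpenSSL advisory for your platform before running this.
# MIN_OK="1.0.1g"   # placeholder value, confirm against the advisory
# if openssl_is_at_least "$(openssl version)" "$MIN_OK"; then
#     echo "OpenSSL version meets the minimum"
# else
#     echo "OpenSSL is older than the minimum; update and restart services"
# fi
```

Two caveats a practitioner should keep in mind. Linux distributions often backport security fixes without changing the upstream version number, so on a packaged system a version string that looks old may already be patched; check the package manager’s changelog as well. And updating the library is not the end of the job: long-running services keep the old copy loaded until they are restarted, and because the flaw may have exposed private keys, administrators should reissue certificates and revoke the old ones before telling users to change their passwords, which is the sequence Nunnikhoven’s advice above depends on.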

Nunnikhoven says the Heartbleed crisis is a reminder of the important ongoing relationship that exists between small business owners and their service providers. “Often, after you set up a network in your office you forget about it. Heartbleed reminds us that you need to know how your IT people will respond if you need them.”

For more information about Heartbleed, visit http://heartbleed.com