
10 April 2014

What To Do Now That The Heartbleed Bug Exposed The Internet & The Security Bug That Affects Most Of The Internet, Explained 9&8APR14

HERE'S some common sense advice about our use of computers and the threat from the Heartbleed virus.
The Heartbleed bug has exposed up to two-thirds of the Internet to a security vulnerability.
iStockphoto
With a name like Heartbleed, it's no surprise it's bad. A vulnerability in OpenSSL — the Internet's most commonly used cryptographic library — , 64 kilobytes at a time, since March 2012.
"I would classify it as possibly the top bug that has hit the Internet that I've encountered, because of it being so widespread, because it's so hard to detect," says Andy Grant, a security analyst at iSEC Partners.
Are you affected? Well, users may not even realize they are using OpenSSL. But if you've ever noticed that websites you access show an "https" address, and a lock appears next to the address, you're on OpenSSL.
OpenSSL encrypts your data, including passwords and personal information, when it travels to a server. That means you may enter a password into your online banking site, but as the information for your transaction travels to your bank, it's jumbled up and made indecipherable — encrypted — as it's traveling through the Internet. This is supposed to keep hackers from eavesdropping.
Just before the bug was publicly disclosed, the people who maintain OpenSSL had fixed the vulnerability. But it's up to Internet companies to enter fixes for their own software — "swapping out" the cyberlocks that protected their data.
"You're probably protected from this point going forward," NPR's news applications developer Jeremy Bowers told member station WUNC on Wednesday. "The part that is dangerous is the [open vulnerability of the] previous two years and the possibility that at any point since 2012 that your [logins] for various places were compromised."
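The article says the bug let an attacker pull server memory 64 kilobytes at a time; the C model below, added for this page and not NPR's text or OpenSSL's code, shows the kind of missing check behind that: the heartbeat handler copied a peer-supplied payload length without confirming that many bytes had actually been received (the 16-bit length field is what bounds each leak at 64 KB). The record layout follows the TLS heartbeat format; the buffer sizes, the "hello" payload and the secret string are constructed for the demo.

```c
/* Simplified model of the OpenSSL heartbeat over-read behind Heartbleed; added
 * for this page, not NPR's text or OpenSSL's code. A heartbeat record is
 * type(1) | payload_length(2, big-endian) | payload | padding(16+). OpenSSL
 * copied payload_length bytes into the reply without checking they had arrived. */
#include <stdint.h>
#include <string.h>
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Build the reply to a received record of rec_len bytes; returns the reply length
 * or -1 if dropped. bounds_check=1 applies the fix, 0 reproduces the bug. */
static int heartbeat_reply(const uint8_t *rec, size_t rec_len,
                           uint8_t *reply, size_t cap, int bounds_check)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled */
    size_t need = 3 + claimed + HB_PADDING;
    /* The fix: the claimed payload must fit inside the bytes actually received. */
    if (bounds_check && need > rec_len) return -1;
    if (need > cap) return -1;                  /* keeps this demo's reply buffer safe */
    reply[0] = HB_RESPONSE; reply[1] = rec[1]; reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, claimed);        /* bug: trusts 'claimed' and over-reads */
    memset(reply + 3 + claimed, 0, HB_PADDING); /* real code used random padding */
    return (int)need;
}

/* Constructed scenario: a request claiming 128 payload bytes but carrying only
 * "hello" plus padding; later bytes in the same buffer stand in for adjacent memory. */
static const char SECRET[] = "CONSTRUCTED-SECRET-KEY-MATERIAL";

static int demo_reply_len(int bounds_check, uint8_t *reply, size_t cap)
{
    uint8_t memory[256]; memset(memory, 'A', sizeof memory);
    size_t sent = 0;
    memory[sent++] = HB_REQUEST;
    memory[sent++] = 0x00; memory[sent++] = 0x80;  /* claims 128 bytes */
    memcpy(memory + sent, "hello", 5); sent += 5;  /* only 5 bytes really sent */
    memset(memory + sent, 0, HB_PADDING); sent += HB_PADDING;
    memcpy(memory + 40, SECRET, sizeof SECRET);   /* "adjacent" memory */
    return heartbeat_reply(memory, sent, reply, cap, bounds_check);
}

/* 1 if the reply produced in the given mode contains the secret, else 0. */
static int demo_leaks_secret(int bounds_check)
{
    uint8_t reply[256];
    int n = demo_reply_len(bounds_check, reply, sizeof reply);
    for (size_t i = 0, m = strlen(SECRET); n > 0 && i + m <= (size_t)n; i++)
        if (memcmp(reply + i, SECRET, m) == 0) return 1;
    return 0;
}
```

With the check in place the malformed request is simply discarded; without it the reply carries back bytes the peer never sent.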
While individual users can't patch the holes, keep in mind some general Internet hygiene that we should be doing anyway.
  • Change your password every few months. Because so many of our transactions are conducted online, this is a good practice to have no matter what. But to be extra safe, use , which typically means you need to know a piece of information — like a password — and have a piece of information, like a freshly generated pass code that shows up only on your personal smartphone, before getting into certain sites.
  • Be a little leery of public Wi-Fi networks. If you are hopping on the Wi-Fi at Starbucks and other public places, limit your Internet behavior to the things you wouldn't mind people being able to find out and transactions that aren't especially sensitive.
  • If you have VPN, use it. If your company or school offers a virtual private network, or VPN, connect that way. It's still fairly safe.
  • Don't freak out. Sites like Amazon, Google and other major Internet companies have already secured themselves and fixed the vulnerabilities disclosed this week.
  • Test to see which sites are vulnerable. that will tell you what kind of encryption a site uses, and when the encryption was last updated. have built a Web app that will test whether a site is still vulnerable to the Heartbleed bug. And Bluebox Security, a mobile security company, that will scan your Android phone to test whether it uses vulnerable versions of OpenSSL, either in its operating system or in any of your apps.

The Security Bug That Affects Most Of The Internet, Explained

A screen grab from a Heartbleed test Tuesday morning showed Yahoo was vulnerable. The company has since fixed the vulnerability.
filippo.io/Heartbleed screengrab

Editor's Note: A very serious bug with a scary name, , . The bug affects OpenSSL, a popular cryptographic library that is used to secure a huge chunk of the Internet's traffic. Even if you have never heard of OpenSSL, chances are, it's helped secure your data in some way. So I asked one of our trusted developers, and a nut for net security, Jeremy Bowers, to explain why Heartbleed's such a concern. — Elise Hu

What's the problem?

You trust your banking or Web mail sites to protect your communications when you see the little lock icon in your Web browser. This is why you're OK with typing passwords into Hotmail or your credit card numbers into Amazon.
A popular piece of software called OpenSSL is used by Internet companies to provide this kind of security. On March 14, 2012, someone introduced a bug that would allow an attacker to get the "crown jewels," the encryption keys used to protect your communications directly from the companies themselves.
With those keys, an attacker could eavesdrop on your communications with that company and/or impersonate that company, making it possible for them to harvest things like credit card numbers or passwords with relative ease.
This isn't just a theoretical attack. Security researchers and passwords on local networks this morning. As of 2 p.m. ET Tuesday, Yahoo's servers were still vulnerable, . But by 3 p.m. ET, Yahoo told CNET it fixed the primary vulnerability on its main sites. Yahoo said:
"As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."
Yahoo didn't immediately offer advice to users about what they should do or what the effect on them is.

Why is this so devastating?

It's devastating for several reasons.
First, OpenSSL is used very broadly, from big companies like Yahoo to small companies and mom-and-pop shops with shopping carts provided by a vendor. And it's hard for you to tell who's affected or when they've fixed it because companies don't broadcast which versions of OpenSSL they're running to people like you and me.
Second, in order to fix the bug and guarantee secure communications with you, each company has to update OpenSSL on every Internet-facing computer that they own. Worse, they also ought to revoke their SSL certificates — the "crown jewels" mentioned above — and generate new ones, based on the assumption that they could have been stolen at any point since March of 2012. This process could take a company days or even weeks to do.
Finally, since the bug in OpenSSL has existed since March 14, 2012, there are more than two years of your communications that could have been intercepted by an attacker. Anything you've done — shopping at online stores, logging into your bank or your Web mail — could possibly have been compromised in the past. Because of the nature of the attack, you wouldn't know anything about it.

What can I do about it?

Sadly, you're at the mercy of the individual Internet companies to get their software patched and their SSL keys revoked and regenerated. Once you feel certain this has been done at a particular company, you really ought to change your password, since this could easily have been fished out of your communications at any point in the last two years.
Additionally, it would be best to avoid things like shared Wi-Fi networks whenever possible as well, since attackers have their best access to your communications when you're sharing a network with them.
But generally, the burden is on Internet companies and not you. That's what makes this so frustrating.
Jeremy Bowers is a software developer on NPR's Visuals team. Reach him or on .
http://www.npr.org/blogs/alltechconsidered/2014/04/09/301006236/what-to-do-now-that-the-heartbleed-bug-exposed-the-internet

http://www.npr.org/blogs/alltechconsidered/2014/04/08/300602785/the-security-bug-that-affects-most-of-the-internet-explained
