Massive Internet Security Vulnerability. You Are At Risk. What You Need To Do.

Apr 10 2014, 4:32pm CDT | by

Several days ago, after researchers reported a severe Internet security vulnerability, near hysteric articles began to appear in the press – some even recommending that people change all of their Internet passwords or stay off the Internet altogether. “Facts” were reported incorrectly, and bad ideas have appeared as recommendations; someone following the advice to change all of his passwords might actually put himself at more risk than he was before.

So here’s what you need to know, and what you should – and should not – do:

What happened?

Several days ago, researchers reported a severe vulnerability in OpenSSL – a popular version of the standard SSL technology used by websites to secure web connections for online banking, credit card payments, and other sensitive activities. When you type HTTPS into a web browser (instead of HTTP), or when you otherwise visit a web page that presents a “lock icon” in the browser, you are causing your browser to use SSL to encrypt communications between yourself (the web user) and the web server with which you are communicating. SSL is also used by various mobile apps, and for securing web-based remote access.

At a high level, the programming error that was discovered in OpenSSL means that anyone equipped with the right knowledge and tools – including technologically sophisticated hackers and criminals – could read encrypted data from the memory of web servers running vulnerable versions of OpenSSL; any data that was transmitted securely – including passwords and credit card numbers – was potentially readable by criminals once it reached the server.

It is estimated that half-a-million sites that were using OpenSSL to ensure the security of data were, in fact, quite insecure.

This is a serious vulnerability. Some might argue that it is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.

How is the problem being addressed?

Even before the vulnerability, now nicknamed HeartBleed, was announced to the public, a “patch” – that is, an update for OpenSSL – was prepared to fix this vulnerability. Responsible organizations that are running OpenSSL have already applied the patch, and their servers are no longer vulnerable.

Impacted organizations are also invalidating and replacing their SSL certificates – the part of the SSL technology that identifies organizations and allows them to encrypt communications – in case the “keys” to those certificates were compromised. This will help ensure that criminals cannot use the certificates to produce phishing sites that appear to browsers to be legitimate.

So why is there still a problem?

There are several issues – and they are not minor:

1. Some parties may not have updated their servers, and may remain vulnerable.

2. The vulnerability has been widespread for over two years. Criminals may have been aware of it, and exploited it, prior to its discovery by researchers and the subsequent issuance of the patch. It is possible, therefore, that criminals may have been reading passwords, credit card numbers, and the like for quite some time.

3. As alluded to above, SSL technology uses a secret “private key” (think of it as a very long password used to “sign” that the party doing the SSL encryption is actually who it claims to be) to prevent criminals from impersonating legitimate businesses online. Criminals accessing memory may have stolen SSL private keys – so they may be able to impersonate legitimate parties online without producing browser warnings. Replacing hundreds of thousands of certificates takes time – so this vulnerability will not disappear immediately. (Interestingly, one of the reasons that I, along with several other people, created Green Armor’s anti-phishing technology nearly a decade ago was to address this type of situation.)
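The three problems above translate into two checks an administrator would run over a server inventory: is the host still on a release that shipped the bug, and was its certificate issued before the disclosure (so the private key may have been read out of memory and the certificate should be reissued)? The following is an added, defender-side example, not code from the article or from the OpenSSL project. It assumes the affected upstream range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g), the 7 April 2014 public disclosure date, and a constructed inventory with hypothetical hostnames; it uses only the Python standard library.

```python
"""Post-Heartbleed triage over a server inventory (added example).

Two defender-side checks per host:
  1. does the OpenSSL version banner fall inside the affected release range?
  2. was the served certificate issued before public disclosure, so that its
     private key may have been read out of memory and it should be reissued?
Only the standard library is used.
"""
import re
import ssl

# Affected upstream releases: 1.0.1 through 1.0.1f (fixed in 1.0.1g), plus
# 1.0.2-beta1.  The 0.9.8 and 1.0.0 branches never contained the bug.
FIRST_AFFECTED = (1, 0, 1, "")
FIRST_FIXED = (1, 0, 1, "g")

# Public disclosure was 7 April 2014; a certificate issued on an affected
# host before that date should be treated as possibly compromised.
DISCLOSURE_TS = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")

# Outcomes reported for each inventory row.
ACTION_UNKNOWN = "OpenSSL version not recognised: verify the build by hand"
ACTION_PATCH = "version in affected range: patch (or confirm a vendor backport), then reissue the certificate"
ACTION_REISSUE = "patched, but certificate predates disclosure: reissue the certificate with a new key"
ACTION_OK = "patched and certificate issued after disclosure"
ACTION_NONE = "never ran an affected release: no Heartbleed action needed"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e', '') or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, beta or "")


def version_status(banner):
    """Classify a banner as 'never-affected', 'affected', 'fixed' or None.

    Caveat: distributions often backport the fix without changing the version
    (a patched Debian build still reports 1.0.1e), so 'affected' means
    'affected unless the vendor changelog says otherwise', never a verdict.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 2) and beta:
        # 1.0.2-beta1 shipped the bug; beta2 and later did not.
        return "affected" if beta == "-beta1" else "fixed"
    release = (major, minor, fix, letter)
    if release < FIRST_AFFECTED:
        return "never-affected"
    if release < FIRST_FIXED:
        return "affected"
    return "fixed"


def cert_predates_disclosure(cert):
    """cert is a dict in the shape ssl.SSLSocket.getpeercert() returns."""
    not_before = cert.get("notBefore")
    if not_before is None:
        return None
    return ssl.cert_time_to_seconds(not_before) < DISCLOSURE_TS


def triage_host(hostname, banner, cert):
    """Combine both checks into one recommended action for the host."""
    status = version_status(banner)
    if status is None:
        return (hostname, ACTION_UNKNOWN)
    if status == "affected":
        return (hostname, ACTION_PATCH)
    if status == "never-affected":
        return (hostname, ACTION_NONE)
    if cert_predates_disclosure(cert):
        return (hostname, ACTION_REISSUE)
    return (hostname, ACTION_OK)


# Constructed sample inventory (hostnames are hypothetical). In practice the
# banner comes from `openssl version` on the host and the cert dict from
# ssl.create_default_context().wrap_socket(...).getpeercert().
SAMPLE_INVENTORY = [
    ("www.example.test", "OpenSSL 1.0.1e 11 Feb 2013", {"notBefore": "Mar  1 00:00:00 2014 GMT"}),
    ("mail.example.test", "OpenSSL 1.0.1g 7 Apr 2014", {"notBefore": "Mar  1 00:00:00 2014 GMT"}),
    ("api.example.test", "OpenSSL 1.0.1g 7 Apr 2014", {"notBefore": "Apr  9 00:00:00 2014 GMT"}),
    ("legacy.example.test", "OpenSSL 0.9.8y 5 Feb 2013", {"notBefore": "Jan 10 00:00:00 2013 GMT"}),
]


def triage_inventory(inventory):
    """Run triage_host over every (hostname, banner, cert) row."""
    return [triage_host(*row) for row in inventory]


if __name__ == "__main__":
    for hostname, action in triage_inventory(SAMPLE_INVENTORY):
        print(f"{hostname:22} {action}")
```

The version check is a triage aid, not a verdict: vendor builds that backported the fix keep the old version string, so an "affected" row means "patch, or prove via the package changelog that the backport is installed". The certificate rule deliberately treats any certificate issued before disclosure on a host that ran the vulnerable code as compromised, because there is no way to tell from the server side whether the key was read out before the patch landed.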

What advice in the media should you ignore?

Several pieces in the media recommend that people not bank online until the dust settles. Besides the fact that many banks don’t use OpenSSL and were never vulnerable to begin with, regressing to banking-in-person is just not going to happen. And how is not banking online going to help for Facebook and other sites that use HTTPS but are not banks? Impractical security advice is a recipe for security breaches.

Others have recommended that people use vulnerability scanners to check all sensitive sites before using them. Is the average person really going to run a vulnerability scanner before banking online from his cellphone?

Some articles recommended that people change all of their passwords. That is a terrible idea for several reasons.

1. When people create many new passwords at one time they are likely to write them down (bad idea), store them in a computer (which, unless they are properly encrypted and the device secured, is also a bad idea), or use passwords similar to one another on multiple sensitive sites (bad idea).

2. Since criminals now know about the vulnerability they are certainly scanning for it and seeking to exploit it. If a site has not yet applied the patch and someone changes her password on that site – criminals may obtain her new password. Considering that it is unclear whether any crooks actually exploited the OpenSSL vulnerability in the past, and, therefore, your existing password might still be secure (as long as you don’t use it now on a vulnerable system), the risk of changing your password in this case may outweigh the benefits.

3. If someone changes her password on a site that is still vulnerable and uses similar passwords on secure sites, she may actually put herself at risk of having her account at the secure sites breached!

So what should I do?

Before performing sensitive tasks over HTTPS:

Check a reputable list of websites that do not run OpenSSL. Mashable published such a list – and many major banks are on it. If a site did not run OpenSSL on any of its equipment in the last few years it was not vulnerable to the current bug. Of course, if you use the same password on a site that was/is vulnerable as you do on a site that is not vulnerable you should change it on the non-vulnerable site ASAP.

If you check the list and find that a site was indeed running OpenSSL – check if the site was patched. Most (if not all) major sites did patch. In that case, it is probably a good idea to change your password on that site ASAP. Be careful, however, not to weaken the strength of your passwords just because you have to update several at the same time, and do not reuse passwords that you use on sensitive sites. Don’t let HeartBleed cause you to create new password risks.

If you find some site that was vulnerable and for some reason has not confirmed that it has patched (and, hopefully, there should not be too many like that) – I would wait to change my password, and, if possible, either check the site myself using one of the reliable tools to do so (e.g., http://filippo.io/Heartbleed/ ) or refrain from using the site until I could confirm that a patch has been applied. As described above, changing your password before the patch is applied could actually worsen the situation.

Be wary of phishing attacks – type in the URL of any sensitive site to which you are going. Do not click links to get there. While I have, in the past, demonstrated methods of using various exploits to impersonate sites that use SSL, those hacks required much more effort than doing so would take for someone who stole a certificate and key. Until all possibly-pilfered SSL certificates are replaced as described above, the potential for real-looking phishing sites is enormous. So be wary.

Hopefully, browser vendors will also add code to warn users accessing sites running vulnerable versions of OpenSSL – so, make sure to keep your browser up to date.

Of course, the above reflects my opinion, and others may feel free to disagree.

Want to be notified of great articles that can benefit you? Follow me on Twitter at @JosephSteinberg