Massive Internet Security Vulnerability. You Are At Risk. What You Need To Do.

Apr 10 2014, 4:32pm CDT

Several days ago, after researchers reported a severe Internet security vulnerability, near-hysterical articles began to appear in the press, some even recommending that people change all of their Internet passwords or stay off the Internet altogether. “Facts” were reported incorrectly, and bad ideas have appeared as recommendations; someone following the advice to change all of his passwords might actually put himself at more risk than he was before.

So here’s what you need to know, and what you should – and should not – do:

What happened?

Several days ago, researchers reported a severe vulnerability in OpenSSL, a widely used open-source implementation of SSL/TLS, the standard technology websites use to secure connections for online banking, credit card payments, and other sensitive activities. When you type HTTPS into a web browser (instead of HTTP), or otherwise visit a web page that presents a “lock icon” in the browser, your browser uses SSL/TLS to encrypt communications between you (the web user) and the web server you are communicating with. SSL/TLS is also used by various mobile apps, and for securing web-based remote access.

At a high level, the programming error that was discovered in OpenSSL (a missing length check in its handling of the TLS “heartbeat” extension) means that anyone equipped with the right knowledge and tools – including technologically sophisticated hackers and criminals – could read chunks of the memory of servers running vulnerable versions of OpenSSL, roughly 64 kilobytes per request and repeatable as often as the attacker likes, without authenticating and, by default, without leaving anything in the server’s logs. Data that was transmitted securely – including passwords and credit card numbers – is decrypted by the server on arrival and sits in exactly that memory, so it was potentially readable by criminals once it reached the server. The same bug exists in vulnerable clients, so an application built on an affected version of OpenSSL can likewise be read from by a malicious server it connects to.
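To make the “missing length check” concrete, here is a toy C model of that error. It is an added example, not code from this article or from OpenSSL itself: the record layout (type byte, two-byte payload length, payload, at least 16 bytes of padding) follows the TLS heartbeat extension, but the memory arena, the secret string and the request contents are constructed for the demonstration, and the fix is shown as the two length checks the real patch added in spirit rather than verbatim.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the error behind Heartbleed (CVE-2014-0160); not OpenSSL's code.
 * A heartbeat record is  type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * and the bug was trusting payload_length from the peer instead of checking it
 * against the length of the record that was actually received. */

#define ARENA_SIZE  256
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING     16
#define HDR         3   /* type byte + 2-byte payload_length */

/* Constructed "process memory": the received record sits at the start of the
 * arena and a secret from another session sits right after it. Keeping both in
 * one array keeps the over-read inside the array (well-defined C); on a real
 * server the adjacent bytes are whatever the heap happened to hold. */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "password=hunter2";

/* Place a heartbeat request in the arena. claimed_len is what the peer writes in
 * the length field; the real payload may be far shorter. Returns the record
 * length as the TLS record layer would report it. */
static size_t build_record(uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    size_t rec_len = HDR + actual + PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HDR, payload, actual);
    memcpy(arena + rec_len, secret, sizeof secret);   /* adjacent secret */
    return rec_len;
}

/* Build the reply the way a vulnerable server did; with patched != 0 the two
 * checks the fix added are applied before the copy. Returns 0 when dropped. */
size_t heartbeat_reply(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap, int patched)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (patched) {
        if (rec_len < HDR + PADDING)
            return 0;   /* too short to be a heartbeat at all */
        if ((size_t)HDR + payload_len + PADDING > rec_len)
            return 0;   /* claimed payload does not fit the record: discard it */
    }
    if ((size_t)HDR + payload_len + PADDING > out_cap)
        return 0;       /* the only bound the vulnerable code had: reply buffer size */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HDR, rec + HDR, payload_len);   /* unpatched: reads past the record */
    memset(out + HDR + payload_len, 0, PADDING);
    return HDR + payload_len + PADDING;
}

/* Byte search: the reply may contain NULs, so strstr is not usable. */
static int contains_secret(const uint8_t *buf, size_t n)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Serve a request whose payload is "hi" but whose length field claims
 * `claimed`; returns the reply length (0 = dropped). */
size_t reply_length(uint16_t claimed, int patched)
{
    uint8_t reply[ARENA_SIZE];
    return heartbeat_reply(arena, build_record(claimed, "hi"), reply, sizeof reply, patched);
}

/* Same request; 1 if the reply carries the neighbouring secret. */
int reply_leaks_secret(uint16_t claimed, int patched)
{
    uint8_t reply[ARENA_SIZE];
    size_t n = heartbeat_reply(arena, build_record(claimed, "hi"), reply, sizeof reply, patched);
    return n > 0 && contains_secret(reply, n);
}

int main(void)
{
    printf("unpatched, length field 64: reply %zu bytes, leaks secret: %d\n",
           reply_length(64, 0), reply_leaks_secret(64, 0));
    printf("patched,   length field 64: reply %zu bytes, leaks secret: %d\n",
           reply_length(64, 1), reply_leaks_secret(64, 1));
    printf("patched,   honest length 2: reply %zu bytes, leaks secret: %d\n",
           reply_length(2, 1), reply_leaks_secret(2, 1));
    return 0;
}
```

The point to take from the model is how small the defect is: the unpatched path already bounds the copy against its own reply buffer, which is why the code looked safe, but nothing ties the attacker-supplied length to the size of the record that actually arrived. The honest request is answered identically by both paths, which is why the bug went unnoticed in normal operation.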

It is estimated that half-a-million sites that were using OpenSSL to ensure the security of data were, in fact, quite insecure.

This is a serious vulnerability. Some might argue that it is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.

How is the problem being addressed?

Even before the vulnerability, now nicknamed Heartbleed, was announced to the public, a “patch” – that is, an update for OpenSSL – was prepared to fix it (OpenSSL 1.0.1g; the 1.0.1 through 1.0.1f releases were affected). Responsible organizations that are running OpenSSL have already applied the patch, and their servers are no longer vulnerable. Two practical points for anyone doing the patching: installing the updated library is not enough by itself, because every process that loaded the old library keeps running the vulnerable code until it is restarted; and some operating-system vendors shipped the fix as a backported change without altering the reported version number, so the version string alone neither proves nor disproves that a server is patched.

Impacted organizations are also revoking and replacing their SSL certificates – the part of the SSL technology that identifies an organization and lets browsers set up an encrypted session with it – in case the private “keys” behind those certificates were stolen from memory. Two caveats matter here. First, replacing the certificate only helps if a new private key is generated at the same time; re-issuing a certificate for the same key that may have leaked accomplishes nothing. Second, browsers do not reliably check whether a certificate has been revoked, so a stolen key remains usable for impersonation until the certificate expires or browsers learn of the revocation by other means; generating new keys therefore matters more than revoking old certificates. Done properly, this helps ensure that criminals cannot use a stolen key to produce phishing sites that appear to browsers to be legitimate.

So why is there still a problem?

There are several issues – and they are not minor:

1. Some parties may not have updated their servers, and may remain vulnerable.

2. The vulnerability has been present for over two years: it was introduced in OpenSSL 1.0.1, released in March 2012. Criminals may have been aware of it, and exploited it, prior to its discovery by researchers and the subsequent issuance of the patch. It is possible, therefore, that criminals may have been reading passwords, credit card numbers, and the like for quite some time, and because a Heartbleed request looks like ordinary encrypted traffic and leaves no trace in ordinary server logs, a site generally cannot tell after the fact whether it was attacked.

3. As alluded to above, SSL technology uses a secret “private key” (think of it as a very long password that the server uses to prove it is the party named in its certificate) to prevent criminals from impersonating legitimate businesses online. Criminals reading server memory may have stolen SSL private keys – so they may be able to impersonate legitimate parties online without producing browser warnings. A stolen private key has a second consequence: unless the server used cipher suites with “forward secrecy,” anyone who recorded its encrypted traffic in the past can now decrypt those recordings. Replacing hundreds of thousands of certificates (and the keys behind them) takes time – so this vulnerability will not disappear immediately. (Interestingly, one of the reasons that I, along with several other people, created Green Armor ’s anti-phishing technology nearly a decade ago was to address this type of situation.)

What advice in the media should you ignore?

Several pieces in the media recommend that people not bank online until the dust settles. Besides the fact that many banks don’t use OpenSSL and were never vulnerable to begin with, regressing to banking in person is just not going to happen. And how is not banking online going to help for Facebook and other sites that use HTTPS but are not banks? Impractical security advice is a recipe for security breaches.

Others have recommended that people use vulnerability scanners to check all sensitive sites before using them. Is the average person really going to run a vulnerability scanner before banking online from his cellphone?

Some articles recommended that people change all of their passwords. That is a terrible idea for several reasons.

1. When people create many new passwords at one time they are likely to write them down (bad idea), store them in a computer (which, unless they are properly encrypted and the device secured is also a bad idea), or use passwords similar to one another on multiple sensitive sites (bad idea).

2. Since criminals now know about the vulnerability they are certainly scanning for it and seeking to exploit it. If a site has not yet applied the patch and someone changes her password on that site, criminals may obtain her new password. Considering that it is unclear whether any crooks actually exploited the OpenSSL vulnerability in the past, and that your existing password might therefore still be secure (as long as you don’t use it now on a vulnerable system), the risk of changing your password in this case may outweigh the benefits.

3. If someone changes her password on a site that is still vulnerable and uses similar passwords on secure sites, she may actually put herself at risk of having her account at the secure sites breached!

So what should I do?

Before performing sensitive tasks over HTTPS:

Check a reputable list of websites that do not run OpenSSL. Mashable published such a list, and many major banks are on it. If a site did not run OpenSSL on any of its equipment at any time in the last two years (the bug has been present since OpenSSL 1.0.1 was released in March 2012), it was not vulnerable to the current bug. Of course, if you use the same password on a site that was or is vulnerable as you do on a site that is not vulnerable, you should change it on the non-vulnerable site ASAP.

If you check the list and find that a site was indeed running OpenSSL, check whether the site was patched. Most (if not all) major sites did patch. In that case, it is probably a good idea to change your password on that site ASAP, and to log out and back in, since a session cookie sitting in server memory could have been read just as easily as a password. Ideally, wait until the site also says it has replaced its certificate and private key: a patched server whose key was stolen earlier can still be impersonated by a well-positioned attacker, who would then capture your new password. Be careful, however, not to weaken the strength of your passwords just because you have to update several at the same time, and do not reuse passwords that you use on sensitive sites. Don’t let Heartbleed cause you to create new password risks.

If you find a site that was vulnerable and for some reason has not confirmed that it has patched (and, hopefully, there should not be too many like that), I would wait to change my password, and, if possible, either check the site myself using one of the reliable tools to do so (e.g., http://filippo.io/Heartbleed/ ) or refrain from using the site until I could confirm that a patch has been applied. Keep in mind what such a tool actually does: it sends the server a heartbeat with an oversized length field and reports whether extra memory comes back. A “not vulnerable” result therefore means the server is not leaking memory now; it says nothing about whether it leaked last week, or whether its keys have been replaced since. As described above, changing your password before the patch is applied could actually worsen the situation.

Be wary of phishing attacks – type in the URL of any sensitive site to which you are going. Do not click links to get there. While I have, in the past, demonstrated methods of using various exploits to impersonate sites that use SSL, those hacks required much more effort than doing so would take for someone who stole a certificate and key. Until all possibly-pilfered SSL certificates are replaced as described above, the potential for real-looking phishing sites is enormous. So be wary.

Hopefully, browser vendors will also add code to warn users accessing sites running vulnerable versions of OpenSSL – so, make sure to keep your browser up to date.

Of course, the above reflects my opinion, and others may feel free to disagree.

Want to be notified of great articles that can benefit you? Follow me on Twitter at @JosephSteinberg

 
Update
10

6 weeks ago

RM47mil KWSG contributions still unclaimed

Jun 9 2014 7:54am CDT | Source: Business Times Malaysia

Cambodia's Famous Battambang Circus
KUALA LUMPUR: About RM47 million of contributions in the Teachers Provident Fund (KWSG) still remain unclaimed, the Dewan Rakyat was told ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 
Update
9

6 weeks ago

Gold shop lost almost RM1mil

Jun 9 2014 3:50am CDT | Source: Business Times Malaysia

Newcastle United Training Session
KANGAR: A gold shop owner lost almost RM1 million after after the safe on in his shop was broken int ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 
Update
8

6 weeks ago

Motion to debate MAS losses in Dewan Rakyat rejected

Jun 9 2014 3:39am CDT | Source: Business Times Malaysia

Federal Aviation Administration Bans All US Flights To Israel
KUALA LUMPUR: AN emergency motion to debate the losses incurred by Malaysia Airlines last year, amounting to RM1.2 billion was rejected ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 
Update
7

6 weeks ago

MH370 Tragedy: Hisham: RM27.6 mil spent on 1st phase of SAR

Jun 9 2014 2:11am CDT | Source: Business Times Malaysia

KUALA LUMPUR: Malaysia spent some RM27.6 million in its first phase of the search operations for missing Malaysia Airline flight MH370, said Acting Transport Minister, Datuk Seri Hishammud ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 
Update
6

6 weeks ago

9.1m litres of diesel seized in a month

Jun 8 2014 1:11am CDT | Source: Business Times Malaysia

INDIA-CHINA-DIPLOMACY-TRADE
PUTRAJAYA: The Domestic Trade, Cooperatives, and Consumerism ministry has seized some 9.1 million litres of diesel and property worth RM58 million since mounting ‘Operasi Diesel Selatan’ in the southern states la ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 
Update
5

6 weeks ago

Girl, 9, awarded RM2.78m compensation for medical negligence

Jun 6 2014 4:56am CDT | Source: Business Times Malaysia

Government Weekly Cabinet Meeting
KUALA LUMPUR: A nine-year-old girl who suffered brain damage during her birth at a government hospital was awarded over RM2.78 million in compensatio ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 
Update
4

6 weeks ago

Malaysia's total trade in April up 12pc

Jun 5 2014 11:52pm CDT | Source: Business Times Malaysia

KUALA LUMPUR: Malaysia's total trade in April 2014 rose by 12 per cent from a year ago to RM123.86 billion due to growing trading activities, International Trade and Industry Minister Datuk Seri Mustapa Mohamed sa ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 
Update
3

7 weeks ago

Works Ministry to spend RM20m for upgrading works at 50 accident black spots

Jun 4 2014 11:35pm CDT | Source: Business Times Malaysia

Iskandar Johor Open - Previews
JOHOR BARU: The Works Ministry will implement upgrading works at 50 accident prone locations in the country that have been identified this year involving an allocation of RM20 mi ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 
Update
2

7 weeks ago

Najib launches loan scheme for Ramadan traders

Jun 4 2014 10:24pm CDT | Source: Business Times Malaysia

EurAsia Cup presented by DRB-HICOM - Day One
PUTRAJAYA: Prime Minister Datuk Seri Najib Razak today launches RM45 million Ramadan Bazaar Scheme ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 
Update
1

7 weeks ago

Residents bring up objection against Kidex to Suhakam

Jun 4 2014 4:49am CDT | Source: Business Times Malaysia

PETALING JAYA: A group of 20 Petaling Jaya residents held a meeting with the Human Rights Commission of Malaysia (Suhakam) over their objection against the proposed RM2.2 billion Kinrara Damansara Skyway (K ...
Source: Business Times Malaysia   Full article at: Business Times Malaysia
 

 

Don't miss ...

 

<a href="/latest_stories/all/all/30" rel="author">Forbes</a>
Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.

 

blog comments powered by Disqus

Latest stories

OPEC daily basket price closes lower
Vienna, July 24 (IANS) The basket of 12 crude oils of the Organization of Petroleum Exporting Countries (OPEC) stood at $105.30 a barrel Wednesday, against $105.74 Tuesday, according to the OPEC Secretariat.
 
 
Pakistan denies breaching Kashmir truce
Islamabad, July 24 (IANS) Pakistan Thursday denied New Delhi's allegations that its military was violating the ceasefire in Jammu and Kashmir in a bid to push militants into the Indian state.
 
 
Husband makes wife's 'sexual rejection' list
London, July 24 (IANS) Next time when you refuse sex to your husband, hide all papers first. A man has prepared a 'sexual rejection' spreadsheet - in three columns - jotting down excuses his wife made over a course of six weeks.
 
 
Algerian plane with 119 on board missing
Algiers, July 24 (IANS) An aircraft belonging to Algeria's national airline, Air Algerie, with 119 people on board, disappeared early Thursday, 50 minutes after takeoff from Ouagadougou Airport in Burkina Faso, media reported.
 
 
 

Latest from the Network

India women beat Canada 4-2 in CWG hockey
Glasgow, July 24 (IANS) The Indian women's hockey team beat Canada 4-2 in the opening match of the Commonwealth Games here Thursday. The match started in high momentum with both teams going on the attack immediately....
Read more on Sport Balla
 
Google, Apple And Facebook Are In The Clear. So Why The Angst?
When Google reported its earnings last week eMarketer ran an article that showed how Google along with Facebook accounted for over 72% of the increased ad spend in mobile in 2013, and that they were going to surpass...
Read more on Apple Balla
 
Why Are Stocks Still Rising? Is This A Bubble?
Investors often ask me, “why is the stock market still going up after five years?” They think it must mean ‘prosperity is ahead.’ Actually, it’s largely due to financial engineering: stock buybacks. It’s important to...
Read more on Apple Balla
 
CWG: Indian judoka Chana settles for silver
Glasgow, July 24 (IANS) Indian judoka Navjot Chana had to settle for the silver medal after he lost the final bout of the men's -60kg category to England's Ashley McKenzie in the 2014 Commonwealth Games at the Scottish...
Read more on Sport Balla
 
Ford Plans to Tap Africa, Middle East Market
Ford Motors has outlined an aggressive plan to accelerate the activities of its newest business unit, the Middle East and Africa. Leveraging its One Ford Global Portfolio, the company will launch at least 25 new...
Read more on Auto Balla
 
Shushila wins India's third medal at CWG
Glasgow, July 24 (IANS) Judoka Shushila Likmabam won India its third medal on the opening day of the 20th Commonwealth Games, settling for the silver in the final of the women's -48kg category here Thursday. Kimberley...
Read more on Sport Balla
 
WTF of the week: Apple could be ‘obsolete’ in 2-3 years
At some point in the future, Apple will no longer be the consumer technology giant it is today. It will become obsolete. Its products will no longer be trendy. Other companies will innovate and drive Apple out of...
Read more on Apple Balla
 
CWG: Weightlifters Sanjita wins gold, Mirabai silver for India
Glasgow, July 24 (IANS) India opened its medal count in CWG with Manipuri girls Sanjita Khumukcham and Mirabai Chanu Saikhom winning the gold and silver, respectively, in the women's 48kg category of weightlifting...
Read more on Sport Balla
 
Here’s yet another way the iPhone 6 is messing with Samsung
Samsung has already started making fun in a TV commercial of the unreleased iPhone 6, telling potential buyers that its Android handsets had bigger displays for quite a while in an obvious attempt to kill the iPhone 6...
Read more on Apple Balla
 
By The Numbers: How Many iPhone 6's Is Apple Planning To Sell
It has been well publicized from a Wall Street Journal article that Apple has asked its suppliers to build between 70 to 80 million iPhone 6’s by the end of the year vs. the 50 to 60 million that were planned for last...
Read more on Apple Balla