Massive Internet Security Vulnerability. You Are At Risk. What You Need To Do.

Apr 10 2014, 4:32pm CDT | by Joseph Steinberg


Several days ago, after researchers reported a severe Internet security vulnerability, near-hysterical articles began to appear in the press, some even recommending that people change all of their Internet passwords or stay off the Internet altogether. “Facts” were reported incorrectly, and bad ideas have appeared as recommendations; someone following the advice to change all of his passwords might actually put himself at more risk than he was before.

So here’s what you need to know, and what you should – and should not — do:

What happened?

Several days ago, researchers reported a severe vulnerability in OpenSSL, a widely used open-source implementation of SSL/TLS, the standard technology that websites use to secure web connections for online banking, credit card payments, and other sensitive activities. When you visit an https:// address (instead of http://), or otherwise visit a web page that presents a “lock icon” in the browser, your browser uses SSL/TLS to encrypt communications between you (the web user) and the web server with which you are communicating. The same technology is used by many mobile apps and by web-based remote-access products, and a great many of those are built on OpenSSL as well.

At a high level, the programming error that was discovered in OpenSSL is in the code that handles the TLS “heartbeat” extension: the server trusts a length field supplied by the other side and copies that many bytes out of its own memory back to the sender, without checking that the request actually contained that many bytes. Anyone equipped with the right knowledge and tools (including technologically sophisticated hackers and criminals) could therefore read up to roughly 64 KB of a vulnerable server’s memory per request, and repeat the request as often as they liked. Data that was encrypted in transit sits decrypted in that memory once it reaches the server, so passwords, credit card numbers, session cookies, and even the server’s own private key were potentially readable by criminals, and the requests leave no trace in ordinary web server logs.
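To make the programming error concrete, here is an added illustration in C, written for this page and not taken from OpenSSL’s source. It models the heartbeat handler over a constructed 256-byte “process memory” arena in which a three-byte heartbeat request is followed by a planted secret: the vulnerable handler copies as many bytes as the attacker’s length field claims without comparing that claim with the record’s real length, while the fixed handler rejects any request whose claimed length does not fit in the bytes received. The record layout (one type byte, two length bytes, payload, at least 16 bytes of padding) follows RFC 6520; the function names, the arena, and the secret string are this example’s own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request type (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response type */
#define HB_PADDING  16  /* minimum padding a heartbeat must carry */

/* Constructed "process memory": the 3-byte request the attacker sent, followed
 * by a secret the server decrypted on another connection (both invented here). */
static unsigned char arena[256];

/* Fills the arena; returns the number of bytes the attacker actually sent. */
size_t build_arena(void)
{
    const char *secret = "password=hunter2&card=4111111111111111";
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00;   /* claimed payload_length = 0x0040 = 64 bytes... */
    arena[2] = 0x40;
    memcpy(arena + 3, secret, strlen(secret));
    return 3;          /* ...but the record holds only these 3 bytes */
}

/* Shared by both handlers: build a response echoing `payload` bytes from src.
 * The out_cap check only keeps this demo's write in bounds; OpenSSL allocated a
 * buffer of exactly the claimed size, so the write was fine, the read was not. */
static long write_response(const unsigned char *src, uint16_t payload,
                           unsigned char *out, size_t out_cap)
{
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, src, payload);   /* over-reads whenever payload > bytes received - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Unfixed logic: the length comes from the attacker and rec_len is never used. */
long heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(rec + 3, payload, out, out_cap);
}

/* Fixed logic: the record must be long enough to be a heartbeat at all, and the
 * claimed payload (plus padding) must fit inside the bytes actually received. */
long heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the missing check */
    return write_response(rec + 3, payload, out, out_cap);
}

/* 1 if the vulnerable handler's response carries the planted secret. */
int demo_leaks_secret(void)
{
    unsigned char resp[256];
    long n = heartbeat_vulnerable(arena, build_arena(), resp, sizeof resp);
    if (n < 0) return 0;
    /* copied bytes are the secret followed by zeroed arena, so strstr is safe */
    return strstr((const char *)resp + 3, "hunter2") != NULL;
}

/* 1 if the fixed handler refuses the same malformed request. */
int demo_fixed_rejects(void)
{
    unsigned char resp[256];
    return heartbeat_fixed(arena, build_arena(), resp, sizeof resp) == -1;
}

/* A well-formed 5-byte "hello" heartbeat is still echoed after the fix;
 * returns the response length (3 + 5 + 16 = 24) or -1 on any mismatch. */
long demo_fixed_echoes(void)
{
    unsigned char rec[3 + 5 + HB_PADDING], resp[64];
    rec[0] = HB_REQUEST; rec[1] = 0x00; rec[2] = 0x05;
    memcpy(rec + 3, "hello", 5);
    memset(rec + 8, 0, HB_PADDING);
    long n = heartbeat_fixed(rec, sizeof rec, resp, sizeof resp);
    return (n == 3 + 5 + HB_PADDING && memcmp(resp + 3, "hello", 5) == 0) ? n : -1;
}

int main(void)
{
    printf("vulnerable handler leaked the secret: %s\n", demo_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejected the request:   %s\n", demo_fixed_rejects() ? "yes" : "no");
    printf("fixed handler echoed a valid request: %ld bytes\n", demo_fixed_echoes());
    return 0;
}
```

Compile it with any C compiler (for example `cc -Wall heartbleed_demo.c`). The only thing separating the two handlers is the comparison of the claimed length against the number of bytes received, and that single comparison is the substance of the fix OpenSSL shipped; a real attacker sends the malformed request repeatedly, harvesting a fresh slice of memory each time.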

It is estimated that half-a-million sites that were using OpenSSL to ensure the security of data were, in fact, quite insecure.

This is a serious vulnerability. Some might argue that it is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.

How is the problem being addressed?

Even before the vulnerability, now nicknamed Heartbleed (CVE-2014-0160), was announced to the public, a “patch” (an updated OpenSSL, version 1.0.1g) had been prepared to fix it; the bug is present in OpenSSL 1.0.1 through 1.0.1f, and the older 0.9.8 and 1.0.0 branches were never affected. Responsible organizations that are running OpenSSL have already applied the patch and restarted every service that loads the library, and their servers are no longer vulnerable to further reads. Patching, however, does nothing about whatever may already have been read from memory before the fix went in.

Impacted organizations are also revoking and replacing their SSL certificates, the part of the SSL technology that identifies organizations and lets browsers set up encrypted connections with them, in case the private “keys” behind those certificates were read from memory. The replacement only helps if the new certificate is issued for a newly generated key pair; reissuing a certificate for the same key leaves a thief with exactly what he had before. Replacing keys matters because a stolen key lets criminals impersonate the site in ways that appear legitimate to browsers (phishing sites with a valid lock icon) and, for connections that did not use forward-secret cipher suites, decrypt traffic they recorded earlier.

So why is there still a problem?

There are several issues – and they are not minor:

1. Some parties may not have updated their servers, and may remain vulnerable.

2. The vulnerability has been widespread for over two years. Criminals may have been aware of it, and exploited it, prior to its discovery by researchers and the subsequent issuance of the patch. It is possible, therefore, that criminals may have been reading passwords, credit card numbers, and the like for quite some time.

3. As alluded to above, SSL technology uses a secret “private key” (think of it as a very long password that the server uses to prove that it really is the party its certificate names) to prevent criminals from impersonating legitimate businesses online. Criminals reading server memory may have stolen SSL private keys, so they may be able to impersonate legitimate parties online without producing browser warnings. Replacing hundreds of thousands of certificates takes time, and because many browsers do not reliably check whether a certificate has been revoked, a stolen key can keep working for a while even after its owner has replaced it, so this vulnerability will not disappear immediately. (Interestingly, one of the reasons that I, along with several other people, created Green Armor’s anti-phishing technology nearly a decade ago was to address this type of situation.)

What advice in the media should you ignore?

Several pieces in the media recommend that people not bank online until the dust settles. Besides the fact that many banks don’t use OpenSSL and were never vulnerable to begin with, regressing to banking in person is just not going to happen. And how is not banking online going to help for Facebook and other sites that use HTTPS but are not banks? Impractical security advice is a recipe for security breaches.

Others have recommended that people use vulnerability scanners to check all sensitive sites before using them. Is the average person really going to run a vulnerability scanner before banking online from his cellphone?

Some articles recommended that people change all of their passwords. That is a terrible idea for several reasons.

1. When people create many new passwords at one time they are likely to write them down (bad idea), store them in a computer (which, unless they are properly encrypted and the device secured is also a bad idea), or use passwords similar to one another on multiple sensitive sites (bad idea).

2. Since criminals now know about the vulnerability, they are certainly scanning for it and seeking to exploit it. If a site has not yet applied the patch and someone changes her password on that site, criminals may obtain her new password. Considering that it is unclear whether any crooks actually exploited the OpenSSL vulnerability in the past, and that your existing password might therefore still be secure (as long as you don’t use it now on a vulnerable system), the risk of changing your password in this case may outweigh the benefits.

3. If someone changes her password on a site that is still vulnerable and uses similar passwords on secure sites, she may actually put herself at risk of having her account at the secure sites breached!

So what should I do?

Before performing sensitive tasks over HTTPS:

Check a reputable list of websites that do not run OpenSSL. Mashable published such a list, and many major banks are on it. If a site did not run OpenSSL on any of its equipment in the last few years, it was not vulnerable to the current bug; the same goes for sites that ran only the older 0.9.8 or 1.0.0 branches of OpenSSL, since the bug exists only in 1.0.1 through 1.0.1f. Of course, if you use the same password on a site that was/is vulnerable as you do on a site that is not vulnerable, you should change it on the non-vulnerable site ASAP.

If you check the list and find that a site was indeed running OpenSSL, check whether the site was patched. Most (if not all) major sites did patch. In that case, it is probably a good idea to change your password on that site ASAP. Be careful, however, not to weaken the strength of your passwords just because you have to update several at the same time, and do not reuse passwords that you use on sensitive sites. Don’t let Heartbleed cause you to create new password risks.

If you find some site that was vulnerable and for some reason has not confirmed that it has patched (and, hopefully, there should not be too many like that) – I would wait to change my password, and, if possible, either check the site myself using one of the reliable tools to do so (e.g., http://filippo.io/Heartbleed/ ) or refrain from using the site until I could confirm that a patch has been applied. As described above, changing your password before the patch is applied could actually worsen the situation.

Be wary of phishing attacks – type in the URL of any sensitive site to which you are going. Do not click links to get there. While I have, in the past, demonstrated methods of using various exploits to impersonate sites that use SSL, those hacks required much more effort than doing so would take for someone who stole a certificate and key. Until all possibly-pilfered SSL certificates are replaced as described above, the potential for real-looking phishing sites is enormous. So be wary.

Hopefully, browser vendors will also add code to warn users accessing sites running vulnerable versions of OpenSSL – so, make sure to keep your browser up to date.

Of course, the above reflects my opinion, and others may feel free to disagree.

Want to be notified of great articles that can benefit you? Follow me on Twitter at @JosephSteinberg

 