Heartbleed: There’s Always a Fee Behind Free

We all enjoy the luxury of checking off our to-do lists from the comforts of home.  Why make a stop by the bank when you can just log in and make that transfer from your laptop?  Who wants to go by the mall when you can find the exact size and color of that new jacket you want with just a little browsing on your iPad?  One click and it’s on its way to your doorstep.  All you have to do is make sure that little padlock is showing and you know you can securely share your personal information, right?

Until recently, I felt that sense of security, too.  I’ve taken (more than) reasonable steps to secure my information, so I pretty much order online whenever I want without giving it a second thought.

Until recently… and then came “Heartbleed”.

Here’s what bothers me: Essentially, ONE PERSON  (one volunteer!) is in charge of maintaining the software that guarantees that https: (secure, encrypted SSL) messages sent between users and servers are free from prying eyes.  (In case you missed my original blog post when the Heartbleed Bug story broke, check it out for some important ways you should protect yourself.)

Here’s the background information in a nutshell.  That little lock symbol indicates that SSL (Secure Sockets Layer) is in place.  SSL is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook).  SSL allows sensitive information such as credit card numbers, Social Security numbers, and login credentials to be transmitted securely.  It is implemented by something called the OpenSSL Project, which is a collaborative effort to develop commercial-grade open source (free) software.

Sounds good, right?  Free software (used by approximately 2/3 of commercial websites!), managed by volunteers who just want to make our world a safer place.  What’s not to like?  Except, as often proves to be the case, you get what you pay for Which for most users, is nothing.  The group’s founder, Steve Marquess says they do get just under $1 million from corporate contracts, but that is earmarked for company-specific work and in 2013, the group got just $2,000 for upkeep.  So the volunteer team at the OpenSSL Foundation didn’t catch the Heartbleed Bug because there aren’t enough of them to monitor it.  Marquess says only one person works solely on the software. “Everyone else has outside obligations,” he says.

In a related story, there is also speculation that the National Security Agency (NSA-yes, them again!) has actually known about and exploited this flaw for at least two years.  The NSA was able to obtain passwords and other basic data, and by not revealing this flaw, millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.  It is unclear whether anyone other than the U.S. government might have exploited the flaw before it was made public.

Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. But, experts say the NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers while Open Source projects depend on the integrity of underfunded researchers to protect us from them.

The bright side of this for OpenSSL (and ultimately for us as consumers) is that they have received about $10,000 in donations since this story broke. In the meantime, OpenSSL’s weakness and the Heartbleed Bug could be leading to years worth of data breaches. Make sure you contact your security team to patch all related software inside of your organization.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

How to Keep the Heartbleed Bug from Hacking Your Bank Account

My guess is that you feel pretty comfortable banking online, at least from your computer, if not yet on your mobile device. I do too, despite all of the hackers out there trying to intercept our bank account numbers and passwords. Most of us are at ease because of the little lock symbol that appears before the URL when we visit our bank (or Gmail, Yahoo, and so forth). That lock symbol means that our communication is encrypted (digitally scrambled) by a standard called OpenSSL. Over time, SSL has proven to be relatively safe.

Just this week, however, it was discovered that OpenSSL was hacked using a vulnerability known as the Heartbleed Bug. Jeremy Bowers, as interviewed on NPR, put eloquently (emphasis mine):

On March 14, 2012, someone introduced a bug that would allow an attacker to get the “crown jewels,” the encryption keys used to protect your communications directly from the companies themselves. With those keys, an attacker could eavesdrop on your communications with that company and/or impersonate that company, making it possible for them to harvest things like credit card numbers or passwords with relative ease.

This attack isn’t theoretical, it’s already been proven to work on Yahoo. In other words, this is a successful attack on one of the most trusted, previously secure aspects of the internet. It’s like finding out that the combination for the vault at your bank has been available to everyone on the internet for the past two years.

For more background on the problem, listen to the NPR piece above. I’d rather discuss immediate steps you should take to minimize the risk that your passwords are being hacked.

How do I protect myself against the Heartbleed Bug?

  1. It sounds alarmist, but I probably wouldn’t bank online in the next few days. If you can avoid it, do so. Bank by phone or in person, where possible. Remember, all the data thief needs to do is to watch you log into your bank account once. Give your bank time to catch up and patch up the security flaw.
  2. In the meantime, you need to change your passwords TWICE on any website that houses your sensitive personal information. You should change it right now (in case your financial institution was compromised over the last two years) and in a week or two, when your institution has installed the security patches that eliminate Heartbleed (understanding that if the website is still at risk, even if you change your password today, it could still be intercepted tomorrow, prior to them fixing the problem).
  3. Recognize that any passwords you entered over the past two years could be at risk, including those you use for banking, webmail, social media and any other online accounts. This does not just affect banking passwords.
  4. The Heartbleed Bug is so new than many banks and corporations haven’t yet had time to patch or fix the bug. Therefore, changing your password before they have made the security updates is only one step of several. There is a Heartbleed Bug Test that will give you some assurance that your bank or financial provider has solved the problem. We haven’t independently verified the test site, but it comes well recommended. You can also visit your bank’s website or call them to find out if they have solved the problem.
  5. If you are confident that they have taken proper steps to eliminate the problem, log on to your financial provider and change your password. Make sure that it is long, strong, alpha-numeric-symbol based and that you vary it between sites (learn more about strong passwords in Privacy Means Profit).
  6. Regardless of what your financial institution says, change your password frequently over the next few weeks, and from that point on (I recommend once a month).
  7. For added layers of protection, implement two-step logins (also known as two-factor authentication, which I explain here.
  8. Check back here for updates.

John Sileo helps corporations make security stick, so that it works. Watch him engage an audience, interview on the Rachael Ray Show or hear from his satisfied clients, including the Pentagon, Visa and the University of Massachusetts.