Thoughts on Heartbleed

My thoughts on the Heartbleed vulnerability

The Heartbleed vulnerability was made public on April 7th and I found a few things about it, and the reaction to it, interesting.

  • This XKCD comic has a straightforward explanation of the vulnerability. The vulnerability can be used to collect random bits of information from a server’s memory. The attacker has no idea what they’ll get.
  • Lots of Heartbleed info from Codenomicon (the Finnish company that found the vulnerability) is here. (Google also found the vulnerability at about the same time.)
  • I don’t need another reason to like LastPass as my password manager, but they gave me one. They put together a tool to look at the websites I use and determine which ones are vulnerable. Then they look at when the vulnerable sites last updated their SSL certificate and compare it to when they were updated to the non-vulnerable OpenSSL version. If the site is no longer vulnerable and the certificate was updated, they then look at my last password change date. If it was changed before the site was fully fixed, I’m told to update my password. If the site isn’t fully fixed, I’m told to wait.

LastPass Heartbleed check report

  • The vulnerability was introduced in December 2012 and coincidentally found by two separate researchers in March 2014. It was made public on April 7th. When it was first announced Bruce Schneier, a respected security researcher, said “On the scale of 1 to 10, this is an 11.” With more information he’s backed off a bit and posted a nice update with a lot of links to more information. On the This Week In Tech podcast he mentioned that there wasn’t any widespread scanning being done before the public announcement, so there probably wasn’t a lot of lost data, but the attacks started quickly after the public announcement.
  • It does appear that the vulnerability wasn’t widely exploited (if at all) until it went public April 7th. Seems true, if hard to believe, that it went unnoticed for over a year and then two independent teams found the vulnerability at the same time. (Codenomicon and Google.)
  • This is the first vulnerability that came with its own marketing campaign and logo.
    Heartbleed logo
    Not a bad idea to get people to take the necessary action.
  • If you haven’t logged into a website between April 7th and when the website was fixed, your password wasn’t taken. The problem is knowing when the websites have been fixed. As mentioned, I’m using LastPass to identify vulnerable sites I use and when they were fixed. The previously mentioned Bruce Schneier posts include some additional links, but they’re tough for the average person to go through. Unfortunately it’s tough to know which scanners can be trusted, but this one has been reported as reliable. (But use at your own risk.) I tried a couple of scanners and they worked poorly, so no other links here.
  • In my case most of my financial websites weren’t vulnerable. I don’t know if that means most financial institutions don’t use OpenSSL or I just got lucky.
  • There are reports that the NSA knew of this and used it rather than reporting it. They’ve denied it. While I wouldn’t want to rely on the NSA’s comments (they lied to Congress), it makes sense that they didn’t use this. Based on the past disclosures it seems they have more reliable ways of getting the same information.
  • The Canada Revenue Agency reported that over 900 social insurance numbers were taken due to Heartbleed. I was skeptical. Was it Heartbleed, or just found when reacting to Heartbleed? But it appears the site was vulnerable for 48 hours after the vulnerability became public. Since the hackers reacted quickly and this would be a high-value target, it does seem likely. So is the 900 number based on people who accessed the site in those 48 hours? There doesn’t seem to be any way to tell exactly what was taken.
  • Luckily I stopped doing my own hosting on a virtual private server. This is something that would have had me up late updating software and regenerating certificates/keys, since I used OpenSSL. Even though I didn’t maintain user accounts, all my access to the server used OpenSSL. I liked running my own server, but this is something I don’t miss.
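The LastPass check described earlier (patched OpenSSL, reissued certificate, then password change date) and the “no login between April 7th and the fix” rule from the later bullet are really one small decision procedure. Here it is as a worked example; this is added illustration, not LastPass’s code or the post’s. The record field names (`was_vulnerable`, `openssl_fixed_on`, `cert_reissued_on`, `password_changed_on`, `logins`) and the sample sites are assumptions constructed for the example.

```python
from datetime import date

# Public disclosure date given in the post: April 7th, 2014.
DISCLOSURE = date(2014, 4, 7)


def password_advice(site, disclosure=DISCLOSURE):
    """Return 'ok', 'change' or 'wait' for one site record.

    Field names below are assumptions made for this example:
      was_vulnerable       bool       - site ever ran a vulnerable OpenSSL
      openssl_fixed_on     date|None  - day it moved to a non-vulnerable OpenSSL
      cert_reissued_on     date|None  - day its certificate was last updated
      password_changed_on  date|None  - day the user last changed the password
      logins               list[date]|None - days the user logged in (None = unknown)
    """
    if not site.get("was_vulnerable"):
        return "ok"  # never exposed, nothing to do

    fixed = site.get("openssl_fixed_on")
    cert = site.get("cert_reissued_on")
    # "Fully fixed" means OpenSSL was patched AND the certificate (hence the
    # private key) was reissued on or after that patch day. Until then a new
    # password could be captured just like the old one, so the answer is wait.
    if fixed is None or cert is None or cert < fixed:
        return "wait"
    fully_fixed = max(fixed, cert)

    # Rule from the post: if the account was not used between disclosure and
    # the fix, the password never passed through vulnerable memory. The window
    # is inclusive on both ends, a conservative choice made for this example.
    logins = site.get("logins")
    if logins is not None and not any(disclosure <= d <= fully_fixed for d in logins):
        return "ok"

    # Otherwise compare the last password change with the fix date. A change on
    # the fix day itself is treated as "before the fix" (conservative assumption).
    changed = site.get("password_changed_on")
    if changed is None or changed <= fully_fixed:
        return "change"
    return "ok"


def report(sites, disclosure=DISCLOSURE):
    """Map each site name to its advice, mirroring the LastPass-style report."""
    return {name: password_advice(rec, disclosure) for name, rec in sites.items()}


# Constructed sample data, not real sites or real dates from any report.
SAMPLE_SITES = {
    "bank.example": {"was_vulnerable": False},
    "shop.example": {  # fixed Apr 8, cert reissued Apr 9, logged in during the window
        "was_vulnerable": True, "openssl_fixed_on": date(2014, 4, 8),
        "cert_reissued_on": date(2014, 4, 9), "password_changed_on": date(2013, 11, 2),
        "logins": [date(2014, 4, 8)]},
    "forum.example": {  # same fix dates, but no login inside the window
        "was_vulnerable": True, "openssl_fixed_on": date(2014, 4, 8),
        "cert_reissued_on": date(2014, 4, 9), "password_changed_on": date(2013, 11, 2),
        "logins": [date(2014, 3, 1), date(2014, 4, 20)]},
    "mail.example": {  # OpenSSL patched, but certificate still predates the patch
        "was_vulnerable": True, "openssl_fixed_on": date(2014, 4, 8),
        "cert_reissued_on": date(2014, 1, 15), "password_changed_on": date(2014, 4, 8),
        "logins": None},
    "news.example": {  # fully fixed Apr 8, password changed afterwards
        "was_vulnerable": True, "openssl_fixed_on": date(2014, 4, 8),
        "cert_reissued_on": date(2014, 4, 8), "password_changed_on": date(2014, 4, 10),
        "logins": None},
}

if __name__ == "__main__":
    for name, advice in report(SAMPLE_SITES).items():
        print(f"{name:15} {advice}")
```

The ordering matters: the “wait” branch comes before the password-change comparison, because rotating a password on a site whose key has not been reissued just hands the attacker the new one.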

Since there’s no way to know if your password was taken, it’s probably time to start updating. It’s probably a good idea to change passwords anyway. I use complex passwords that are unique to each site, so I don’t change them on a regular basis. If you don’t use a password manager, it’s time to start so you can make all your passwords complex and unique. I prefer LastPass, but there are others worth using. Since I don’t have experience with others I can’t recommend any in particular, but 1Password and KeePass are frequently recommended by others.