Friday, April 11, 2014

Heartbleed is out there...Here's what you need to know and do now...

A message from your friendly neighborhood Information Security Manager:  

Unless you’ve been living in a cave, you’ve probably been hearing a lot about the “Heartbleed” bug on the Internet.  While users generally tune out these sorts of notices, here’s why you need to pay attention to this one…

What is Heartbleed?  Heartbleed is a bug in the OpenSSL encryption library that leaves servers using that library vulnerable to attack.

Why is it an issue?  The vulnerability makes recovering user credentials from an affected server a trivial exercise for attackers.  Reputable sources estimate that approximately 20-60% of all websites may have been exposed.   A report from Kaspersky Lab indicates there is evidence that cyber espionage groups are already running scans for it.

What web sites are affected?   According to tech website Mashable, several major banks are not affected because they do not use OpenSSL encryption software. The website released a list of major sites that were affected by the Heartbleed bug and have since been updated, including Facebook, Pinterest, Tumblr, Gmail, Yahoo, Amazon and Dropbox.


When was this discovered?  Evidence of the bug surfaced on Monday, April 7, 2014.

How is it fixed?  Administrators of affected servers must both patch each individual server and obtain new digital certificates from a certificate authority, since the private keys behind the old certificates may have been exposed.

What can I do about it?  Contrary to some reports, changing your password now will not bring you any extra security unless the server has been patched.  Some of the tools that have popped up purporting to help you “test” web sites have also been identified as carrying malware.   Your best bet is to avoid logging in to services for the next week or so, after which you should log in and change your password to a complex one.  In the event you receive a message from what appears to be a service you use, go to the web site directly (without clicking on links in the message) to be on the safe side.

How should I manage my passwords? 
·      Never, ever, ever, write your passwords down or share them with anyone.  Not with family, friends, or with the HelpDesk Admin guy at your job.  No one.
·      Don’t use the password cache functions inherent in popular browsers.  Sure, most use the latest encryption algorithms, but anyone who has access to your machine will also have access to your accounts.
·      Don’t use the same passwords for multiple sites.  It’s like having the same key to every door, car, suitcase, and storage area you have access to.  A better way is to obtain a password vault from a reputable source such as CNET—don’t worry, this software is free (search: “free password safe”).  A good password vault will also have a utility for creating distinct, complex passwords for the sites you visit.
·      Create a master password that is complex.  It should be (at least) 12 characters in length, with upper & lower case letters, numbers, and special characters if the site allows them.  Store all other passwords in your vault.
·      If the site offers multi-factor authentication—requiring you to enter a code from a token or from your mobile phone—use it!
How do I create a complex password?
Simple passwords—particularly those using words from the dictionary, sports teams, pet’s names, etc.—are easy to crack.  Do yourself a favor and get in the habit of using a complex password.  Here’s how…
1.     Start with a phrase you can remember easily:  “The Range Rover Sport and Jaguar XF are my two favorite cars.”
2.     Take the first letter of each of those words:  TRRSAJXAMTFC
3.     Make the password case sensitive: TRRSaJXamtfc
4.     Add complexity by incorporating numbers and special characters:  TRRS&JXam2fc!
5.     You can add additional complexity by padding your passwords with a prefix or suffix of characters.  For instance, you could use your graduation year, but hold the shift key.  1983 → !(*#  Which now gives you TRRS&JXam2fc!+!(*#
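As an added example (not code from the original post), here is the five-step recipe above as a small Python script, together with a check against the master-password rules given under “How should I manage my passwords?” (at least 12 characters, upper and lower case, numbers, special characters). The post’s own phrase is used as input. The substitution table beyond “and” → “&” and “two” → “2”, the “+” separator before the padding, and the US keyboard layout assumed for the shifted digits are assumptions made here.

```python
import re
import string

# Constructed from the post's own example phrase.
PHRASE = "The Range Rover Sport and Jaguar XF are my two favorite cars."

# Step 4 replaces whole words with a digit or symbol. The post shows
# "and" -> "&" and "two" -> "2"; the remaining entries are assumptions
# added here in the same spirit.
WORD_SUBSTITUTIONS = {
    "and": "&", "two": "2", "to": "2", "too": "2", "for": "4",
    "four": "4", "one": "1", "at": "@", "eight": "8", "ate": "8",
}

# Step 5: what each digit produces with Shift held on a US keyboard
# (assumed layout; other layouts give different symbols).
SHIFTED_DIGITS = str.maketrans("1234567890", "!@#$%^&*()")


def words_of(phrase):
    """Step 1: split the memorable phrase into words, dropping punctuation."""
    return re.findall(r"[A-Za-z0-9]+", phrase)


def acronym(phrase):
    """Step 2: the first letter of each word, all upper case."""
    return "".join(w[0] for w in words_of(phrase)).upper()


def mixed_case(phrase):
    """Step 3: keep each word's own capitalisation instead of forcing upper case."""
    return "".join(w[0] for w in words_of(phrase))


def with_substitutions(phrase, tail="!"):
    """Step 4: swap listed words for a digit/symbol, then append a symbol."""
    letters = [WORD_SUBSTITUTIONS.get(w.lower(), w[0]) for w in words_of(phrase)]
    return "".join(letters) + tail


def shifted(digits):
    """Step 5 helper: a number typed with the Shift key held down."""
    return digits.translate(SHIFTED_DIGITS)


def build_password(phrase, pad_digits="", separator="+"):
    """Run steps 1-5; the '+' separator mirrors the post's final example."""
    password = with_substitutions(phrase)
    if pad_digits:
        password += separator + shifted(pad_digits)
    return password


def meets_policy(password, min_len=12):
    """Check the rules from the master-password bullet; returns (ok, details)."""
    checks = {
        "length": len(password) >= min_len,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    for step, value in [
        ("2", acronym(PHRASE)),
        ("3", mixed_case(PHRASE)),
        ("4", with_substitutions(PHRASE)),
        ("5", build_password(PHRASE, pad_digits="1983")),
    ]:
        ok, details = meets_policy(value)
        print(f"step {step}: {value:22} policy ok={ok} {details}")
```

Running the script shows that the step-2 and step-3 results fail the policy check (no digits or special characters) and only the step-4 and step-5 results pass it. Because every step is a fixed transform of a sentence, the result has far less randomness than its length suggests, which is why the post recommends letting a password vault generate the individual site passwords and reserving a phrase-built password for the vault’s master password.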

Peace,
+THINKER



2 comments:

  1. Is it safe to have my password(s) typed locally (my H drive) so I can copy/paste them as needed?

  2. As a practical matter, yes, but there are some caveats. Keeping your passwords, say, in a text file or a Word document is better than keeping them on a Post-It note on your monitor...but only marginally so. In fairness, you CAN encrypt MS Word documents, but you should be cognizant of what revision you're using. Older versions of Microsoft Office's protection system save a hash sum of the password in the document's header, where it can be easily accessed and removed by specialized software. Word 2007 offers significantly more secure document protection, which utilizes the modern Advanced Encryption Standard (AES) and converts a password to a 128-bit key using a SHA-1 hash function 50,000 times. You could also encrypt a text document using WinZip, as it also supports AES. So in answer to your question: if you really want to save passwords on your hard drive without using specialized software, yes, you can do so under the aforementioned conditions.

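The comment above contrasts two ways a document-protection scheme can treat a password: storing a plain hash that a guess can be tested against cheaply, or stretching the password through SHA-1 many thousands of times into a 128-bit AES key. The following is an added example, not code from the post or from Microsoft Office, that shows the difference using PBKDF2-HMAC-SHA1 (a standard construction used here as a stand-in; it is not Office 2007's exact algorithm) at the 50,000 iterations the comment quotes. The salt and passwords are constructed, and the hand-written derivation is checked against the standard library's.

```python
import hashlib
import hmac
import os
import struct
import time

ITERATIONS = 50000   # iteration count quoted in the comment above
KEY_BYTES = 16       # 128-bit AES key


def legacy_fingerprint(password):
    """One unsalted SHA-1 of the password: testing a guess costs a single hash."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def pbkdf2_hmac_sha1(password, salt, iterations, dklen=KEY_BYTES):
    """PBKDF2 (RFC 8018) with HMAC-SHA1, written out so the stretching loop is visible."""
    secret = password.encode("utf-8")

    def prf(data):
        return hmac.new(secret, data, hashlib.sha1).digest()

    derived = b""
    block_index = 1
    while len(derived) < dklen:
        # U1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U1 xor ... xor Uc
        u = prf(salt + struct.pack(">I", block_index))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(len(u), "big")
        block_index += 1
    return derived[:dklen]


def derive_key(password, salt, iterations=ITERATIONS):
    """The same derivation through the standard library; the two must agree."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def cost_ratio(password, salt, iterations=ITERATIONS, samples=20):
    """Measured: how many times slower one stretched guess is than one plain hash."""
    start = time.perf_counter()
    for _ in range(samples):
        legacy_fingerprint(password)
    plain = (time.perf_counter() - start) / samples

    start = time.perf_counter()
    for _ in range(samples):
        derive_key(password, salt, iterations)
    stretched = (time.perf_counter() - start) / samples
    return stretched / plain


if __name__ == "__main__":
    salt = os.urandom(16)              # stored alongside the ciphertext, not secret
    key = derive_key("correct horse battery", salt)
    assert key == pbkdf2_hmac_sha1("correct horse battery", salt, ITERATIONS)
    print("AES-128 key:", key.hex())
    print("one stretched guess costs about %.0fx a plain SHA-1"
          % cost_ratio("guess", salt))
```

The salt is what stops a precomputed table from covering every document at once, and the iteration count is what makes each individual guess expensive; the printed ratio is the factor by which a guessing attack against the stretched key is slowed relative to a plain hash stored in a header. Whether the key is then used by Word, WinZip or any other AES-based container, the quality of the password itself still bounds the protection, which is why the post's advice about long, complex master passwords applies here too.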