Should you worry about Heartbleed?
The answer to this question is, as always, “it depends”.
If you have had the Internet switched off for the last month you might not have heard of Heartbleed. It was a flaw in the OpenSSL encryption software that secures Internet communications such as email, web sites, instant messaging and virtual private networks (VPNs). I say “was” because patches to the software were issued immediately the problem was identified and all at-risk computers should have been updated by now. The danger was that hackers could capture the content of blocks of RAM, and what they got could contain sensitive or private information.
You might have been unlucky enough to have been approached by some “expert” offering to provide protection, because any threat draws these parasites out into the open, but there is only one thing that most people need to do. I’ll mention it at the bottom of this article, but it’s something everyone should be doing anyway.
The first thing you need to know is that if you are not running a web server yourself or your server is Windows IIS then there is nothing you need to patch to fix things. OpenSSL is used on Linux and some other non-Windows operating systems, and although this represents the majority of the web it’s not a problem unless you are operating the host machine. If you host your company’s web site internally you need to apply the relevant patches to OpenSSL and also check the currency and status of any security certificates that have been installed.
Most Internet users and companies do not host web sites, so what comes next applies to the majority of people reading this.
If you only use the Internet for email and web browsing and never go to any sites that require you to log in with a user name and password there’s not a lot you need to do, although you should consider changing your email password. If all your email is delivered through a corporate mail server like Exchange you have very little to worry about, provided that your company’s IT people have done their jobs. The same applies to your corporate VPN – it is someone else’s job to make it right. Please note that free email services like Outlook.com/Hotmail and Google’s Gmail are “sites that require you to log in with a user name and password”. They are also obvious targets for hackers.
In fairness, I should point out here that the big name sites that require logging in (Facebook, Twitter, Microsoft, Google, Yahoo!, LinkedIn, Apple, Instagram, PayPal, …) were all very quick to issue statements saying that their sites had either not been affected or that they were fully patched.
If your company has a web site you have to rely on the hosting organisation to install the relevant patches. The place hosting the Gebesse site issued a statement to clients saying that all the patches had been installed and reiterated their policy of keeping all software up to date. If you haven’t heard anything from the hosting company by now you need to do two things – email them asking if the patches have been installed, and prepare to move your site to another host if they haven’t.
If you have a secure shop on your site there are two possibilities – you do it all internally or you outsource the shop to a third party. There is not much you can do about an outsourced shop except to email the operator to ask if their OpenSSL and security certificates have been updated. If you manage it internally, as we do at Gebesse, you must update your security certificates. In our case the certificate issuing authority cancelled all certificates and issued new ones. As far as I know all certificate issuers have done this, but it is worth checking.
So, in summary – if you run your own web sites install all the patches and update all certificates, if you outsource your web site check that the people you are paying have done the right thing.
And the one thing that everyone should do? Change your passwords, and this is something you should be doing on a regular (or maybe irregular) basis anyway. There is a reason that your corporate network forces you to change your password occasionally, because the longer you use one the more likely it is to become public knowledge. I know it’s a pain to have to remember lots of different passwords and, like you, I have been guilty of sometimes using the same password in many different places, but it can be managed.
Get yourself a password manager program. I use LastPass (www.lastpass.com), but a Google search will turn up others. LastPass is designed to store passwords for web sites and can generate a random password for every site you need to visit and then log you in when you open the site. It installs itself in all the usual browsers, and versions are available for Android and iOS so you can carry the list with you. The only password you need to remember is the master one for LastPass, you can make that as obscure and unmemorable as you like, and it is secure because LastPass never transmits it as all authentication is carried out at the user end. And, yes, there is a way to reset it if you forget.
And finally – get a good anti-virus program and keep it up to date. It won’t protect you from threats like Heartbleed but there are other things to worry about.