Heartbleed: What it is and how to be safer.

There’s a nasty little bug out there dubbed Heartbleed.

Yes, it is a thing and it could impact you. In fact, it’s estimated that over two-thirds of the web has already been affected in some way.

So, what is Heartbleed?

Essentially, it allows third parties to see your information by eavesdropping on websites and accounts.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
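The flaw behind that description is a missing length check in OpenSSL's handling of the TLS heartbeat extension: the server copied as many bytes as the peer's heartbeat header claimed, without checking that many bytes had actually arrived, so the echo reply carried whatever else was in memory. The check below is an added illustration (not code from the original post or from OpenSSL) of the validation the fix introduced, applied to two constructed heartbeat records; field names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS heartbeat message layout (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 */
#define HB_REQUEST     1
#define HB_MIN_PADDING 16

/* Returns 1 if the heartbeat record is well-formed and may be echoed,
 * 0 if it must be discarded. The vulnerable code trusted payload_length
 * and copied that many bytes into the reply; the fix compares it with
 * the number of bytes that really arrived before touching the payload. */
int heartbeat_request_is_wellformed(const unsigned char *rec, size_t rec_len,
                                    size_t *payload_len_out)
{
    if (rec == NULL || rec_len < 1 + 2 + HB_MIN_PADDING)
        return 0;                        /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: header + claimed payload + minimum padding
     * must fit inside the record that was actually received. */
    if (1 + 2 + claimed + HB_MIN_PADDING > rec_len)
        return 0;
    if (payload_len_out != NULL)
        *payload_len_out = claimed;
    return 1;
}

/* Constructed sample records for demonstration, not captured traffic. */
static const unsigned char benign_record[] = {
    0x01, 0x00, 0x03, 'a', 'b', 'c',         /* request, 3-byte payload */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0          /* 16 bytes of padding */
};
static const unsigned char oversized_claim[] = {
    0x01, 0xFF, 0xFF, 'a',                   /* claims 65535 bytes, carries 1 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};

int main(void)
{
    size_t n = 0;
    int ok = heartbeat_request_is_wellformed(benign_record, sizeof benign_record, &n);
    printf("benign record: %d (payload %zu bytes)\n", ok, n);
    ok = heartbeat_request_is_wellformed(oversized_claim, sizeof oversized_claim, NULL);
    printf("oversized claim: %d\n", ok);
    return 0;
}
```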

Heartbleed was discovered a few months ago (by Google researcher Neel Mehta and the security firm Codenomicon), about two years after it had been introduced into the public domain, giving black-hat hackers quite some time to gather information. The public alert was released only recently. While sites (like Google) are scrambling to patch any possible security flaws, there are things you can do to be safer on the web.

In What Users Can Do About the Massive Internet ‘Heartbleed’ Threat: Not Much, it’s made very clear:

“There is nothing users can do to fix their computers. They have to rely on the administrators of the websites they use,” said Mikko Hypponen, chief research officer with security software maker F-Secure of Helsinki.

Security expert Bruce Schneier says:

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it.
“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

Your computer is not infected; it’s the web that is, so until proper fixes are applied, take measures to navigate it more safely.

Know the enemy.

Take ten minutes out of your day to understand, in simple language, what Heartbleed is and how it works. You can learn more by visiting the site Heartbleed Bug. Please read Why Heartbleed is the most dangerous security flaw on the web to get an idea of what you’re dealing with and how it affects you and the web at large.

Passwords aren’t enough. 

Heartbleed is a good reminder that passwords alone aren’t enough security. However, if you haven’t changed your passwords already, I recommend you do so once you know the site’s server has been updated with the proper fixes. In fact, I would recommend changing your passwords seasonally for better security. Never use the same password on two accounts that matter and consider using a two-step sign-in process when offered.

Log out. 

When you’ve finished business in your account, log out. This way your account isn’t open and idle, making itself an easier target. 

Check a site.

If you have concerns about a site you may want to visit or visit regularly, you can check any site at the Heartbleed Test and it will tell you whether it is known to be vulnerable.

Arm your browser.

If you’re using a Chromium-based browser like Dragon, Iron or Google Chrome, add this handy little extension called Chromebleed to alert you to affected sites. At this time, Gecko-based browsers like Firefox or CometBird do not have such an extension, but I can only imagine one will be out shortly. It’s not official, but here’s an extension to use in Firefox and Gecko-based browsers.

Watch your financial statements. 

Many of us make purchases online. Attackers can read banking and payment information from a server’s memory, so it is a good idea to look out for unfamiliar charges on your statements.

If anyone has questions, please use the blog form to reach us privately or leave a comment below and we’ll do our best to assist you. Watch this page. Updates will be made as we get them.

Stay safer and be good to yourselves and each other.

Gen Xavier,
GenXMedia

Note: Administrators can read the EFF’s recommendations in David Grant’s The Bleeding Hearts Club: Heartbleed Recovery for System Administrators.

——————————————————————
UPDATES:

Which sites have patched the Heartbleed bug?
A live, constantly updated list of the top 100 sites across the Web, showing whether each has patched the Heartbleed bug.
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Heartbleed: How It Works
http://securitywatch.pcmag.com/hacking/322533-heartbleed-how-it-works

For the ultra-security conscious, here’s Tor’s advice on Heartbleed: “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

Google spokeswoman Dorothy Chou told Reuters: “We fixed this bug early and Google users do not need to change their passwords.”
Little Internet users can do to thwart ‘Heartbleed’ bug
http://www.reuters.com/article/2014/04/10/us-cybersecurity-internet-bug-idUSBREA3804U20140410
[Note: I would advise after Google announces all fixes have been properly applied to all of its services to change the password. This seems especially critical since Google now forces most users to log into its services, including Blogger and YouTube, using one Google identity. The Chromebleed extension is currently announcing Blogger, Google’s blog service, may still be vulnerable at 5:21 AM EST. Please wait for all patches to be properly applied before changing your password(s) to Google services. – Gen]

[Note: Are you a Yahoo user? Once you know Yahoo has been completely updated with the proper fixes, I suggest you change the password on any and all services you use there. – Gen]
“We were able to scrape a Yahoo username & password via the Heartbleed bug,” tweeted Ronald Prins of security firm Fox-IT, showing a censored example.
‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords
http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

GitHub user Mustafa Al-Bassam performed a mass scan for vulnerable sites at 16:00 UTC (noon US eastern time) on April 8th. It features over 10,000 websites, and he found that 627 of them were vulnerable to the bug. Yahoo sites (including email and Tumblr) were vulnerable, as was the popular dating site OkCupid.
See the list here: https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

Half a million widely trusted websites vulnerable to Heartbleed bug
http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
Note: this also allows you to check a site.

A Canadian reader writes “The day I go to file taxes and Canada Revenue is shut down because of heartbleed LMAO” 


Not just servers hit by OpenSSL’s Heartbleed – your PC and phone may be vulnerable too
http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/

Why Heartbleed Is the Ultimate Web Nightmare
http://mashable.com/2014/04/09/heartbleed-nightmare/

There’s nothing you can do about the past
In the wake of the Heartbleed disclosure, system administrators have been scurrying to secure their systems, revoke certificates, check for other patches and change login data.
What these admins cannot do, however, is go back in time and prevent any person (or organization) who may have taken advantage of this vulnerability to access information not intended for them.
Even scarier, it’s not even clear that it’s possible to tell if anyone bypassed the vulnerability in the past. In other words — patching a system today is great — but that can’t prevent any silent destruction that has already happened.

[Note: Don’t panic. No one knows what (if any) data has been acquired and we can’t do anything about the past. However, we can take the measures highlighted in this article to move forward and be more security-minded. – Gen]

12 thoughts on “Heartbleed: What it is and how to be safer.”

  1. Heartbleed scares the hell out of me – it's been out for over 2 years and eaten 2/3 of the web. Thanks for this, will read those links and do as you suggest. Which do you like better, Chrome or Iron? I'm on W7 and I'll be switching ASAP as per your recommendation.

    #OpSafeWinter Kate

  2. Thank you for not scaremongering like so many media outlets and sites have done just to increase their own traffic.

    Thank you for telling us the truth and pointing us to reliable sources of information.

    Thank you for letting us know, in simple terms, what we can do to keep ourselves safer.

    This is why I tune in to this blog regularly. You give me everything I need to stay aware, be entertained, think, enjoy and better my life.

    Thank you Gen X Media.

  3. Hello, Kate.

    Thank you for your ongoing efforts to help the homeless, displaced, hungry and struggling men, women, children and pets through #OpSafeWinter. Winter may be over but the hardship is not. I hope everyone gets involved so we can wipe poverty off the map, one person at a time.

    For more information on #OpSafeWinter
    https://opsafewinter.org/
    https://twitter.com/OPSafeWinter
    http://genxpose.blogspot.com/2014/01/opsafewinter-just-one-moment.html
    http://www.dailydot.com/news/op-safe-winter-anonymous/

    As for which browser…

    Either will work well on Windows 7. I recommend clicking the links for Dragon and Iron above in the article, reading about each browser and deciding which best suits your needs. However, if you're asking me personally, I'd choose Iron for Windows 7 and Dragon for Vista.

    If you're not familiar with chromium-based browsers, cut and paste the extension link into Iron or Dragon and click the ADD button. The Chromebleed icon should appear in the upper right corner of the browser and it will alert you when a site is infected.

    When I have updates (other tools or news) I'll post them to this article.

    All the best,

    Gen

  4. Good morning from Herefordshire.

    The Helper Kitten is definitely helping. Thank you for this timely update. I've been seeing this all over the news but I don't always understand what's being said. I'll take the clear advice you've given and stay off all but main or necessary sites for a few days as well until more patches have had the opportunity to be installed.

  5. Popular sites which exhibit support for the TLS heartbeat extension include Twitter, GitHub, Yahoo, Tumblr, Steam, DropBox, HypoVereinsbank, PostFinance, Regents Bank, Commonwealth Bank of Australia, and the anonymous search engine DuckDuckGo.

    DuckDuckGo <<<<< is safe. You heard it here first. It doesn't try to consume and eat you raw like Google does.

  6. You and Carlos and Edward have to be exhausted dealing with this for days now. Thanks for explaining it and letting us know what we can do and when.

    Ron 🙂

  7. Thanks so much for this Gen! I'll get chrome started up and do my surfing there until Firefox gets their extension.

    As always, a great article.

    Carlotta

  8. Carlotta, the unofficial Firefox/Gecko extension is listed above. We tried it out and it seems to work; however, please note the other recommended measures as well. All the best! xx
