Heartbleed bug makes online accounts vulnerable

Date Published: 
April 18, 2014

Coastal Point illustration • Shaun M. LambertCoastal Point illustration • Shaun M. LambertHave you changed your passwords this week? If you haven’t, you may want to consider doing just that, after the Heartbleed bug impacted an estimated two-thirds of the world’s websites this week, potentially exposing users to having their passwords and other information stolen by those seeking to exploit the flaw in the open-source OpenSSL protocol used by a vast number of sites.

Most Internet users have by now learned to recognize the padlock symbol and https:// address that are used to indicate that a website’s communications with their web browser is secure, encrypted and not subject to being easily intercepted by a hacker. We rely on those indicators to know we can safely do our banking online, buy items and services online with our credit cards and be assured that our personal information isn’t readily available to identity thieves.

So, what happens when those symbols become useless or, worse — deceptively indicating secure communications when, in reality, our data is available to anyone with enough knowledge to exploit a flaw in a bit of code or create a look-alike website?

The answer is that the Internet panics and the folks running these websites scramble to patch the hole, secure user accounts and assure them that their information hasn’t been abused.

And if you’re not a tech-savvy person and you still heard about the Heartbleed bug this week, that’s a measure of how widespread and potentially serious this situation was. It will have impacted a significant number of Internet users to some degree, and the more websites you use, the more likely it is that you needed, or still need, to take action to protect yourself.

So, did you? Did you know what to do and when to do it? Or maybe you hadn’t heard about Heartbleed until just now, and you’re wondering whether you need to worry.

At its most basic level, Heartbleed is a flaw in the code many websites used to ensure you were secure. It has reportedly been around for years, but only recently identified publicly, leading to a rush to patch security on websites using OpenSSL and also likely a rush to take advantage of the bug before those patches could be put in place.

Bug makes secure sites vulnerable

What could Heartbleed do? Well, the first thing it could do is allow someone to access the traffic on a formerly secure website — or even impersonate that website — so that they can glean things such as your username and password.

And we all know that someone having access to your username and password could potentially open you up to having stored credit card information stolen, your personal information obtained by identity thieves or even make it easier for someone to take control of your e-mail or bank accounts.

The good news for those doing online banking is that the vast bulk of financial institutions don’t use OpenSSL as the basis for their secure website communications, so they weren’t and aren’t vulnerable to Heartbleed.

American Express, Bank of America, Capital One, Citigroup, E*Trade, PNC and others all assured tech blog Mashable (http://mashable.com/2014/04/09/
heartbleed-bug-websites-affected/) that they either specifically don’t use OpenSSL for website encryption or that they did not believe their customers’ information was ever compromised, without specifying whether OpenSSL was in use.

Among major government, tax-related and finance sites, only USAA told Mashable that they’d needed to patch their security, and they said they’d done it prior to the Heartbleed bug becoming widely known.

On the other hand, the Internet leviathan that is Google had its systems impacted, which means that those using Gmail addresses, signing in to an account on YouTube, signing in to Google for searches or saved links, or buying apps for Android devices in the Google Play store were vulnerable to having their information stolen.

Google told Mashable it had patched its major services early on, so users didn’t need to change their passwords. However, Mashable advised — rightly — “better safe than sorry,” due to the previous period of vulnerability, and that users should go ahead and change their Google passwords.

I should also note that there have been some reports of vulnerability to Heartbleed in one current version of Google’s Android operating system: 4.1.1. Android devices running 4.1.1 or custom versions of 4.1.1 need to be updated as soon as possible to a patched version of the OS to ensure data on your phone or tablet and traffic to and from the devices remain secure.

Facebook — which many Internet users use for a centralized sign-in on multiple websites — also told Mashable that it had patched its servers eavrly on and didn’t believe they had been compromised. They nonetheless advised users to ensure they were using a unique password for Facebook.

Unique passwords aren’t optional

That’s a key point here for those seeking to ensure they haven’t been compromised by Heartbleed and that they won’t be compromised by similar problems in the future: Always use a unique password for every site and account you have. Why? Because if someone manages to get hold of your password from one site, they’re likely to try to use it on another site, and if you’re using the same password, you’ve handed them the key to your private information.

Even if you’re using similar passwords — such as a master password altered for each individual website — it’s not terribly difficult anymore for hackers to discover the pattern you’re using, and then they can simply adapt the pattern to the other sites you use, unlocking all of your online accounts.

What this means is, if you use the same password for your Pinterest account, for example, and your Amazon.com account, even though Amazon.com wasn’t impacted by Heartbleed, the vulnerability of your Pinterest account information could have given a thief a way to get into your Amazon account and the personal and credit card information on file there — potentially even to order items charged to your credit card.

Now, Pinterest also told Mashable that it didn’t have any reason to believe its accounts had been impacted, but it is possible some were and that it wasn’t able to track such activity. Pinterest, too, advised users to change their passwords and even sent out password reset emails asking them to do just that.

And that brings us to another key point in this Heartbleed fallout: If you did need to change your password, it wasn’t a good idea in every case to do so immediately after hearing about the vulnerability. Only after the individual servers were patched was it safe to create a new password, since sites that were still vulnerable when people changed their passwords would be vulnerable to having those new passwords stolen, as well. (If you changed passwords too soon, you’ll need to do it again.)

This meant that you had to: (a) Find out if each website used OpenSSL, (b) Determine whether they’d already patched the flaw, and, if so, (c) Change to a unique and hard-to-guess password. And even if you thought a given site wasn’t vulnerable to Heartbleed, you had to change your password on any other site where you’d used the same password as on a vulnerable site or where you weren’t sure whether they’d been vulnerable or not. That’s a lot of websites and a lot of new passwords.

Many popular websites affected

Who was impacted? Well, Mashable updated its list of major sites through the morning of April 12, so that’s a place to start. Their chart notes which sites were vulnerable, whether they’d been patched and whether users should change their password. (When in doubt, the answer is always “Yes.”)

So, along with Google, Pinterest and Facebook, users with accounts for Instagram, Tumblr, Yahoo, Etsy, GoDaddy, Flickr, Minecraft, Netflix, Soundcloud, USAA, Box, Dropbox, GitHub, IFTTT, Wikipedia and Wunderlist should all be changing their passwords, if they haven’t already.

Users of Wordpress and Twitter are going to have to make a judgment call (better safe than sorry), as both services told Mashable that patches had been made but didn’t acknowledge that they’d been vulnerable in the first place.

But what about smaller sites, such as your local bank or that e-retailer you buy your favorite socks from twice a year? You’re still going to have to check those one by one. Many sites have put up notices this week stating whether or not they were vulnerable (locally, Taylor Bank specified that it wasn’t) and whether users need to change their passwords as a result.

Alternatively, the free tool at filippo.io/Heartbleed/ will let you plug in a website address and will then scan it for vulnerability. For users of Google’s Chrome browser, there’s also a browser extension you can install, called Chromebleed, that will use the filippo.io tool to automatically check for vulnerability in sites that you visit. (Browser extensions can also be used for nefarious purposes, but Chromebleed has been vetted by a number of users this week and should be safe to install.)

Bottom line: When in doubt, change your password, especially if you used any one password on more than one website. Internet security experts will tell you to change your passwords regularly anyway, so it’s best to get used to the process and plan to change all of your passwords on a regular basis.

Creating a secure password

That brings us to the importance of creating unique passwords for each site and doing so in a way that doesn’t leave you vulnerable to having them stolen through social engineering (using information about you that’s available online, such as your favorite sports team or mother’s maiden name — Can you believe we ever used this as a security measure? — to guess what they might be), random guessing or dictionary-based hacking.

The only way to have a truly secure password is to use a random selection of letters, numbers and symbols. But how do you remember such a password? The answer is: You don’t. Heartbleed is a wake-up call for everyone who was still trying to use passwords they can easily remember. Hacking software has gotten sophisticated enough now that combinations of dictionary words with numbers and symbols aren’t secure enough anymore to really discourage a hacker.

You may be able to get away with using a shorthand version of a memorable phrase, such as using the first or last (or second) letters of words in a favorite poem or saying, but you should be looking for your passwords to be at least 12 characters long (preferably 18 or more), and use letters and numbers, both uppercase and lowercase letters, and symbols — and in ways that don’t form words and don’t use dates that could be guessed and don’t simply replace certain letters with symbols.

Yes, that eliminates a lot of what many would formerly have considered secure-but-memorable passwords. But until all Internet security is biometric, using fingerprints, facial recognition or eye scans, learning how to create a secure password is a skill Internet users will need to acquire.

There are some shortcuts, however.

Making secure passwords work

Probably the best way to do it is to use a password generating and storage service, app or device. With these methods, you generally create one very secure but very memorable password and use that to access the other passwords stored inside. Ideally, you allow the service or device to create all of your new passwords, using truly random combinations that even you wouldn’t be able to guess or remember.

Look for services such as LastPass, 1Password and Apple’s Keychain. Keychain is part of the newer Apple operating systems, at no additional cost, while LastPass offers both a free service and a “premium” service with extra options, a free mobile app and no ads, for $12 per year.

You’ll pay per-platform for 1Password, with separate and bundled options for desktop and mobile devices, at $25 for the current desktop version and $9 (on sale from $18 as of early this week) for iOS and a free Android reader app. With 1Password, there’s no annual fee, but you’ll have to pay for major updates to future versions.

Creating those randomized passwords doesn’t necessarily mean a lot of typing of passwords from one screen to another, as such services often include a secure browser or browser plug-in that will log in to a website for you once you’ve used your master password to sign in.

Many laptop computers also have an option to include a fingerprint scanner that can be used in place of your master password, so you just scan your finger whenever you’re signing in to a saved website. For those who can’t be sure they’ll even remember a single master password, that could be an answer.

If you’re using a password service or device, you’re no longer burdened with remembering more than one password, and that makes it easy to follow the other key advice for creating secure passwords: Don’t use the same password on more than one site.

Again, all it takes is one password from one site to start unraveling all of your online accounts, especially if they’re using interconnected sign-ins. If someone gets your Facebook password from a virus a co-worker unknowingly installed on your computer, they’ll be able to sign in as you on numerous websites.

If they get your Twitter password, they could take over your Pinterest account and start posting spam or worse. And if that Twitter account is a business account, embarrassing posts you didn’t make could have negative impacts on your business or that of your employers for a long time to come.

Getting access to even one account could provide someone with enough information about you to guess your Amazon password or to convince a “helpful” Apple employee that they’re you, letting them then change your password and other information, permanently locking you out of your account and allowing them to wipe your connected devices.

And someone getting access to your email account could not only mean viruses sent out in your name to all your friends and family, making them vulnerable, but could let hackers steal your email identity and then use it to prevent you from resetting your other passwords, allowing them to steal your entire online identity or even ransom your accounts.

All of this could be enough to make you want to stop using the Internet entirely, but the reality is that such widespread incidents involving security flaws are rare. By taking measures now to ensure your existing accounts are secured with unique, un-guessable passwords and continuing that care into the future, you’re protecting what is likely to be an increasingly digital life and all of what that means for you in your real, off-line life.