Friday, April 11, 2014

Heartbleed: What's up with that? (by Sei Lisa)

(This post has been written by Sei Lisa, my business partner. I'm reproducing her text with permission. Thank you, Sei!)

"Heartbleed - is it serious? Does it affect me?"


Short answer: yes, and most likely, respectively.

Long answer: it can expose passwords (and other data such as session cookies) to an attacker, who can then use them to log in to your accounts on any affected site. Many important sites, including Google, Facebook, Tumblr, WordPress, Yahoo, Amazon Web Services and many others, have been affected, and if you had an account with any of them, your password could have been compromised. All of the companies mentioned have already fixed the problem, which means that if you change your password now, the new one is safe (changing it before a site is fixed would only expose the new password as well). Many other sites where you have accounts may also have been affected, and it is better to take action.

"But what is it?"


It's a software bug in OpenSSL, a popular library used for HTTPS and other kinds of encrypted communication over the internet. The bug lets anyone who can connect to an affected server read chunks of that server's internal memory (up to 64 KB per request, repeated as often as the attacker likes) that should never be readable from outside. That memory can contain sensitive data that other users recently sent to the site, passwords included, and in the worst case the server's private key. The flaw is in the library's implementation of a protocol extension called Heartbeat, added to OpenSSL about two years ago, hence the name Heartbleed.
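To make the mechanism concrete, here is an added example in C. It is not part of Sei Lisa's post and not OpenSSL's own code; it models a heartbeat handler both ways. A heartbeat request carries its own payload length, and the vulnerable version trusts that number and copies that many bytes back, even when the request actually sent far fewer, so the copy runs off the end of the request into neighbouring memory. The fixed version adds the two length checks that the OpenSSL 1.0.1g patch introduced. The "heap" array, the record contents and the secret string are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */

/* Constructed stand-in for the server's heap (not a real capture): the
 * incoming heartbeat record is placed at the start, and a secret from an
 * earlier request is placed right after it, where an over-read will land. */
#define HEAP_SIZE 512
static unsigned char heap[HEAP_SIZE];
static unsigned char resp[HEAP_SIZE + 3 + HB_PADDING];
static const char secret[] = "user=alice&password=hunter2";

typedef size_t (*handler_fn)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out);

/* Write a heartbeat request, type(1) | payload_length(2, big-endian) |
 * payload | padding(16), into dst. The sender fills in payload_length
 * independently of the bytes it really sends; that mismatch is the attack.
 * Returns the record's true length. */
static size_t build_request(unsigned char *dst, uint16_t claimed_len,
                            const char *data, size_t real_len)
{
    size_t n = 0;
    dst[n++] = TLS1_HB_REQUEST;
    dst[n++] = (unsigned char)(claimed_len >> 8);
    dst[n++] = (unsigned char)(claimed_len & 0xff);
    memcpy(dst + n, data, real_len);
    n += real_len;
    memset(dst + n, 0xAA, HB_PADDING);
    return n + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 to 1.0.1f: the claimed
 * length is trusted and echoed back without being compared to rec_len, so
 * the copy runs past the record into whatever follows it in memory. */
static size_t handle_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out)
{
    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    const unsigned char *pl = rec + 3;
    (void)rec_len;                      /* never consulted: the bug */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);       /* over-read when payload > real data */
    memset(out + 3 + payload, 0xAA, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler with the two checks the 1.0.1g patch added: a record too
 * short for header plus padding, or whose claimed payload does not fit in
 * the record, is silently discarded as RFC 6520 section 4 requires. */
static size_t handle_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out)
{
    unsigned char hbtype;
    uint16_t payload;
    const unsigned char *pl;
    if (1 + 2 + HB_PADDING > rec_len) return 0;
    hbtype = rec[0];
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    pl = rec + 3;
    if ((size_t)(1 + 2 + payload + HB_PADDING) > rec_len) return 0;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);       /* now guaranteed inside the record */
    memset(out + 3 + payload, 0xAA, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Stage the heap with a 2-byte real payload ("hi") plus the secret behind it,
 * run one handler, and return the response length (0 = discarded). */
static size_t response_len(handler_fn handler, uint16_t claimed_len)
{
    size_t rec_len;
    memset(heap, 0, sizeof heap);
    rec_len = build_request(heap, claimed_len, "hi", 2);
    memcpy(heap + rec_len, secret, sizeof secret);
    if (claimed_len > HEAP_SIZE - 3) return 0;  /* keep the demo inside our array */
    return handler(heap, rec_len, resp);
}

/* 1 if the response carries the secret string, 0 otherwise. */
static int secret_leaks(handler_fn handler, uint16_t claimed_len)
{
    size_t n = response_len(handler, claimed_len);
    size_t m = strlen(secret), i;
    for (i = 0; i + m <= n; i++)
        if (memcmp(resp + i, secret, m) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable handler, claimed length 64, leaks secret: %d\n",
           secret_leaks(handle_vulnerable, 64));
    printf("fixed handler,      claimed length 64, leaks secret: %d\n",
           secret_leaks(handle_fixed, 64));
    printf("fixed handler,      honest length 2,   replies with %zu bytes\n",
           response_len(handle_fixed, 2));
    return 0;
}
```

The real bug read from the process heap, so what came back was whatever happened to be nearby: fragments of other users' requests, cookies, and occasionally key material. Here the secret is placed deliberately right after the record so the effect is visible on every run.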

"Is my Second Life account affected?"


No. Linden Lab has issued an official statement: http://community.secondlife.com/t5/Tools-and-Technology/Account-Safety-and-the-Heartbleed-OpenSSL-Bug/ba-p/2619322

However, if you have used the same password that you use in SL in a vulnerable site, it's recommended that you change your SL password because it might have been exposed through the other site.

"I doubt anyone has specific interest in me. Why should I take any action?"


An attacker can read whatever happens to be in the server's memory at that moment: passwords, session cookies and other data from whoever has used the site recently. Even if the attack is not aimed at you specifically, it may be aimed at you generically, meaning that someone could be harvesting accounts in bulk for a nefarious purpose, and you could be a random victim.

Additionally, the bug works in both directions: if the software on your end uses a vulnerable OpenSSL, a malicious site could have been reading information from your computer in the same way.

"OK, and how can I protect myself?"


Changing your password on an affected site, once the site has been fixed and before anyone has the opportunity to use the old one, is a good first step. If you have used digital certificates with a particular site (for example a client certificate to log in), the problem is more serious for you, because the private key behind the certificate may have been exposed and needs to be revoked and replaced. Search for information on Heartbleed and certificates to know more.

Also, the bug is still out there: many sites remain unpatched, so don't enter any passwords on sites that are still affected by the Heartbleed bug. The bug affects any service that uses a vulnerable OpenSSL for encrypted connections, but for web logins the relevant case is https: if the address of the page where you enter the password begins with https://, it is a candidate to check. (A login page served over plain http:// is not affected by Heartbleed, but it sends your password unencrypted, which is a different problem.)

"And how do I know if a site is affected?"


If you use Chrome or Chromium, you can install an extension that checks whether the site you are opening is vulnerable:
https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

If you use Firefox, there is a similar one: https://addons.mozilla.org/en-US/firefox/addon/heartbleed/ but it is not officially endorsed by Mozilla and it uses an external checking service.

If you use another browser, you can still check a site with one of these online tools: http://filippo.io/Heartbleed/ or http://possible.lv/tools/hb/

If you can run programs written in Python you can also use this tool: http://foxitsecurity.files.wordpress.com/2014/04/fox_heartbleedtest.zip
