♫ if you could hear my heartbleed
you’d hear me scream set me free
if you could feel my heart bleed..♫
Lyrics, music and recorded by the Peppermint Creeps.
The Heartbleed vulnerability has garnered a lot of press lately. It has (understandably) set many on edge and left them wondering whether they are vulnerable and, if so, what they should be doing about it. Our colleague, friend (and past columnist) Laura Calloway, attorney, past ABA TECHSHOW Chair and Director of Service Programs and Practice Management Assistance Program at the Alabama State Bar, wrote this piece on Heartbleed, and we have reproduced it here with her permission.
I was out of the office last week when the Heartbleed bug burst into the news so, while I’m a little slow getting information posted about it, things seemed to have resolved themselves and I now feel comfortable providing our members with some information and recommendations about how to deal with it.
What is Heartbleed?
Many websites allow users to log in to complete tasks such as viewing and sending web based email, purchasing goods, viewing bank balances, transferring funds, paying bills, or doing legal research or interacting with client information such as calendar items, to-dos or client documents stored in the cloud. In order to keep your information confidential, the websites encrypt it before it’s transferred over the internet, using what’s called a private key. Many of these interactive websites use an open source program called OpenSSL to handle the encryption, and Heartbleed is a flaw in the program that allows an intruder to find the private key and use it to unencrypt the data being transmitted and read it, including usernames, passwords, the contents of email and financial data.
A real world analogy would be that you hid a key to your house in the potted plant next to the front door, but you left it so exposed that anyone coming up on the porch and looking into the plant could see it, take it, and gain access to your house if they wanted to. And like in this real world example, you’d never know that someone had used the key to come into your house unless you caught them inside.
There is no way to be sure at this point whether someone has or has not intercepted your data transmissions while you interacted with a site that uses the software with the flaw.
Does Heartbleed affect me?
If you use interactive websites that allow you to log on to engage in secure transactions, it’s likely that at least some of those websites used the software with the flaw. In addition, some other devices such as internet routers and telephones that use VoIP (voice over internet protocol) rather than the phone company’s copper wires, may also be affected.
The Alabama State Bar’s site uses an older version of OpenSSL, which did not contain the flaw. Thus, none of our users were affected when logging in to our site.
Major sites that were affected include Google and Gmail, Yahoo and Yahoo Mail, Dropbox, Box, Instagram, Pinterest, Tumblr, Etsy, Flickr, Minecraft, Netflix, SoundCloud and YouTube. It appears that Facebook and Pandora may also have been affected. Although Amazon’s sales website was not affected, Amazon Web Services was, meaning that any website operator who uses this hosting service to provide its website has vulnerable users, too. The major banking sites don’t appear to have been affected, but USAA’s site was. You can find a list of possibly affected sites here. To determine whether other websites that you log into are affected, try the Heartbleed Checker provided by LastPass.
What should I do now to protect myself?
Because Heartbleed is not a virus that infects your computer but a flaw in the software used to operate a website that you can interact with over the internet, you will need to change your password for every affected website, but you should first make sure that the operator of the website has fixed the flaw in their version of OpenSSL and also renewed the security keys and issued a new SSL certificate. As long as the website still relies on an unpatched version of OpenSSL for encryption or hasn’t renewed the security certificate after patching, the data you are transmitting remains vulnerable and changing your password won’t help. In fact, doing so will expose the current and new password.
The LastPass checker linked to above should give you both an assessment of whether the site was affected and the date the most recent security certificate was issued. If it doesn’t, IT World writer Melanie Pinola has a good article on when to change your passwords and has also posted a spreadsheet listing all the sites she has checked, the date she checked them and her recommendation of whether it’s time to change passwords.
If you use the Google Chrome browser, there is an extension called Chromebleed which, once installed, will alert you if you navigate to a site that is affected and has not been patched, but this can give you a false negative because it won’t tell you whether the security certificate has been reissued.
-Laura A. Calloway, Director of Service Programs and Practice Management Assistance Program, Alabama State Bar.
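The order of checks in the article above (was the site affected, has it been patched, has the certificate been reissued) can be written as a small triage routine. This is an added example, not part of Laura Calloway's piece or the original post; the hostnames, patch status and certificate dates are constructed, and the 7 April 2014 disclosure date is an assumption not stated on the page.

```python
import ssl
from datetime import datetime, timezone

# Assumption (not from the article): Heartbleed was publicly disclosed on 7 April 2014.
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued(not_before: str) -> datetime:
    """Parse a certificate 'notBefore' string in the format Python's ssl module reports."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)


def password_advice(was_affected: bool, is_patched: bool, not_before: str) -> str:
    """Apply the article's ordering: patch first, then new certificate, then new password."""
    if not was_affected:
        return "no change needed"
    if not is_patched:
        # A new password sent to an unpatched server is exposed like the old one.
        return "wait: site still unpatched"
    if cert_issued(not_before) < DISCLOSED:
        # The case a patch-only check misses: the old key pair is still in service.
        return "wait: patched but certificate not reissued"
    # The issue date is only a proxy for a fresh key; it does not prove one was generated.
    return "change password now"


# Constructed sample data: (was_affected, is_patched, certificate notBefore)
SITES = {
    "old-openssl.example": (False, True, "Jan 15 00:00:00 2013 GMT"),
    "unpatched.example": (True, False, "Mar 01 00:00:00 2014 GMT"),
    "patched-old-cert.example": (True, True, "Mar 01 00:00:00 2014 GMT"),
    "reissued.example": (True, True, "Apr 10 00:00:00 2014 GMT"),
}


def triage(sites: dict) -> dict:
    """Return the advice for every site in the inventory."""
    return {host: password_advice(*facts) for host, facts in sites.items()}


if __name__ == "__main__":
    for host, advice in triage(SITES).items():
        print(f"{host:26} {advice}")
```
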
Interestingly, Laura has noted that the New York Times has reported a lack of evidence that the Heartbleed vulnerability was exploited prior to its announcement, but that attempts are picking up given all the publicity it has received. Accordingly, it is important to take the steps that Laura has indicated to change your password on sites that may have been affected.