HeartBleed: What Does This Cyber Vulnerability Mean To You?
By Robert C. Hembrook - Published, April 11, 2014
Recent news articles have discussed a newly discovered cybersecurity vulnerability given the nickname "Heartbleed." Heartbleed involves the Secure Sockets Layer (SSL), which enables secure transactions across the World Wide Web (e.g., https sites). Without SSL, everything you send over the Internet is sent in clear text, and can be read by anyone on your network. SSL helps encrypt data so that only the sender and receiver can see/use it.
What is Heartbleed?
Heartbleed is a vulnerability in the encryption code of one brand of SSL software, called OpenSSL. This vulnerability takes advantage of data stored on servers and not consumer devices. It is not a virus that can be mitigated by consumer security software. OpenSSL is not used just in web transactions, but also in other related areas, such as email, Virtual Private Networks, chat, and for router and server activity. Heartbleed does not give attackers direct access to your personal information, but it lets them grab "chunks" of memory. Doing this repeatedly, then reassembling the memory could conceivably give the attacker a file that has your login, password, encryption keys and other information.
The OpenSSL flaw that enabled Heartbleed has been repaired by a patch available in OpenSSL version 1.0.1g. The DoD and companies around the world are quickly upgrading their systems to this latest version of OpenSSL to patch the vulnerability.
What Should You Do?
While our DoD networks are protected by CAC-PKI login, and commercially written SSL software has not proven to be vulnerable to this attack, the possibility exists that any government or non-government website that uses SSL might have been compromised. It is the responsibility of Internet companies/organizations to update their servers to deal with Heartbleed. However, the best approach is to assume you also need to take some action.
- You need to know if the websites you log in to have been affected by Heartbleed. Those organizations should be contacting you if they have, but there are sources you can check on your own (searching on "Heartbleed" will provide options).
Though no problems have been reported, it wouldn't hurt to keep an eye on sensitive online accounts (especially financial) for any suspicious activity.
- Change your passwords for major accounts — email, banking and social media logins — on sites that were affected by Heartbleed but patched/mitigated the problem. However, if the site or service hasn't patched the flaw yet, there is no point in changing your password. Instead, ask the company when it expects to fix the Heartbleed bug.
- Once you are ready to change your passwords, there are a few general rules to follow:
- Good passwords are long (more than 8 characters) and complex, using UPPER CASE as well as lower case letters, numbers (1,2,3…) and special characters (!@#$...).
- Choose a different password for each account. If you use the same password across many sites and your password gets compromised from an unpatched site, then the attackers can get into your other sites as well.
- Passwords should be changed regularly.
- Protect your passwords like you would your ID card. Don’t keep your passwords in an unprotected file on your computer. You can write them on a piece of paper, as long as you don’t leave it in your workspaces where others can find them.
These rules for passwords are applicable even without the cybersecurity dangers that crop up like Heartbleed. The ability and intent of hackers to infiltrate systems has only increased. The best defense is a good offense, which means being proactive in keeping all of your professional and personal data secure.