By now, there’s a good chance you’ve heard about the so-called “Heartbleed” vulnerability recently discovered in the software that is responsible for creating the secure connections between us web users and the sites we interact with.
No? Well here’s a quick re-cap.
Turns out that every time you’ve seen that little yellow lock icon and the
"https://" in your address bar over the last two years, your private and confidential info wasn’t as secure as you’ve been led to believe. Around two years ago, the group that is responsible for updating OpenSSL (the free software that tons of sites use to enable encryption), made a small change to the way that software handles secure connections. A small change with huge consequences. That change not only made it possible for a 3rd party– and I mean any 3rd party– to listen in on your secure session, it also made it possible to decode what was being said and from that info they could glean usernames, passwords and potentially credit card and other data too. Yup, it’s as bad as it sounds.
Worse still, OpenSSL isn’t just installed on a few small websites. By all accounts, it’s been implemented on a third of all secure websites, including some monsters like Yahoo and even a few of Google’s too. Revenue Canada was one of them.
Now I know what you’re thinking: Goddamn it. Yet another threat to my personal info. What’s with these companies that they can’t take security more seriously? And you’re right, this is yet another instance of our personal info being exposed thanks to insufficient measures being taken by the companies we trust.
But before we hop on a plane, pitchforks in hand, to show our displeasure to these groups who opened us up to such a deep invasion of our privacy, let’s take a second and consider a few things.
First, even though this flaw has been a part of OpenSSL for nearly two years, it was only in the last week that security researchers were able to identify it and exploit it (that last part being frighteningly easy to accomplish). But as easy as it was to exploit, it was not easy to find. That means that if you’re concerned about your personal info having been stolen during this period, you can probably relax a little. The nature of the exploit is such that only the information that was transmitted during a small window of time prior to someone “listening in,” would be available to an attacker. So unless we’re talking about a very sophisticated group of thieves with the resources to set up 24-hour “surveillance” of vulnerable sites (something that has a few folks screaming “NSA!!”) statistically it’s not all that likely that your info was taken.
But I realize that’s cold comfort. Especially now that the flaw has been exposed and no doubt every hacker worth their salt will be trying it out. But there’s some good news.
Because the flaw is a fairly “real-time” vulnerability, meaning it can only be exploited within a few moments of a secure transaction taking place, if you stay away from vulnerable sites until they’ve had a chance to seal up the hole, you aren’t increasing the risk of your info being taken (assuming it hasn’t been taken already).
So hold tight, and check your favourite sites for news that they’ve taken the necessary steps. How? Here’s a simple tool that lets you input the URL and get the results.
Once you’re fairly convinced that the site has got the fix in place, go and change your password as soon as possible. I know I said the risk wasn’t high, but why take chances? But here’s the part you’re going to hate: Don’t just change all of you passwords to the same, new password. Use a different one for each site. Yes, it’s a total drag but I have two suggestions to ease the pain.
1) Sign up for and use a password service like LastPass. It costs money and it takes a bit of a change of habit to use, but these services create very strong, unique passwords for each site and you only have to remember one (hopefully very strong) password to access everything.
2) If LastPass isn’t your cup of tea (or you simply distrust all of your passwords being kept in one place no matter how much like Fort Knox it may be protected), create your own password template and use it for each site. Here’s an example: Come up with a base for the password, e.g. IronM@nIsCool3rThanTh0r (yes that’s kind of long, but when it comes to passwords, longer is always better). Now, figure out a two or three character way of identifying the site you’re on. For instance Amazon.ca could be “Ama” or “Amz”. You’ll have to figure out which three characters to use, but it’s not that hard. Then throw these characters into your base like so: IronM@nIsCool3rAmaThanTh0r
The idea here is that even if Amazon were to be compromised, the attacker would have to find your username and password and then go about the process of figuring out which of the characters you changed on all of the other sites. This is difficult stuff, best done by humans instead of machines, and most hackers just don’t care enough to try – they’ll be plenty busy trying out passwords that actually work because they’re the same on every site.
Lastly, wherever possible, turn on two-factor authentication. Yes, it’s another painful step in an already painful security environment but this one really does make it tough on the thieves. You can give your mobile phone number to sites and then when you go to log in, they’ll text you a code to your phone. If the thief doesn’t have your phone, they won’t be getting into that site.