By now, there’s a good chance you’ve heard about the so-called “Heartbleed” vulnerability recently discovered in the software that is responsible for creating the secure connections between us web users and the sites we interact with.
No? Well, here’s a quick recap.
Turns out that every time you’ve seen that little yellow lock icon and the "https://" in your address bar over the last two years, your private and confidential info wasn’t as secure as you’ve been led to believe. Around two years ago, the group that is responsible for updating OpenSSL (the free software that tons of sites use to enable encryption) made a small change to the way that software handles secure connections. A small change with huge consequences. That change not only made it possible for a 3rd party– and I mean any 3rd party– to listen in on your secure session, it also made it possible to decode what was being said, and from that info they could glean usernames, passwords and potentially credit card and other data too. Yup, it’s as bad as it sounds.
Worse still, OpenSSL isn’t just installed on a few small websites. By all accounts, it’s been implemented on a third of all secure websites, including some monsters like Yahoo and even a few of Google’s too. Revenue Canada was one of them.
Now I know what you’re thinking: Goddamn it. Yet another threat to my personal info. What’s with these companies that they can’t take security more seriously? And you’re right, this is yet another instance of our personal info being exposed thanks to insufficient measures being taken by the companies we trust.
But before we hop on a plane, pitchforks in hand, to show our displeasure to these groups who opened us up to such a deep invasion of our privacy, let’s take a second and consider a few things.
First, even though this flaw has been a part of OpenSSL for nearly two years, it was only in the last week that security researchers were able to identify it and exploit it (that last part being frighteningly easy to accomplish). But as easy as it was to exploit, it was not easy to find. That means that if you’re concerned about your personal info having been stolen during this period, you can probably relax a little. The nature of the exploit is such that only the information that was transmitted during a small window of time prior to someone “listening in,” would be available to an attacker. So unless we’re talking about a very sophisticated group of thieves with the resources to set up 24-hour “surveillance” of vulnerable sites (something that has a few folks screaming “NSA!!”) statistically it’s not all that likely that your info was taken.
But I realize that’s cold comfort. Especially now that the flaw has been exposed and no doubt every hacker worth their salt will be trying it out. But there’s some good news.
Because the flaw is a fairly “real-time” vulnerability, meaning it can only be exploited within a few moments of a secure transaction taking place, if you stay away from vulnerable sites until they’ve had a chance to seal up the hole, you aren’t increasing the risk of your info being taken (assuming it hasn’t been taken already).
So hold tight, and check your favourite sites for news that they’ve taken the necessary steps. How? Here’s a simple tool that lets you input the URL and get the results.
Once you’re fairly convinced that the site has got the fix in place, go and change your password as soon as possible. I know I said the risk wasn’t high, but why take chances? But here’s the part you’re going to hate: Don’t just change all of your passwords to the same, new password. Use a different one for each site. Yes, it’s a total drag but I have two suggestions to ease the pain.
1) Sign up for and use a password service like LastPass. It costs money and it takes a bit of a change of habit to use, but these services create very strong, unique passwords for each site and you only have to remember one (hopefully very strong) password to access everything.
2) If LastPass isn’t your cup of tea (or you simply distrust all of your passwords being kept in one place no matter how much like Fort Knox it may be protected), create your own password template and use it for each site. Here’s an example: Come up with a base for the password, e.g. IronM@nIsCool3rThanTh0r (yes that’s kind of long, but when it comes to passwords, longer is always better). Now, figure out a two or three character way of identifying the site you’re on. For instance Amazon.ca could be “Ama” or “Amz”. You’ll have to figure out which three characters to use, but it’s not that hard. Then throw these characters into your base like so: IronM@nIsCool3rAmaThanTh0r
The idea here is that even if Amazon were to be compromised, the attacker would have to find your username and password and then go about the process of figuring out which of the characters you changed on all of the other sites. This is difficult stuff, best done by humans instead of machines, and most hackers just don’t care enough to try – they’ll be plenty busy trying out passwords that actually work because they’re the same on every site.
Lastly, wherever possible, turn on two-factor authentication. Yes, it’s another painful step in an already painful security environment but this one really does make it tough on the thieves. You can give your mobile phone number to sites and then when you go to log in, they’ll text you a code to your phone. If the thief doesn’t have your phone, they won’t be getting into that site.
It certainly makes for a good headline, doesn’t it?
Even though that’s not what Business Week used as the lead for their article about password security last month, it might as well have been.
The article lists off a bunch of password combinations including length (from 6 to 9 characters) and complexity (with or without upper/lower case and with or without special characters) and then gives the approximate times it would take a dedicated hacker to crack those passwords.
The first combination, 6 all-lowercase characters with no numbers, change of case or special characters, can supposedly be guessed in as little as 10 minutes. That claim is designed to scare you as well it should.
The last combination, 9 mixed-case characters with numbers and special characters, will take a mind-blowing 44,530 years to crack.
Okay then, case closed right? Everyone just needs to use this combination for their password – or even the slightly less secure 8 character version which will still take 463 years to break – and the hackers will be out of business and we’ll all sleep peacefully knowing our precious Facebook status updates can’t be hijacked by some jerk.
While I would love it if things were that simple, I was skeptical after reading the article and decided to reach out to a security expert for a quick sanity check.
Marc Fossi, Executive Editor, Internet Security Threat Report over at Symantec spoke to me by phone and helped shed some light on the whole password security issue.
The bottom line for Fossi? “There’s no single silver bullet for security.”
“Security is a process,” he says and by that he means that if you’re taking comfort in the fact that you have one of those 44,530 year passwords, you should be thinking bigger-picture.
The fact is, most successful password hacks aren’t hacks at all. They’re the result of malware infecting your computer through a variety of means – perhaps you opened an infected email attachment, or loaded a file off a USB key that had been previously altered, or you grabbed a BitTorrent file that had been seeded as a honey-pot. The list, sadly, is long and varied. However it happens, it’s this virus sitting silently inside your PC that is the real thief and threat. It can track every keystroke you make on your keyboard and hand-deliver it to the waiting hacker, who simply has to read through the resulting text to find exactly what s/he’s looking for.
And thanks to our own lazy habit of password re-use, which Fossi flags as a serious problem, that one password may be the only one the hacker needs to gain access to your financial institution(s), email or corporate intranet.
Suddenly that crazy 9 character string of nonsense doesn’t seem so safe does it?
In case you haven’t already guessed, and there really should be no surprise here – Fossi suggests using a security product such as Symantec’s Norton 360. There are other options as well, ranging from the free AVG and Avast! to monthly paid options from your ISP.
But even the combination of strong passwords and a comprehensive security suite can’t provide 100% protection. Especially in our wireless world of Wi-Fi. Unlike with many password-protected websites which often limit the number of incorrect login attempts, thus keeping the brute-force method somewhat at bay, there is no such protection on most home Wi-Fi routers, leaving them open to a hacker in a car with a powerful laptop. Fossi notes that even the outrageously long times cited in the Business Week article could be cut in half or much more with today’s modern quad-core processors. Worse yet, if the hacker has access to a network of cloud-based computers, the total number of CPUs that could be brought to bear on the cracking of your password could number in the hundreds. The article simply doesn’t say what machinery was used to come up with those numbers.
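To see how the article’s crack times hang together, and how quickly Fossi’s extra hardware eats into them, here is an added worked calculation (mine, not the Business Week article’s or Symantec’s). It assumes 26 lowercase letters, 26 uppercase, 10 digits and the 32 printable ASCII punctuation marks, and infers the guess rate the article must have used from its own “6 lowercase letters in 10 minutes” figure.

```python
import string

# Character-class sizes assumed here: 26 lowercase, 26 uppercase,
# 10 digits and the 32 printable ASCII punctuation marks.
LOWER, UPPER = len(string.ascii_lowercase), len(string.ascii_uppercase)
DIGITS, SPECIAL = len(string.digits), len(string.punctuation)
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, mixed_case=False, digits=False, special=False):
    """Number of candidates an exhaustive search must try."""
    alphabet = LOWER + (UPPER if mixed_case else 0)
    alphabet += (DIGITS if digits else 0) + (SPECIAL if special else 0)
    return alphabet ** length


def implied_guess_rate():
    """Guesses per second the article must have assumed: its first
    combination (6 lowercase letters) falls in 10 minutes."""
    return keyspace(6) / (10 * 60)


def worst_case_years(space, guesses_per_second):
    """Time to try the whole space; the average case is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def years_with_more_hardware(space, guesses_per_second, cpu_multiplier):
    """Fossi's point: N times the hardware divides the time by N."""
    return worst_case_years(space, guesses_per_second * cpu_multiplier)


def article_table(cpu_multiplier=1):
    """Crack times (years) for the three combinations the article quotes,
    at the inferred rate scaled by cpu_multiplier."""
    rate = implied_guess_rate()
    combos = {
        "6 lowercase": keyspace(6),
        "8 mixed+digits+special": keyspace(8, True, True, True),
        "9 mixed+digits+special": keyspace(9, True, True, True),
    }
    return {name: years_with_more_hardware(space, rate, cpu_multiplier)
            for name, space in combos.items()}


if __name__ == "__main__":
    # one core, a quad-core box, a few hundred cloud CPUs
    for mult in (1, 4, 400):
        print(f"--- {mult}x the article's guess rate ---")
        for name, years in article_table(mult).items():
            print(f"{name:>24}: {years:14.4f} years")
```

At the inferred rate the 8- and 9-character figures land in the same ballpark as the article’s 463 and 44,530 years, and the table for 400 CPUs shows why Fossi says those numbers depend entirely on the machinery behind them.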
So while there may not be a “silver bullet”, there are still some best practices when it comes to keeping your data from prying eyes:
– Definitely use a “strong” password of at least 8 mixed-case letters with numbers and special characters. It may not provide complete protection but it is far better than a simpler password.
– Having trouble remembering that combination? Use what Fossi calls a “pass-phrase” instead of a password: Take the first letters from the words in an eight-word phrase that is easy for you to remember, for instance “Honey Can You Please Take Out The Trash” and convert it into: HcYpT0T# (note the “O” from “Out” is now a zero and “Trash” has become the # sign).
– Use anti-virus software, keep it up to date, and make sure you scan ALL files and attachments
– If you have Wi-Fi at home, make sure to use WPA2 as the security protocol – it is FAR more secure than the older WEP and WPA protocols
– Change your passwords regularly. Even if a hacker manages to get one of your passwords, it may be days, weeks or months before they get around to trying it – hey they deal in volume after all – by that time you will have moved on and they’ll be locked out.
Readers, do you have any suggestions to add to this list?
W32 Stuxnet is a virus that first appeared earlier this year and has gained a fair share of infamy and media attention for its alleged attacks on industrial installations, the most publicized being a nuclear power plant in Iran.
The virus works by first infecting a computer running the Windows operating system. Programmers in commercial environments – say an assembly line – use these computers to upload code to devices known as Programmable Logic Controllers or PLCs. The problem comes when the Stuxnet virus hijacks this uploaded code and from then on resides in the PLC itself where it can alter the function of these devices.
Unfortunately, we’re not talking about a robot making incorrect welds on a Ford F-150, though that would be bad. Much worse is the theoretical threat that Symantec has outlined in one of their blogs about Stuxnet. They detail an event that took place when malicious code infected the PLC governing the operation of a pipeline:
Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline’s pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.
Though this incident was not caused by Stuxnet, Symantec is pointing out the way in which it could be used, which is why Stuxnet has been labeled by some as the first “cyber super weapon”.
Needless to say, there are a lot of panicky people out there who are anxious to rid themselves of this virus, even if they aren’t in the business of programming PLCs. But Symantec has a warning for anyone out there looking for a quick fix: the cure may be worse than the virus.
Apparently there is a tool circulating the web right now – mainly in forums that discuss the Stuxnet virus – that promises to get rid of Stuxnet for you, and even claims to be from Microsoft. Neither could be further from the truth.
Well, almost. The supposedly helpful “tool” will rid your PC of Stuxnet if you have it, but it doesn’t discriminate one type of file from another and within a few minutes of running the program, your entire C drive is wiped clean. Stuxnet is gone. And so is everything else.
Typically Microsoft does not issue removal tools for individual security threats like Stuxnet, instead relying on a single Malicious Software Removal Tool, which is updated regularly to identify and remove a whole list of nasty bugs, including Stuxnet.
If you think you are already infected, running this tool should take care of it for you. If you haven’t been infected, but are concerned that you might be vulnerable, here are some suggestions:
- Install and then regularly update an anti-virus tool such as Norton, Bell Internet Security or the freely available AVG.
- Turn on Microsoft Windows Update and make sure you install all recommended updates. The most recent update, released on Tuesday, fixes the hole in Windows that allows Stuxnet to do its damage.
- Surf with caution: Avoid links in emails from people you don’t know. Be wary when using file sharing services. Never open attachments that you weren’t expecting.
But be warned, as you watch the evening unfold on TV as well as online, there are plenty of party-poopers out there who will be trying to spoil your evening – and we don’t mean by giving away the ending.
According to Symantec, the creators of the Norton family of security products, plenty of malicious websites have already been created and are appearing in the search results related to potential Oscar-winners.
How bad is it? Symantec claims “Out of the top 100 search results related to the Oscar nomination announcements, more than 42% contained potentially malicious content.”
That’s a lot of risky sites!
But it seems that the cybercriminals have been deliberate in their choice of which actors and films to use as bait for unsuspecting web-surfers. Of all the Oscar-related searches, it turns out that George Clooney has the most malicious results of any nominated actor, Meryl Streep of any nominated actress and the movie “Nine” of any nominated movie.
While the choices of Clooney and Streep aren’t surprising, as they appear to be the front-runners in their respective categories, “Nine” is a more curious choice given that the big contest amongst movies is between James Cameron’s “Avatar” and his ex-wife Kathryn Bigelow’s “The Hurt Locker.”
Whatever the motivation, suffice it to say you should use care when checking out sites that claim to have the latest information on these and other Oscar topics.
An up-to-date security package might not be a bad idea either :-)