By now, there’s a good chance you’ve heard about the so-called “Heartbleed” vulnerability recently discovered in the software that is responsible for creating the secure connections between us web users and the sites we interact with.
No? Well, here’s a quick recap.
Turns out that every time you’ve seen that little yellow lock icon and the "https://" in your address bar over the last two years, your private and confidential info wasn’t as secure as you’ve been led to believe. Around two years ago, the group that is responsible for updating OpenSSL (the free software that tons of sites use to enable encryption) made a small change to the way that software handles secure connections. A small change with huge consequences. That change not only made it possible for a third party (and I mean any third party) to listen in on your secure session, it also made it possible to decode what was being said, and from that info they could glean usernames, passwords and potentially credit card and other data too. Yup, it’s as bad as it sounds.
Worse still, OpenSSL isn’t just installed on a few small websites. By all accounts, it’s been implemented on a third of all secure websites, including some monsters like Yahoo and even a few of Google’s too. Revenue Canada was one of them.
Now I know what you’re thinking: Goddamn it. Yet another threat to my personal info. What’s with these companies that they can’t take security more seriously? And you’re right, this is yet another instance of our personal info being exposed thanks to insufficient measures being taken by the companies we trust.
But before we hop on a plane, pitchforks in hand, to show our displeasure to these groups who opened us up to such a deep invasion of our privacy, let’s take a second and consider a few things.
First, even though this flaw has been a part of OpenSSL for nearly two years, it was only in the last week that security researchers were able to identify it and exploit it (that last part being frighteningly easy to accomplish). But as easy as it was to exploit, it was not easy to find. That means that if you’re concerned about your personal info having been stolen during this period, you can probably relax a little. The nature of the exploit is such that only the information that was transmitted during a small window of time prior to someone “listening in” would be available to an attacker. So unless we’re talking about a very sophisticated group of thieves with the resources to set up 24-hour “surveillance” of vulnerable sites (something that has a few folks screaming “NSA!!”), statistically it’s not all that likely that your info was taken.
But I realize that’s cold comfort. Especially now that the flaw has been exposed and no doubt every hacker worth their salt will be trying it out. But there’s some good news.
Because the flaw is a fairly “real-time” vulnerability (it can only be exploited within a few moments of a secure transaction taking place), if you stay away from vulnerable sites until they’ve had a chance to seal up the hole, you aren’t increasing the risk of your info being taken (assuming it hasn’t been taken already).
So hold tight, and check your favourite sites for news that they’ve taken the necessary steps. How? Here’s a simple tool that lets you input the URL and get the results.
Once you’re fairly convinced that the site has got the fix in place, go and change your password as soon as possible. I know I said the risk wasn’t high, but why take chances? But here’s the part you’re going to hate: Don’t just change all of your passwords to the same new password. Use a different one for each site. Yes, it’s a total drag, but I have two suggestions to ease the pain.
1) Sign up for and use a password service like LastPass. It costs money and it takes a bit of a change of habit to use, but these services create very strong, unique passwords for each site and you only have to remember one (hopefully very strong) password to access everything.
2) If LastPass isn’t your cup of tea (or you simply distrust all of your passwords being kept in one place, no matter how much like Fort Knox it may be protected), create your own password template and use it for each site. Here’s an example: Come up with a base for the password, e.g. IronM@nIsCool3rThanTh0r (yes, that’s kind of long, but when it comes to passwords, longer is always better). Now, figure out a two- or three-character way of identifying the site you’re on. For instance, Amazon.ca could be “Ama” or “Amz”. You’ll have to figure out which three characters to use, but it’s not that hard. Then throw these characters into your base like so: IronM@nIsCool3rAmaThanTh0r
The idea here is that even if Amazon were to be compromised, the attacker would have to find your username and password and then go about the process of figuring out which of the characters you changed on all of the other sites. This is difficult stuff, best done by humans instead of machines, and most hackers just don’t care enough to try – they’ll be plenty busy trying out passwords that actually work because they’re the same on every site.
Lastly, wherever possible, turn on two-factor authentication. Yes, it’s another painful step in an already painful security environment but this one really does make it tough on the thieves. You can give your mobile phone number to sites and then when you go to log in, they’ll text you a code to your phone. If the thief doesn’t have your phone, they won’t be getting into that site.
It certainly makes for a good headline, doesn’t it?
Even though that’s not what Business Week used as the lead for their article about password security last month, it might as well have been.
The article lists off a bunch of password combinations, varying length (from 6 to 9 characters) and complexity (with or without upper/lower case and with or without special characters), and then gives the approximate time it would take a dedicated hacker to crack each one.
The first combination, 6 all-lowercase characters with no numbers, change of case or special characters, can supposedly be guessed in as little as 10 minutes. That claim is designed to scare you, and well it should.
The last combination, 9 mixed-case characters with numbers and special characters, will take a mind-blowing 44,530 years to crack.
Okay then, case closed right? Everyone just needs to use this combination for their password – or even the slightly less secure 8 character version which will still take 463 years to break – and the hackers will be out of business and we’ll all sleep peacefully knowing our precious Facebook status updates can’t be hijacked by some jerk.
While I would love it if things were that simple, I was skeptical after reading the article and decided to reach out to a security expert for a quick sanity check.
Marc Fossi, Executive Editor of the Internet Security Threat Report over at Symantec, spoke to me by phone and helped shed some light on the whole password security issue.
The bottom line for Fossi? “There’s no single silver bullet for security.”
“Security is a process,” he says, and by that he means that if you’re taking comfort in the fact that you have one of those 44,530-year passwords, you should be thinking bigger-picture.
The fact is, most successful password hacks aren’t hacks at all. They’re the result of malware infecting your computer through a variety of means: perhaps you opened an infected email attachment, or loaded a file off a USB key that had been previously altered, or you grabbed a BitTorrent file that had been seeded as a honey-pot. The list, sadly, is long and varied. However it happens, it’s this virus sitting silently inside your PC that is the real thief and threat. It can track every keystroke you make on your keyboard and hand-deliver it to the waiting hacker, who simply has to read through the resulting text to find exactly what s/he’s looking for.
And thanks to our own lazy habit of password re-use, which Fossi flags as a serious problem, that one password may be the only one the hacker needs to gain access to your financial institution(s), email or corporate intranet.
Suddenly that crazy 9-character string of nonsense doesn’t seem so safe, does it?
In case you haven’t already guessed (and there really should be no surprise here), Fossi suggests using a security product such as Symantec’s Norton 360. There are other options as well, ranging from the free AVG and Avast! to monthly paid options from your ISP.
But even the combination of strong passwords and a comprehensive security suite can’t provide 100% protection. Especially in our wireless world of Wi-Fi. Unlike many password-protected websites, which often limit the number of incorrect login attempts and thus keep the brute-force method somewhat at bay, most home Wi-Fi routers have no such protection, leaving them open to a hacker in a car with a powerful laptop. Fossi notes that even the outrageously long times cited in the Business Week article could be cut in half or much more with today’s modern quad-core processors. Worse yet, if the hacker has access to a network of cloud-based computers, the total number of CPUs that could be brought to bear on cracking your password could number in the hundreds. The article simply doesn’t say what machinery was used to come up with those numbers.
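The arithmetic behind a crack-time table like the one quoted above, as an added example (not code from the article, Business Week or Fossi): it backs out the guessing rate the three quoted figures imply, then shows how the 9-character figure shrinks as the attacker adds hardware, which is Fossi’s point. Assumptions: “special characters” means the 32 ASCII punctuation symbols (94 possibilities per position), the whole keyspace is tried (worst case), and the hardware multipliers are illustrative.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Password classes from the article's table. Assumption: "special characters"
# means the 32 ASCII punctuation symbols, giving 94 possibilities per position.
CHARSETS = {
    "lower": string.ascii_lowercase,                        # 26
    "mixed": string.ascii_letters,                          # 52
    "mixed+digits": string.ascii_letters + string.digits,   # 62
    "mixed+digits+special": string.ascii_letters + string.digits + string.punctuation,  # 94
}

def keyspace(charset: str, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from the class."""
    return len(CHARSETS[charset]) ** length

def seconds_to_exhaust(charset: str, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried once. The average is half of this."""
    return keyspace(charset, length) / guesses_per_second

def crack_time_years(charset: str, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(charset, length, guesses_per_second) / SECONDS_PER_YEAR

def implied_guess_rate(charset: str, length: int, quoted_seconds: float) -> float:
    """Back out the guessing rate a quoted crack time must have assumed."""
    return keyspace(charset, length) / quoted_seconds

def speedup_table(charset: str, length: int, base_rate: float, multipliers=(1, 4, 400)) -> dict:
    """Crack time in years as the attacker adds hardware. The multipliers are
    assumptions: one core, a quad-core, and 100 quad-core cloud machines."""
    return {m: crack_time_years(charset, length, base_rate * m) for m in multipliers}

if __name__ == "__main__":
    # The article's three figures: 6 lowercase characters in 10 minutes, and
    # 8 and 9 full-class characters in 463 and 44,530 years respectively.
    quoted = [("lower", 6, 10 * 60),
              ("mixed+digits+special", 8, 463 * SECONDS_PER_YEAR),
              ("mixed+digits+special", 9, 44_530 * SECONDS_PER_YEAR)]
    for cs, n, secs in quoted:
        rate = implied_guess_rate(cs, n, secs)
        print(f"{n} chars from {cs:<22}: ~{rate:,.0f} guesses/s implied")
    # All three land near half a million guesses/s, i.e. one modest machine.
    # The same 9-character password against an attacker who scales up:
    for mult, years in speedup_table("mixed+digits+special", 9, 450_000).items():
        print(f"{mult:>4}x hardware: {years:>10,.0f} years")
```

This arithmetic only applies to offline guessing against something the attacker already holds, such as a home Wi-Fi network with no lockout; a site that locks the account after a few wrong attempts is not bounded by it.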
So while there may not be a “silver bullet”, there are still some best practices when it comes to keeping your data from prying eyes:
– Definitely use a “strong” password of at least 8 mixed-case letters with numbers and special characters. It may not provide complete protection but it is far better than a simpler password.
– Having trouble remembering that combination? Use what Fossi calls a “pass-phrase” instead of a password: Take the first letters from the words in an eight-word phrase that is easy for you to remember, for instance “Honey Can You Please Take Out The Trash” and convert it into: HcYpT0T# (note the “O” from “Out” is now a zero and “Trash” has become the # sign).
– Use anti-virus software, keep it up to date, and make sure you scan ALL files and attachments.
– If you have Wi-Fi at home, make sure to use WPA2 as the security protocol; it is FAR more secure than the older WEP and WPA protocols.
– Change your passwords regularly. Even if a hacker manages to get one of your passwords, it may be days, weeks or months before they get around to trying it – hey they deal in volume after all – by that time you will have moved on and they’ll be locked out.
Readers, do you have any suggestions to add to this list?