Does the Heartbleed bug mean it’s time to reset your passwords again?
It has not been a great few months for computer security. No sooner had Apple patched a serious online security vulnerability in its iPhone and desktop operating systems, than another huge bug cropped up, this time affecting mainly Linux systems and open source software. By now many of you will have read about Heartbleed, but what is it and what does it mean for Windows users?
Heartbleed in a nutshell
Heartbleed is a bug (a programming error) in OpenSSL, a widely used piece of software that implements the Secure Sockets Layer or SSL protocol. SSL is a means of quickly establishing a secure connection between two PCs. When you connect to a secure website, such as online banking, an SSL connection is established to encrypt the traffic between you and the computer running the website.
What happened with Heartbleed is that a mistake in the programming code of the OpenSSL software allows a third party to connect to the same website as you and steal passwords and authentication tokens. So, for instance, if you logged on to a website that had the Heartbleed security problem, an attacker could simply connect from another computer anywhere in the world and grab your password from the website without you or even the website operators ever knowing about it.
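As an added illustration (not code from this article or from the OpenSSL project), here is the mistake behind Heartbleed modelled in C: the vulnerable handler sends back as many bytes as the request claims to contain, while the fixed handler refuses any request whose claimed length exceeds what was actually received. The "server memory", the `session=PLACEHOLDER_TOKEN` value and all function names are constructed for this demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed "server memory": a 5-byte heartbeat payload followed by
 * whatever happened to be stored next to it. The session value is a
 * placeholder for a secret that was never meant to leave the server.
 * The array is padded to 64 bytes so the demo stays in-bounds; a real
 * server has no such guard. */
static const unsigned char server_mem[64] =
    "hello\0\0\0session=PLACEHOLDER_TOKEN";
#define PAYLOAD_LEN 5   /* bytes the client actually sent */

/* Vulnerable handler: echoes back as many bytes as the request CLAIMS
 * to contain, never comparing that with what was actually received. */
size_t heartbeat_vulnerable(const unsigned char *req, size_t claimed_len,
                            unsigned char *out, size_t out_cap) {
    if (claimed_len > out_cap) claimed_len = out_cap; /* output guard only */
    memcpy(out, req, claimed_len);
    return claimed_len;
}

/* Fixed handler: a claimed length larger than the received payload is a
 * malformed request, so it is dropped and nothing is sent back. */
size_t heartbeat_fixed(const unsigned char *req, size_t received_len,
                       size_t claimed_len, unsigned char *out, size_t out_cap) {
    if (claimed_len > received_len || claimed_len > out_cap) return 0;
    memcpy(out, req, claimed_len);
    return claimed_len;
}

/* Demo check: does the reply carry bytes from beyond the real payload? */
int response_leaks(const unsigned char *out, size_t n) {
    const char *needle = "session=";
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, needle, m) == 0) return 1;
    return 0;
}

/* Scenario wrappers: 1 if the vulnerable reply leaks the adjacent secret. */
int vulnerable_leaks_with_claim(size_t claimed) {
    unsigned char reply[64];
    size_t n = heartbeat_vulnerable(server_mem, claimed, reply, sizeof reply);
    return response_leaks(reply, n);
}
/* Bytes the fixed handler returns for the same claimed length (0 = dropped). */
size_t fixed_returns_with_claim(size_t claimed) {
    unsigned char reply[64];
    return heartbeat_fixed(server_mem, PAYLOAD_LEN, claimed, reply, sizeof reply);
}
```

A claim of 5 bytes is honoured by both handlers; a claim of 40 makes the vulnerable one return the neighbouring secret, while the fixed one returns nothing.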
Is Windows affected?
Windows itself does not use the OpenSSL code, so it is not directly vulnerable. However, this doesn’t mean Windows users were unaffected. Remember, for SSL to work, both computers (your PC and the website you are connecting to) need to be using it. Just because your Windows PC doesn’t have the problem certainly doesn’t mean the computer you are connecting to does not. Furthermore, software that runs on Windows, such as the popular OpenVPN system, was affected and should be updated immediately.
Websites claim to have fixed the problem, so why is the media claiming it will be an issue for years?
Properly fixing Heartbleed is actually a huge headache for systems administrators all around the world. It requires patching the vulnerability and then replacing and updating security certificates with a central authority. Many smaller websites are struggling to respond in a timely fashion. Furthermore, OpenSSL is used on more than just PCs and web servers. A large number of consumer routers are vulnerable, as are other smart gadgets such as heating monitors, webcams etc. Most smartphones were not affected, though a small number of Android devices were. If you are concerned that a device you use is affected, your best course of action is to contact the manufacturer’s technical support department.
Fortunately, none of the websites in our network were affected and you can safely continue to use them, including our secure checkout and online ordering which is handled through E-junkie, who were not affected by the problem.
Should I change all my passwords?
No, you only need to change passwords for affected sites, and you should do so only once the site has fixed the problem: a password changed on a still-vulnerable site can be stolen just the same. This bug is big news, but it doesn’t affect every site that uses SSL.
I’m getting really concerned about all these security problems! Should I stop shopping and banking online?
It’s a good question. Like most things in life, it is all about managed risk. If you stopped internet banking and instead conducted all your business in-branch or via an ATM/cash machine, there would still be risks. You could be observed entering your PIN and then have your card stolen. The clerk or cashier you dealt with over the counter or phone could be corrupt. Worse still, if you start to carry larger amounts of cash you could be the victim of a street robbery. British comedian Jasper Carrott once said, “if there’s one thing certain in life, other than death and taxes, it is that someone somewhere will try to con you out of your money”. That was true before the internet came into our lives and remains true no matter how you conduct your business.
OpenSSL is free and “Open source” software, what does that mean? Did the bug occur because the programmer wasn’t paid enough?
No, that’s just silly. Open source software is software where the programming code, also known as the source code, is available for programmers and IT professionals to view. When a computer program is completed, it is translated from a language that programmers can read into an executable file that a computer can run (a process called compiling). Without the original programming code it is often very difficult to see exactly how a computer program works. Companies like Microsoft closely guard their source code as it contains trade secrets, but the open source community takes a different approach and allows anyone to view this original code.
Doesn’t this mean that hackers can peek inside the inner workings of the software and find out nefarious ways to exploit it?
Maybe, but whatever the potential hacker can see, so can the legitimate security researcher. This means that open source software is often more secure since mistakes and bugs are more quickly spotted.
People write free, open source software for their own benefit as well as the benefit of others. When software is open source, it can be audited by security professionals all around the world and you don’t need to take the word of the developers or publishers that it is safe and does what it is intended to do. There’s no way to know, but if OpenSSL had been a closed source (privately developed and programmed) project the Heartbleed bug may have taken even longer to spot.
People make mistakes when writing paid, closed source software too, and just because people can’t see the programming code doesn’t mean these mistakes aren’t discovered and potentially exploited by cyber criminals. Microsoft, for instance, only recently patched a severe security vulnerability in Internet Explorer that, if correctly exploited, could allow an attacker to take control of a Windows PC.
I am struggling to remember all these passwords I have to keep changing
Bite the bullet and learn to use a password manager. Arguably, this will make you more secure online than any antivirus or firewall could. Password managers store all your passwords in a central vault, either on your own PC (the most secure option) or in the cloud (convenient, but potentially more risky). When you need a password, you simply unlock your password vault. You only need to remember the one password that unlocks your vault; all the rest are simply stored in it. Since computers have much better memories than us humans, this means you can use a long, multi-character and unique password for every site you visit.
We have several tutorials for the most popular password managers here.
What about the XKCD “Horse battery staple” method for remembering passwords?
For those not in the know, XKCD is a web comic aimed at a technical audience with lots of geeky humour. One month, they ran a comic on remembering complicated passwords, that suggested remembering pictures as memory clues. The original comic is here.
After this strip was published, it began to circulate around the internet as a solution to remembering longer, more complex passwords. However, the method is rather flawed. Even with this technique most users can only remember three or four passwords. Many of us use far more websites than that, so typically users start recycling their passwords again. Hackers know that users re-use passwords and will typically try a password they steal from one insecure website on bigger websites like Facebook or Twitter.
You can certainly use the XKCD method to remember your master password for your password manager, but it is not a solution for most users unless you only use a handful of websites.