Stop Using Microsoft’s IE browser Until Bug Is Fixed

In a rare move that highlights the severity of a security hole in the popular Internet Explorer browser, the US Computer Emergency Readiness Team and its UK counterpart say some IE users may want to “consider employing an alternate browser” until the flaw is patched.  Read on …

http://www.cnet.com/news/stop-using-ie-until-bug-is-fixed-says-us/

Note that this issue is particularly urgent for continued users of the “expired” Windows XP.

Sunday Morning at Ladd Marsh

On this cloudy, intermittently rainy morning, Kim and I drove along Foothill Road.  We spotted two pairs of cranes, a few hundred yards apart and seeming to be calling to each other, but no binoculars were on hand.  Kim also recognized and named some other bird voicings, but I forget what she said they were.  Lots of emerging green, white, purple and other leafenings.

Information Is Beautiful

Here’s a color wheel that illustrates the implication, meaning or emotion ascribed to particular colors in different cultures.  Pick a culture by its A – J position on the “tree ring” and then match the color’s number with the descriptive word.  It’s a little tricky to see readily at smaller sizes, so I am considering buying one of the full-size posters.  Learn more here.

When Somethin’s Not Right, It’s Wrong

Quoting from Bob Dylan’s “You’re Gonna Make Me Lonesome When You Go” …

I suspect that my database is corrupted, and I am going to attempt to rebuild it. If you’re lucky, you might see this message. Or just try going to the start page (http://whilebusy.com) and see what you can see.

May have to rebuild the site from scratch. Dunno.

Epilogue – Heartland

Now that the dust has settled somewhat on the Heartbleed incident, and you have surely by now changed your passwords — presumably following best practices: a unique password for each account, and “strong” passwords using mixed case, mixed letters and numerals, no dictionary words, no simple character substitutions, etc. — AND assuming that your site/service provider passes the Heartbleed test or has notified you that it has taken measures to fix the vulnerability — this might be a good time to think about even more safeguards.

Best Practices

Just google for the many, many sources of good information on choosing strong passwords and employing other measures. Here is one of the latest I have seen, this one from NPR.

LastPass

If you are still trying to test the vulnerability of “secure” sites that you use, LastPass has a nice checking tool at https://lastpass.com/heartbleed/ that will identify the actual server software used by the site, if it can. That may not mean too much to everyone, but it is very useful to know if you are in the business of maintaining a server or SSL certificates yourself. And if you are a LastPass (imho, one of the best cloud-based password managers out there) user, LastPass will check your accounts for vulnerability and give you suggestions for action.

Two-Factor Authentication

This is a security approach that we use in our workplace (in some cases actually multi-factor authentication, a close relative, where appropriate for even more levels of security). Without going into too much technicality, we can think of this approach as a two-step scheme of verification that addresses both the factor of possession (is the user in possession of something unique, such as an ATM card?) and the factor of knowledge (does the user know the PIN that is associated with, but separate from, the possession factor?).  Almost all banks use two- or multi-factor authentication, and they should.

Many sites/service providers give you a two-factor authentication option that first requires that you know and submit a unique username and password combination (this addresses the knowledge factor). To address the possession factor of this authentication scheme, a typical implementation would require you to register your cellphone with the host site/service provider. Then, to complete your login successfully, even after the usual username/password input, you would have to enter a newly generated one-time password. That extra password is a short-lived code (perhaps valid for only 30 seconds or so) sent as a text/SMS message to your phone, which represents the possession factor.

Don’t have a cellphone? In a variation, Google, for example, would let you use a special application or program (such as the Google Authenticator app) that has been previously installed and registered with your account and generates a new, random passcode for you to use at certain intervals, typically every 30 seconds. (Btw, this scheme goes back many years: when I worked at UCLA, access to certain servers and systems was available only if you first ran an online login application in a “traditional form” that also prompted for a separate, additional password that you would only know by pulling a credit-card-sized device from your pocket — something like the old-school pagers — and use the moving passcode that it would generate and display at 30 second intervals after power-up.)

If you carry a laptop around with you almost everywhere, I would strongly consider using two-factor authentication.

Phishing Scams

This is one to be watchful for.  Heartbleed will provide an exceptional opportunity for the unscrupulous to try to coax your passwords out of you by masquerading as one of your real sites.  Better to be proactive and go to the site(s) in question on your own and change your password that way.  Don’t fall for the trick of sending your password off to somebody who asks for your credentials “to keep you safe” from Heartbleed or anything else unless you are absolutely sure that it is legit and that you are being directed to the site’s real URL/Web address.  If you think you may have been duped this way, browse directly to the site(s) where you have an account and change your password again.
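The test the paragraph above asks you to apply by eye, whether a link in an email really leads to the site it claims to, can be written down. Below is an added example of that check (my own code, not from the original post): it compares the host a link actually resolves to against a list of sites where you hold accounts, treating only exact matches and genuine subdomains as yours, so a host that merely contains your bank's name, or hides it before an `@`, is not accepted. The site list is a constructed stand-in.

```python
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the sites where you hold accounts.
MY_SITES = {"example-bank.test", "example-mail.test"}


def parse_link(url: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, host) for an absolute URL, or None if it has no host.

    urlsplit().hostname lower-cases the host and strips any user@ prefix and
    :port, so "https://example-bank.test@evil.test/" yields "evil.test".
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if not parts.hostname:
        return None
    return parts.scheme, parts.hostname


def is_under(host: str, sites: Set[str]) -> bool:
    """True only for one of the sites or a subdomain of it.

    A lookalike such as "example-bank.test.evil.test" does not end with
    ".example-bank.test", so it is rejected.
    """
    return any(host == s or host.endswith("." + s) for s in sites)


def classify_link(display_text: str, href: str, sites: Set[str] = MY_SITES) -> str:
    """Classify one link from a message.

    "ok"        - https link to one of your sites (or a subdomain of it)
    "mismatch"  - the visible text names one of your sites but the link goes
                  somewhere else; the classic phishing pattern
    "untrusted" - anything else (plain http, unknown host, no host at all)
    """
    target = parse_link(href)
    if target and target[0] == "https" and is_under(target[1], sites):
        return "ok"
    shown = display_text.strip()
    shown_target = parse_link(shown if "://" in shown else "https://" + shown)
    if shown_target and is_under(shown_target[1], sites):
        return "mismatch"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample links as they might appear in a "verify your account" email.
    samples = [
        ("Sign in", "https://accounts.example-bank.test/login"),
        ("https://example-bank.test/reset", "http://example-bank.test.evil.test/reset"),
        ("example-bank.test", "https://example-bank.test@evil.test/"),
        ("Click here", "https://evil.test/"),
    ]
    for text, href in samples:
        print(f"{classify_link(text, href):10s} {text!r} -> {href}")
```

Even an "ok" result only says the link points at your site; the advice in the post still stands, which is to type the address yourself rather than follow the link.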

Okay, good luck to us all.  

Responsive At Last

You may have noticed some subtle changes in the appearance of this blog.  WhileBusy… has undergone surgery to make it play well, or at least better, with your smartphone or tablet, as well as any other device.  That is, its underpinnings are now of a “responsive” design (meaning that it adapts automatically to whatever device it is being viewed with) that is more “mobile-friendly”.  I attempted to conform the outward appearance to the previous visual design, at least for the time being.  If you are a mobile device user, you will see some more manual controls and relevant icons.  I still may convert to something even more “automatic”.  Let me know if you have problems or other comments.

Heartbleed

No doubt you have heard about the Heartbleed security vulnerability, discovered earlier this week by engineers from Google and another security firm, and how it potentially could permit eavesdropping on Internet transmissions thought to be securely encrypted on some two-thirds of the Web’s servers.

Here is a pretty good lay explanation of how Heartbleed works:

OpenSSL Heartbeat (Heartbleed) Vulnerability (CVE-2014-0160) and its High-Level Mechanics from Elastica Inc on Vimeo.

UPDATE:  And maybe an even better illustration here!

As this is a matter basically to be resolved by the sites and service providers themselves — the IT people at my workplace are scrambling to get any appropriate fixes in place, as is surely the rest of the tech world — end users can’t do much about the potential threat until the sites they use have been patched, otherwise the new passwords and critical private data will just continue to be exposed.  (You can do some degree of testing yourself using the form at http://filippo.io/Heartbleed/, for example.) 

NOTE: No one (among the good guys) knows whether this vulnerability has actually been exploited.  But the enormous potential for havoc indicates that we had better be safe than sorry.

So my personal approach is to avoid using any sites or service providers that I am uncertain about (this applies only to those where I have previously set up accounts or provided personal data, and which I log into over “https://”, of course), and then, once I am assured that they have implemented the fixes, change my passwords.  And if I MUST use those sites in the meantime, I am prepared to change my passwords at least daily to hopefully minimize my exposure.

For a more complete and technical rundown, visit http://heartbleed.com.