The Heartbleed Security Bug
This week it has emerged that a major security flaw at the heart of the internet may have been exposing users’ personal information and passwords to hackers for the past two years. It is not known how widely the bug has been exploited, if at all, but what is clear is that it is one of the biggest security issues to have faced the internet to date. Security expert Bruce Schneier described it as “catastrophic”: “On the scale of one to 10, this is an 11.”
The BBC website offers what they describe as a guide to ‘everything you need to know about Heartbleed’.
Here UK Business News copies a part of the BBC article describing the basis of the threat and the need to consider updating your passwords.
The bug exists in a piece of open source software called OpenSSL, a library that implements the encryption used between a user’s computer and a web server: the secret handshake at the beginning of a secure conversation and the scrambled exchange that follows.
It was dubbed Heartbleed because it affects an extension to SSL (Secure Sockets Layer, and its successor TLS) which engineers dubbed Heartbeat: a small keep-alive message that one end sends and the other echoes back. A flaw in OpenSSL’s handling of that echo lets a remote party read chunks of the server’s memory, which can contain other users’ passwords and session data and even the server’s private keys. OpenSSL is one of the most widely used encryption tools on the internet, believed to be deployed by roughly two-thirds of all websites. If you see a little padlock symbol in your browser then you are using SSL, though a site is only at risk if it runs an affected version of OpenSSL.
Half a million sites are thought to have been affected.
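The following is an added example, not code from the BBC or UK Business News article and not OpenSSL’s own source. It models the Heartbeat message layout (type, two-byte payload length, payload, at least 16 bytes of padding) and the logic of OpenSSL’s heartbeat handler before and after the fix, in Python over a constructed in-process byte buffer rather than a real TLS connection. The function names, offsets and the sample “secret” are all constructed for illustration.

```python
# Added example (not from the article or from OpenSSL): a simulation of the
# Heartbeat echo over a constructed "memory" buffer. The vulnerable handler
# trusts the peer's own payload_length field; the patched one checks it
# against the length of the record actually received.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                      # RFC 6520 requires at least 16 bytes of padding


def build_request(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding.

    A well-formed request has claimed_length == len(payload); the Heartbleed
    trigger claims a length far larger than the bytes actually sent.
    """
    return (bytes([HEARTBEAT_REQUEST])
            + claimed_length.to_bytes(2, "big")
            + payload
            + bytes(MIN_PADDING))      # real OpenSSL uses random padding bytes


def build_memory(record: bytes, secret: bytes, secret_offset: int,
                 size: int = 1 << 17) -> bytearray:
    """Lay the record at offset 0 and a constructed 'secret' (another user's
    session data, say) further along in the same process memory."""
    memory = bytearray(size)
    memory[:len(record)] = record
    memory[secret_offset:secret_offset + len(secret)] = secret
    return memory


def _parse_header(memory):
    hbtype = memory[0]
    payload_length = int.from_bytes(memory[1:3], "big")
    return hbtype, payload_length, 3   # payload starts after the 3-byte header


def vulnerable_heartbeat(memory: bytearray, record_length: int):
    """Pre-fix behaviour: echo payload_length bytes starting at the payload,
    never comparing that field with record_length (the record the TLS layer
    actually delivered). The over-read is the leak."""
    hbtype, payload_length, pl = _parse_header(memory)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    echoed = bytes(memory[pl:pl + payload_length])    # reads past the record
    return (bytes([HEARTBEAT_RESPONSE]) + payload_length.to_bytes(2, "big")
            + echoed + bytes(MIN_PADDING))


def patched_heartbeat(memory: bytearray, record_length: int):
    """Fixed behaviour: silently discard the message unless the header, the
    claimed payload and the minimum padding all fit inside the record."""
    if 1 + 2 + MIN_PADDING > record_length:
        return None
    hbtype, payload_length, pl = _parse_header(memory)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None
    echoed = bytes(memory[pl:pl + payload_length])
    return (bytes([HEARTBEAT_RESPONSE]) + payload_length.to_bytes(2, "big")
            + echoed + bytes(MIN_PADDING))


def demo():
    """Return (secret leaked by vulnerable handler, secret leaked by patched handler)."""
    secret = b"user=alice; session=9f1c2b7e"             # constructed sample data
    malicious = build_request(b"x", claimed_length=4096)  # 1 byte sent, 4096 claimed
    memory = build_memory(malicious, secret, secret_offset=200)
    vuln = vulnerable_heartbeat(memory, len(malicious))
    fixed = patched_heartbeat(memory, len(malicious))
    return ((vuln is not None and secret in vuln),
            (fixed is not None and secret in fixed))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point to take from the simulation is that nothing about the attacker’s message is malformed at the TLS layer; the only defence is the handler refusing to trust a length field it did not verify, which is exactly the check the fix adds.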
So do you need to change your passwords?
Some security experts are saying that it would be prudent to do so, although there is a degree of confusion as to when and if this needs to be done. Many of the large technology firms, including Facebook and Google, have patched the vulnerability.
Confusingly, though, Google spokeswoman Dorothy Chou specifically said: “Google users do not need to change their passwords.” A source at the firm told the BBC that it patched the vulnerability ahead of the exploit being made public and did not believe that it had been widely used by hackers.
Some point out that there will be plenty of smaller sites that haven’t yet dealt with the issue, and with these a password reset could do more harm than good: a site that is still vulnerable can leak the new password just as it could the old one, revealing both to any would-be attacker.
But now that the bug is widely known, even smaller sites should issue patches soon, so most people should probably start thinking about resetting their passwords, ideally once a site confirms it has applied the fix and replaced the certificate whose private key may have been exposed.
“Some time over the next 48 hours would seem like sensible timing,” the University of Surrey’s computer scientist Prof Alan Woodward told the BBC.
Mikko Hypponen of security firm F-Secure issued similar advice: “Take care of the passwords that are very important to you. Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely.”
How do I make sure my password is robust?
The exploit was not related to weak passwords, but now that there are calls for a mass reset of existing ones, many are reiterating the need to make sure they are as secure as possible.
People should regularly change their passwords, said Prof Woodward, and they need to make sure that they choose something that does not relate to themselves, such as a pet’s name. Words that don’t appear in a dictionary are preferable, as is a mixture of words and numbers.
For people whose attitude to passwords is to reset them each time they visit a site because they have forgotten them, there is help on hand.
Tools are now widely available that will store and organise all your passwords and PIN codes for computers, apps and networks. They can also generate passwords and can automatically enter your username and password into forms on websites.
Such tools store your passwords in an encrypted file that can be opened only with a master password, so that is the one password you still have to remember, and it must be strong and used nowhere else. Examples of such tools include KeePass, LastPass and 1Password.
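As an added example (not code from the article, nor from KeePass, LastPass or 1Password), the block below shows in Python the two pieces of a password manager that the paragraph above describes: generating passwords from a cryptographically secure random source, and turning the master password into a vault key with a salted, deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here), so that the key is never stored and the file cannot be opened without the master password. The encryption of the vault contents themselves (a real manager uses an authenticated cipher such as AES-GCM or ChaCha20-Poly1305) is not in Python’s standard library and is left out; the iteration count, the verifier construction and all names are assumptions for illustration.

```python
# Added example, not from the article or any named product. Shows CSPRNG
# password generation and a salted PBKDF2 master-password derivation with a
# constant-time verifier check. Vault-content encryption is deliberately
# omitted (no authenticated cipher in the standard library).
import hashlib
import hmac
import math
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
PBKDF2_ITERATIONS = 600_000     # assumption; use the highest count your hardware tolerates
SALT_BYTES = 16
KEY_BYTES = 32


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random characters drawn with `secrets`, never with `random`."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password of this shape; a
    dictionary word scores far lower because the attacker's search space
    is the dictionary, not every string of that length."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow, salted derivation: the same master password gives a different
    key per vault, and each guess costs the attacker `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def create_vault_header(master_password: str,
                        iterations: int = PBKDF2_ITERATIONS) -> dict:
    """What the vault file records about the master password: a fresh salt,
    the KDF cost, and a verifier (an HMAC under the derived key). Neither
    the master password nor the key itself is written anywhere."""
    salt = os.urandom(SALT_BYTES)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock_vault(header: dict, master_password: str):
    """Return the vault key if the master password is right, else None.
    compare_digest avoids leaking which byte of the verifier mismatched."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    expected = hmac.new(key, b"vault-verifier", "sha256").digest()
    return key if hmac.compare_digest(expected, header["verifier"]) else None


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
    header = create_vault_header("correct horse battery staple")
    print(unlock_vault(header, "correct horse battery staple") is not None)  # True
    print(unlock_vault(header, "password1") is None)                         # True
```

Two things in the design are worth noting. The salt is generated per vault and stored in the clear; its job is to stop a precomputed table from cracking many vaults at once, not to be secret. And the iteration count is stored alongside it so that an old vault can still be opened after the default is raised, which is how real managers migrate users to stronger settings.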
Some firms are starting to offer alternatives to passwords.
Mobile firms including Apple and Samsung are integrating fingerprint readers which allow users to unlock their phone and certain functions on it just by placing or swiping their finger on a sensor built into the device.