In case you missed it, a major flaw has been discovered in a number of websites and Internet-related services. I’ll emphasize the “and” because the issue itself goes beyond just navigating the web via your favorite web browser (Internet Explorer, Firefox, Chrome, etc.), although we will just focus on the website/browsing aspect considering that is what will affect a majority of users.

So what happened? Essentially, an extremely serious bug (or flaw) was discovered in the underlying security of OpenSSL.
OpenSSL is quite likely one of the core components that secures your data when it goes from your computer to the server of your bank, the server of your email provider, etc. Basically, it is what keeps your business your business, and away from the prying eyes of the rest of the world… Or so we thought.
There is a good possibility that the little lock you have been instructed to look for in your day-to-day browsing didn’t mean quite as much as we originally assumed… Well, it did, but not against people who knew how to bypass the security before the rest of the world learned about it yesterday and today.
How bad is it? Rough estimates are that approximately 60 percent of the web is affected by this “little” bugger.
Ultimately, the real issue is this. The revision of OpenSSL that introduced this issue was in March 2012. What that means is this major security flaw has existed since then. Quite possibly, any website that you have visited in the last two years could have had someone watching everything you were doing and capturing all your traffic including your usernames and passwords.
What are the chances that the good guys found this issue before the bad guys? I would like to think that is the case, but in reality, probably not.
What should you do? If you are a person in the field of information technology, you should probably stock up on energy drinks, as you are going to have many hours, days, and likely months ahead of you correcting the issue. If you are a user of online banking, online email, etc., then you are strongly advised to change your passwords on most, if not all, sites. It is true that a number of sites were apparently not affected, such as Google, Microsoft, and others, but that should not stop you from taking the opportunity to change your passwords and doing a little of your own housekeeping.
We’ll cover the topic of “strong” passwords a bit more at a later date, but the standard should be at least 10 characters with at least one uppercase letter, one lowercase letter, one number, and one special character ($,!,#,*,%,@,+). In addition, this is a wonderful example of why you don’t use the same username and password at multiple sites. Even if your email provider wasn’t affected by this particular security issue, how much does that matter if you used that same username/password combination at another site that was affected?
Dallas Haselhorst, CISSP, GSEC, is the founding partner at Sicoir Computer Technologies (www.sicoir.com). He has more than 20 years of IT experience and in that time, he has traveled all over the U.S., physically and virtually, assisting companies large and small with their computers, networks and security. Whether dealing with an individual surfing the web or a business/organization whose primary data relates to PCI, HIPAA, or SOX, he has likely secured it in some way, shape, or form. When he’s not working, Dallas enjoys tinkering in all things technology and spending time with his wife, two children and their family dog.