Thursday, April 10, 2014

Internet Security Alert: Heartbleed

OOTJ readers may already have read about Heartbleed, the newest Internet security problem. But just in case you have not heard about it, here is your heads-up. The Boston Globe today offered an article by Hiawatha Bray, their wonderful tech columnist, who concludes that "The Heartbleed scare is as bad as it sounds."

Heartbleed is a security flaw at the heart of Internet security. It came about through sloppy coding in an update of the OpenSSL software that provides the encryption for about two thirds of Internet sites worldwide. Encryption is the software that scrambles your data as it leaves your computer so it travels safely over the Internet; only the intended recipient should be able to decrypt the data you sent. So, if you are buying something from an Internet vendor, you send your name, address and credit card number over the web, feeling secure because of that https:// in front of the URL. That is what the additional "s" is telling you: that the information is being encrypted between your computer and theirs, for secure transactions.

But a little bit of bad code (OpenSSL is open source, collaboratively coded) introduced, back in 2012 (!), a serious security lapse in how OpenSSL has been working. The "secure" data held by OpenSSL-secured servers can be searched and retrieved by hackers. Somebody at Google and at a Finnish security company discovered the problem and announced it this past Monday. One security researcher, for instance, was able to retrieve a user name and password from Yahoo Mail. Hiawatha Bray did a little checking:
Yahoo says it has fixed the problem on its servers. Meanwhile, other major Internet companies are also offering reassurances. I pinged Amazon.com, Facebook, tax preparation company Intuit Inc., and the Internal Revenue Service. All replied that their computers are not vulnerable to the Heartbleed problem.
He then points out that nobody has reported that their bank accounts have been emptied over the past two years while Heartbleed was lying out there waiting to be exploited. On the other hand, Bray also notes that spy agencies like the NSA or China's Ministry of State Security could have been using Heartbleed as a backdoor for some time and nobody would know. Unlike other hacking access points, Heartbleed leaves no marks!
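What "sloppy coding" means here, as an added illustration that is not part of the original post or of OpenSSL's own code: a toy C heartbeat handler written in the pre-fix pattern beside the fixed one, run over constructed in-memory buffers with no networking. The record layout, the function names and the "SESSION=constructed-secret" data are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Toy TLS heartbeat record, constructed for this demo (not OpenSSL's code):
 * [type:1][claimed_len:2 big-endian][payload][16 bytes of padding]. */
#define PADDING 16
static size_t claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Pre-fix pattern: trusts the length the peer claims, never compares it with what arrived. */
static size_t heartbeat_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    size_t n = claimed_len(rec);
    (void)rec_len;            /* the received length is ignored: this is the bug */
    if (n > cap) n = cap;     /* keeps the demo inside its own buffers */
    memcpy(out, rec + 3, n);  /* echoes whatever sits in memory past the real payload */
    return n;
}
/* Fixed pattern: drop any record whose claimed payload does not fit in what was received. */
static size_t heartbeat_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    size_t n;
    if (rec_len < 1 + 2 + PADDING) return 0;
    n = claimed_len(rec);
    if (1 + 2 + n + PADDING > rec_len || n > cap) return 0;
    memcpy(out, rec + 3, n);
    return n;
}
/* Constructed "server memory": a 4-byte "ping" heartbeat followed by an unrelated secret. */
static size_t build_memory(uint8_t *mem, size_t cap) {
    memset(mem, 0, cap);
    mem[0] = 1; mem[1] = 0; mem[2] = 4;
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + 3 + 4 + PADDING, "SESSION=constructed-secret", 27);
    return 3 + 4 + PADDING;   /* bytes that really arrived: 23 */
}
/* Returns 1 if the unchecked handler echoes the secret, which was never part of the request. */
int unchecked_leaks_secret(void) {
    uint8_t mem[128], out[128];
    size_t rec_len = build_memory(mem, sizeof mem);
    mem[2] = 80;              /* peer claims an 80-byte payload */
    size_t n = heartbeat_unchecked(mem, rec_len, out, sizeof out);
    return n == 80 && memcmp(out + 4 + PADDING, "SESSION=", 8) == 0;
}
/* Returns 1 if the fixed handler answers the honest record but drops the lying one. */
int checked_rejects_lie_but_echoes_honest(void) {
    uint8_t mem[128], out[128];
    size_t rec_len = build_memory(mem, sizeof mem);
    size_t n = heartbeat_checked(mem, rec_len, out, sizeof out);
    if (n != 4 || memcmp(out, "ping", 4) != 0) return 0;
    mem[2] = 80;
    return heartbeat_checked(mem, rec_len, out, sizeof out) == 0;
}
```

The single comparison in heartbeat_checked is the whole fix: the reply may never contain more bytes than the request actually carried.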

So, the recommendations of security experts? For at least a few days, until the Heartbleed code problem is repaired and replaced at all relevant websites:

1. Do not do any shopping or enter personal information on websites.
2. Wait a few days for Heartbleed to be repaired, then change all your passwords, at least for websites that collect personal information, and
3. Remove all the cookies from your computer, at least the ones for websites that collect personal information.

Image of the bleeding heart flowers is from the Wikimedia Commons, a photo by Pharaoh Hound, who posted it under the Creative Commons Attribution-ShareAlike 3.0 License. The photo is of the flowers of a pink Bleeding Heart (Dicentra spectabilis); I couldn't bear to put up the more anatomical bleeding hearts I found out there! Thank you, Pharaoh Hound!
