Monthly Archives: April 2014

Heartbleed Action List For End-Users

Most likely you have heard of the “Heartbleed” vulnerability, a bug in OpenSSL, the open source cryptographic library that a large share of websites use to provide HTTPS.  Web site administrators are busy installing patches to remove the vulnerability.  However, since the vulnerable code had been in circulation for about two years before the bug was discovered, this message offers suggestions to web users for protecting their own accounts.

What is Heartbleed?

Heartbleed is not a malicious software virus, but rather a bug (a “glitch”) in OpenSSL, the software many websites use to encrypt confidential information, such as passwords, while it travels over the network.  The bug is in OpenSSL's handling of the TLS “heartbeat” message: a vulnerable server can be tricked into sending back up to 64 KB of its own memory per request, and that memory may contain other users' passwords, session cookies, or even the server's private encryption key.  This popular XKCD cartoon illustrates how a website with the vulnerability could be “tricked” into revealing private information.

What websites are vulnerable?

It turns out that millions of password-protected web sites used this helpful open source library. Security consultant Bruce Schneier has said that on a scale of one to ten, this is an eleven!  Any website that ran a vulnerable version of OpenSSL may have exposed the passwords (and login session cookies) of users who signed in while it was vulnerable.  A specific examination of popular websites reveals that sites such as Facebook, Yahoo, and Google (including Gmail) were affected.  Although many bank and government sites were not affected, if you used the same password at an affected site and at your bank, the bank password should be treated as exposed as well.  The affected websites are currently in various stages of patching OpenSSL to remove the problem and, because the bug may have leaked their private keys, of replacing their certificates.

What should end-users do?

Web users should take this opportunity to address their specific Heartbleed exposure, as well as to improve password security in general.  The recommended steps include:

1.     Install the Heartbleed extensions available for Chrome (Chromebleed) and Firefox (Foxbleed).  These alert the user when a visited site is still vulnerable to Heartbleed.  After installing the extension, a site that is still vulnerable at the time of writing, such as https://tricider.com, may be used to test it.  Figure 1 displays the Chromebleed pop-up on a vulnerable site.

Figure 1: Chromebleed display for a site vulnerable to Heartbleed

2.     After verifying that your password-protected site is no longer vulnerable to the Heartbleed bug, change your password.  Do not change it sooner: a new password entered on a site that is still vulnerable can be stolen exactly like the old one, so you would only have to change it again.

3.     Now is the time to improve password security by NOT using the same email or username and password combination at multiple sites.  It has even been suggested that not repeating passwords is more important than using complex passwords.

4.     Attackers do not need to be very creative: login information obtained from one site is simply tried at other sites, such as banks.  Since avoiding reuse means you will need to keep track of many passwords, consider using a password manager, such as LastPass or KeePass.  A search for “best password managers” will provide other suggestions, such as this review by PC Magazine.

a.     Be aware that storing passwords in the browser itself is generally discouraged: on most browsers the saved passwords can be displayed in plain text from the settings page by anyone who can sit down at your logged-in computer, and a dedicated password manager protects its store with a master password instead.

b.     Security questions are also problematic, as the “shared secret” (mother's maiden name, first school, and so on) is often easy for an attacker to discover or guess.  Consider answering with fictitious or deliberately misspelled information that you can remember, or record the made-up answers in your password manager.

5.     Be creative with your password.  Attackers do not begin with random or “brute force” guesses; it is far easier and quicker to use the abundantly available dictionaries of frequently used and previously leaked passwords.  For example, the top twenty-five passwords of 2013 were led by “123456” and “password.”

6.     One option is to use a password generator, either the one built into your password manager or a web or app-based one such as http://passwordsgenerator.net/.  Another option is to use the first letter of each word, keeping capitalization and numbers, from a favorite lyric or a phrase such as “In 2008 I graduated from Chicago High School” to create the password “I2008IgfCHS.”  Replacing some of these characters with symbols may increase security somewhat.  Using English words is specifically discouraged, even with predictable substitutions such as “pa$$word”: password-cracking tools apply those substitutions automatically, so “pa$$word” falls as quickly as “password.”

7.     Consider using two-factor authentication (2FA), also called “2-step verification,” when it is offered, as it is by Google, Yahoo, and Facebook.  With 2FA, access requires something the user “knows” (e.g., a password) together with something the user “has” (e.g., a cellphone that receives a code or runs an authenticator app), so a password leaked by Heartbleed is not enough on its own to log in.
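The password advice in steps 5 and 6 can be checked mechanically, and doing so shows why the advice holds. The following is an added example, not code from the original post: it undoes the predictable substitutions a cracking tool tries (so “pa$$word” is caught), strips trailing digits (“password1”), derives the first-letter password from a phrase exactly as step 6 describes, and generates a random password locally with the operating system's secure random source instead of a web page. The dictionary is a small constructed sample seeded with the two entries the post names; real cracking lists are millions of entries long.

```python
"""Password hygiene helpers illustrating steps 5 and 6 above (added example)."""
import secrets
import string

# Constructed sample of a "hacker dictionary" of frequently used passwords.
# The first two are the ones the post names; real lists are far larger.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "iloveyou", "admin", "letmein", "monkey", "sunshine",
    "password1", "princess", "trustno1", "000000", "welcome", "dragon",
}

# Predictable symbol/digit substitutions that cracking rules undo automatically.
_SUBSTITUTIONS = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t", "+": "t",
})


def normalize(password):
    """Lowercase and undo leet-style substitutions, e.g. 'Pa$$w0rd' -> 'password'."""
    return password.lower().translate(_SUBSTITUTIONS)


def is_weak(password, dictionary=COMMON_PASSWORDS):
    """True if a dictionary attack with simple mangling rules would find the password.

    Checks the password as typed, with substitutions undone, and with trailing
    digits/symbols stripped ('password1' -> 'password'), all against the dictionary.
    """
    if len(password) < 8:
        return True
    candidates = {password.lower(), normalize(password)}
    for c in list(candidates):
        candidates.add(c.rstrip(string.digits + string.punctuation))
    return any(c in dictionary for c in candidates)


def acronym_password(phrase):
    """First character of each word, keeping numbers whole and case as written.

    'In 2008 I graduated from Chicago High School' -> 'I2008IgfCHS'
    """
    return "".join(word if word.isdigit() else word[0] for word in phrase.split())


def generate_password(length=16):
    """Random password from the local CSPRNG (no web generator needed).

    Rejection-samples until the result contains a lowercase letter, an
    uppercase letter, a digit and a symbol, so it passes typical site rules.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    samples = ["123456", "pa$$word", "Password1", "I2008IgfCHS", generate_password()]
    for pw in samples:
        print(f"{pw!r:24} weak={is_weak(pw)}")
    print(acronym_password("In 2008 I graduated from Chicago High School"))
```

The substitution table is deliberately small; real rule sets in tools such as John the Ripper or hashcat contain thousands of such mangling rules, which is why no amount of symbol-swapping rescues a dictionary word.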

Finally, do not be surprised if you find yourself having to replace passwords again when the next vulnerability is revealed.  Taking these steps now (unique passwords, a password manager, two-factor authentication) will make the next round far less painful!

Further reading