In fact, it may have already done so, considering that it amounts to a nuclear option for web hackers. Information security vendors are coming out en masse with tips and tools in the wake of the news to help consumers battle the fallout.
As McAfee pointed out in a blog, Heartbleed is not a virus but a coding mistake in OpenSSL, the open-source library that implements the SSL/TLS encryption a majority of online services use to protect traffic between users and their servers. The mistake lets an attacker read chunks of a server's working memory, which can contain user names, passwords, session cookies and other private data that the server happened to be handling at the time.
The Heartbleed Lowdown
The SSL/TLS "heartbeat" is a keep-alive extension, not part of the handshake that sets up the secure connection. Once a connection exists, either side can send a heartbeat request carrying a small payload together with a field stating the payload's length; the other side is required to echo the payload back, which confirms the peer is still there without renegotiating the session.
The Heartbleed flaw is that vulnerable OpenSSL versions (1.0.1 through 1.0.1f) never compared that stated length with the length of the data actually received. An attacker sends a heartbeat with a tiny payload but a length field claiming up to 64 KB, and the server obligingly copies that many bytes of its memory, starting at the payload, into the response. No man-in-the-middle position is needed: anyone who can open a TLS connection to the server can do it, repeatedly, and the returned memory will likely contain email addresses, user names, passwords and session cookies, which is everything someone needs to access accounts or mount phishing expeditions via spam. In some cases the memory returned holds the server's private key, which would let an attacker impersonate the site or decrypt recorded sessions that did not use forward secrecy, and thus compromise whole swathes of the internet.
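To make the missing length check concrete, here is a small simulation of the heartbeat exchange and of the bug. It is an added illustration, not code from McAfee, ThetaRay or the OpenSSL project: the server's "process memory" is a constructed byte buffer with some made-up secrets placed next to the incoming record, so the over-read is deterministic and can be run offline. `vulnerable_handler` reproduces the pre-1.0.1g logic (trust the wire length), `fixed_handler` adds the bounds check the 1.0.1g patch introduced, and `leaked_bytes` shows what a probe recovers in each case.

```python
"""Simulation of a TLS heartbeat exchange (RFC 6520) and of the Heartbleed bug
(CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f.

Added example, not code from the page's sources or from OpenSSL. The server
"process memory" is a constructed bytearray so the leak is reproducible.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3            # type (1 byte) + payload_length (2 bytes)
PADDING_LEN = 16          # RFC 6520 requires at least 16 bytes of padding

# Constructed sample data standing in for whatever happens to sit next to the
# record in a real server process (request buffers, cookies, key material).
SECRETS = (b"GET /login user=alice&password=hunter2 "
           b"Cookie: session=8f3a9c... -----BEGIN RSA PRIVATE KEY-----")


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatMessage: type | payload_length | payload | padding.
    An honest peer leaves claimed_length as None; a Heartbleed probe sets it
    larger than the payload it actually sends (the field allows up to 0xFFFF)."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(memory: bytearray, rec_off: int, rec_len: int) -> bytes:
    """OpenSSL 1.0.1 to 1.0.1f behaviour: trust payload_length from the wire and
    copy that many bytes from just after the header, never comparing it with
    the length of the record that actually arrived (rec_len is ignored)."""
    hb_type, payload_len = struct.unpack_from("!BH", memory, rec_off)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    start = rec_off + HEADER_LEN
    echoed = bytes(memory[start:start + payload_len])   # reads past rec_len
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def fixed_handler(memory: bytearray, rec_off: int, rec_len: int) -> bytes:
    """OpenSSL 1.0.1g behaviour: discard the message unless header + claimed
    payload + minimum padding fit inside the record that was received."""
    hb_type, payload_len = struct.unpack_from("!BH", memory, rec_off)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if HEADER_LEN + payload_len + PADDING_LEN > rec_len:
        return b""   # silently drop the message, as the patch does
    start = rec_off + HEADER_LEN
    echoed = bytes(memory[start:start + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def leaked_bytes(response: bytes, honest_payload: bytes) -> bytes:
    """Everything in the echoed payload beyond what the sender actually sent is
    memory the server should never have disclosed."""
    if not response:
        return b""
    _, payload_len = struct.unpack_from("!BH", response, 0)
    echoed = response[HEADER_LEN:HEADER_LEN + payload_len]
    return echoed[len(honest_payload):]


def run_probe(handler, payload: bytes = b"ping", claimed_length: int = 64) -> bytes:
    """Place a crafted request in constructed process memory, right before
    SECRETS, and return whatever the handler leaks beyond the honest payload."""
    record = build_heartbeat(payload, claimed_length)
    memory = bytearray(record + SECRETS)
    response = handler(memory, 0, len(record))
    return leaked_bytes(response, payload)


if __name__ == "__main__":
    print("vulnerable:", run_probe(vulnerable_handler))
    print("fixed     :", run_probe(fixed_handler))
```

The condition in `fixed_handler` mirrors the one-line check the 1.0.1g patch added to `ssl/t1_lib.c` (`1 + 2 + payload + 16 > s->s3->rrec.length`). Note that the vulnerable path produces a perfectly well-formed heartbeat response, which is why exploitation leaves nothing unusual in ordinary web-server logs; detection has to look at the TLS layer for heartbeat requests whose declared length exceeds the record that carried them.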
“The severity of this vulnerability cannot be overstated”, McAfee concluded.
Some firms are advising users to assume that the worst has already been done: the bug shipped in OpenSSL 1.0.1 in March 2012 and went unnoticed until its public disclosure in April 2014, and because a successful probe looks like any other TLS keep-alive, exploitation leaves no trace in ordinary server logs. So, companies should be preparing teams to move to detection and post-breach response plans rather than waiting for evidence of compromise.
But it won’t be that easy, said ThetaRay, in a blog. “The immediate thought on everyone’s mind is that when there is a bug, there is a patch, and the first thing to do is apply it to stop the bleeding”, it said. “Although this may appear to be a solution and a way of allaying the panic, applying patches to the many vulnerable platforms can take at least six to twelve months. Months will pass before vulnerable vendors, and all levels of end users, return to safe OpenSSL-dependent activity.”
In other words, the gloomy forecast is that Heartbleed will live on, well after patches are issued and applied.
“The bug is so far-reaching into internal networks, server communications, and products that were already shipped out to end users that it will take a very long time until it is completely fixed”, said ThetaRay. “While this process takes its course, the even more troubling thought on everybody’s mind is how malicious actors are planning to exploit this flaw and cause maximum damage while they still have the opportunity.”
Protecting from Heartbleed
To stay fully protected, users should wait for each service to patch the flaw (and, since a leaked private key lets an attacker keep impersonating the site, to reissue its certificate), then set a new, unique, long password for each site visited, and plan to switch them out for other new, unique, long passwords on a monthly basis. Which is, of course, much easier said than done.
As a result, Heartbleed opens the door to another discussion on the efficacy of passwords for data protection in the first place.
“My advice? Scrap passwords altogether”, said Chris Russell, CTO at Swivel Secure, in an emailed statement to Infosecurity. “The inconvenient truth is that web users are neither capable nor are they willing to maintain the complex, rolling system of passwords that today’s web environment demands. Passwords have proven over and over again that they are no longer fit to secure the increasing amount of personal data we now store online and in the cloud.”
Some say the problem is more with password management and resetting practices—and that two-factor authentication can solve many issues. "Passwords are not an invalid 'something-you-know,' but the way the industry uses passwords is flawed", said Peter Tapling, president and CEO of Authentify. "Requiring a longer, more difficult password string makes for a poor user experience. Further, many password reset functions use an email link to reset the password. If a fraudster has all of your bank account login information, they likely have your email login as well, making email ineffective as a second authentication channel. The barriers to hijacking an account protected only by a password are just too low.”
Time to Take Action
The discussion Heartbleed has prompted about better account protection and the security of the internet as a whole will rage on for the foreseeable future, but for now, users do need to take action.
“The first thing you need to do is check to make sure your online services, like Yahoo and PayPal, have updated their servers in order to compensate for the Heartbleed vulnerability”, counseled McAfee, which has also released a Heartbleed Checker tool to help consumers easily gauge their susceptibility to the potentially dangerous effects of the Heartbleed bug.
And, very importantly, “do not change your passwords until you’ve done this”, the anti-virus firm stressed. “A lot of outlets are reporting that you need to do this as soon as possible, but the problem is that Heartbleed primarily affects the server end of communications, meaning if the server hasn’t been updated with Heartbleed in mind, then changing your password will not have the desired outcome.”
Obviously, online services affected by the flaw should be sending emails alerting users that they have updated their servers. “But beware: this is a prime time for phishing attacks—attacks which impersonate services in order to steal your credentials—so be extra careful when viewing these messages”, McAfee warned.