Heartbleed Shouldn’t Be a Headache

I’ve had an exciting 24 hours that served as a good reminder of why we should all have a winter survival kit in our cars.

I took a fast trip out of town this weekend. I was all set to return on Sunday to my little abode at 8,000 feet in the Rocky Mountains when I, along with thousands of others on Interstate 70, ran into one of the spring snowstorms for which the Rockies are famous.

All would have been fine if everyone driving in the Rockies would use proper equipment. But, from experience, I know that is never the case. There are always folks who don’t have the appropriate tires, or chains, or four-wheel drive. So at some point, even if you’re prepared, you’re at the mercy of the unprepared nitwits on the road.

Long story short, while I didn’t spend the night in my Jeep, I did spend it in a motel instead of my bed at home. Not a big deal. But, a great reminder to always have a winter survival kit in your vehicle if you live in areas with unpredictable weather.

In fact, I’ve had a winter survival kit in my vehicle ever since I put the east coast in my rearview mirror and moved to the Rockies more than a decade ago. I’ve used that winter survival kit once and, believe me, it made for a much warmer and safer night on Gore Pass than if I hadn’t been prepared.

Before I turn to the main subject of this Self-Reliance Institute Advisory – the Heartbleed bug – here is the link to your free copy of the April 2014 Self-Reliance Institute Newsletter. I hope you enjoy it! Please feel free to share it with your friends and family! Please click –> HERE.

OK, let’s talk Heartbleed.

By now, members of the Self-Reliance Institute have seen dozens of reports about “Heartbleed.” In fact, it’s hard to turn on the news or read a newspaper or news website without seeing multiple stories and recommendations about Heartbleed.

And while there’s no doubt that some in the media are trying to scare folks so they’ll watch or read the stories, Heartbleed is a genuine vulnerability. Emphasis on vulnerability: what it is not, so far, is a confirmed case of exploitation in the wild.

So before Heartbleed becomes a real headache, let’s discuss what you need to know and do.

First, it’s important to define the Heartbleed bug. The best definition comes from Heartbleed.com:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.” [emphasis (underlining) added by me]

In a nutshell, because of the large number of systems and websites impacted, the Heartbleed bug means we should act as if every secure and private communication is at risk. The affected versions are OpenSSL 1.0.1 through 1.0.1f; the fix shipped in OpenSSL 1.0.1g on April 7, 2014, and a site is only safe once it is running a fixed version.
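To make the Heartbleed.com description concrete, here is an added example, written for this advisory and not taken from OpenSSL or from Heartbleed.com, that models the bug in a few dozen lines of C. A TLS heartbeat request carries a type byte, a two-byte payload length and the payload; the vulnerable server trusted the length in the header and copied that many bytes into its reply, even when the client sent far fewer, so whatever sat next to the request in memory came back with the reply. The “arena” buffer, the fake “session cookie” secret, and the handler names are all constructed for the demonstration; the fix mirrors the length check OpenSSL added in 1.0.1g.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the OpenSSL heartbeat over-read (CVE-2014-0160). Everything here
 * is constructed for illustration, not OpenSSL source: the "arena" stands in
 * for the heap, with a secret placed right after the received record the
 * way neighbouring allocations would be.
 */

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 1 + 2 };

/* The arena is sized so the demo's over-read stays inside one real buffer;
 * in OpenSSL the read ran into whatever happened to sit next to the record. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* Largest possible reply: header + 16-bit payload + padding. OpenSSL sized its
 * reply buffer the same way, which is why the bug was an over-read, not a write. */
static unsigned char reply[HB_HDR + 65535 + HB_PADDING];

/* Write a heartbeat request into the arena and return the record length the
 * TLS record layer would report. claimed_len is what goes in the header; an
 * attacker makes it larger than the payload actually sent. The secret is
 * copied just past the record, standing in for neighbouring heap data.
 * For the demo, claimed_len must stay below ARENA_SIZE - HB_HDR. */
static size_t build_record(const char *payload, uint16_t claimed_len, const char *secret)
{
    size_t real_len = strlen(payload);
    size_t rec_len = HB_HDR + real_len + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);   /* big-endian length, as s2n() wrote it */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, payload, real_len);
    memcpy(arena + rec_len, secret, strlen(secret));
    return rec_len;
}

/* Pre-1.0.1g behaviour (modelled): the only length consulted is the one the
 * peer wrote into the header; the real record length is never checked. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len)
{
    const unsigned char *p = rec;
    unsigned hbtype = *p++;
    unsigned payload = (unsigned)(p[0] << 8 | p[1]);  /* n2s(p, payload) */
    p += 2;
    (void)rec_len;                                    /* ignored: this is the bug */
    if (hbtype != HB_REQUEST)
        return 0;
    reply[0] = HB_RESPONSE;
    reply[1] = (unsigned char)(payload >> 8);
    reply[2] = (unsigned char)(payload & 0xff);
    memcpy(reply + HB_HDR, p, payload);               /* reads past the record */
    memset(reply + HB_HDR + payload, 0, HB_PADDING);  /* OpenSSL used random padding */
    return HB_HDR + payload + HB_PADDING;
}

/* 1.0.1g behaviour: the claimed length must fit inside the record actually
 * received; otherwise the message is silently discarded (RFC 6520, section 4). */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len)
{
    const unsigned char *p = rec;
    unsigned hbtype, payload;
    if (HB_HDR + HB_PADDING > rec_len)
        return 0;                                     /* too short to hold a header */
    hbtype = *p++;
    payload = (unsigned)(p[0] << 8 | p[1]);
    p += 2;
    if (HB_HDR + payload + HB_PADDING > rec_len)
        return 0;                                     /* the fix: claim exceeds record */
    if (hbtype != HB_REQUEST)
        return 0;
    reply[0] = HB_RESPONSE;
    reply[1] = (unsigned char)(payload >> 8);
    reply[2] = (unsigned char)(payload & 0xff);
    memcpy(reply + HB_HDR, p, payload);
    memset(reply + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Does the reply contain the needle? (memmem is not portable, so search by hand.) */
static int reply_contains(size_t reply_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= reply_len; i++)
        if (memcmp(reply + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send an attacker-shaped request (2 bytes of payload, header claims 100) to
 * a handler and report whether the secret beside the record came back. */
static int leaks_secret(size_t (*handler)(const unsigned char *, size_t))
{
    const char *secret = "session cookie: abc123";   /* constructed sample data */
    size_t rec_len = build_record("hi", 100, secret);
    size_t n = handler(arena, rec_len);
    return n != 0 && reply_contains(n, secret);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n", leaks_secret(heartbeat_fixed) ? "yes" : "no");
    return 0;
}
```

The attacker never has to break the encryption: the server voluntarily echoes back up to 64 KB of its own memory per request, and because the request is a perfectly well-formed TLS record, nothing about it shows up in ordinary server logs.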

The good news is that there is no verifiable evidence that the Heartbleed flaw has been significantly exploited by cybercriminals. Keep in mind, though, that a Heartbleed request looks like ordinary encrypted traffic and leaves no trace in a normal server log, so the absence of evidence is weaker than it sounds.

The bad news is that now that everyone knows about Heartbleed, you can bet cybercrooks are quickly moving to take advantage of the flaw.

As an information security consultant, I’ve been inundated with dozens of reports on how to handle Heartbleed. But, at times like these, I turn to one or two folks in the information security business that I know I can trust and rely on for impeccable advice.

One of those gurus is Brian Krebs of KrebsOnSecurity.com. Here’s what Krebs has to say about how to deal with the threat of Heartbleed:

I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (April 7, 2014). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable: [emphasis (underlining) by Krebs]

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

http://heartbleed.criticalwatch.com/

https://lastpass.com/heartbleed/

Krebs goes on to say:

It is likely that many online companies will be prompting or forcing users to change their passwords in the days and weeks ahead, but then again they may not (e.g., I’m not aware of messaging from Yahoo to its customer base about their extended exposure to this throughout most of the day on Monday). But if you’re concerned about your exposure to this bug, checking the site and then changing your password is something you can do now (keeping in mind that you may be asked to change it again soon).”

And this from Krebs is very, very important!!

Given the growing public awareness of this bug, it’s probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question.”

{If you want to read Krebs’ full report, click –> HERE}

Friends, I can’t emphasize that last point enough. Every time a bug like this makes headlines, phishing emails swamp inboxes with links that will do more harm than the original flaw (in this case, Heartbleed) itself. So, as always, don’t trust links in emails unless you are 100% certain who sent them and that the sender hasn’t been duped as well.

So when it comes to Heartbleed, the bottom line is: once a site has confirmed it is patched (and, since the bug can expose the site’s private keys, has replaced its certificate), change your password there – and while you’re at it, beef up those passwords!! – and be prepared to change them again if you get a notice from the various websites and companies you use online. Changing a password on a site that is still vulnerable only hands the attacker the new one.

If you have questions, drop me a line at [email protected]

Be safe and secure,

Rob Douglas
