Heartbleed Bug – What You Should And Shouldn’t Do

If you are looking for information about the Heartbleed bug and what you, or your business, should do next then the good news is that there is already a huge amount of information on the net and in mainstream media. The bad news, however, is that some of the advice on offer isn’t the greatest.

The Heartbleed bug is a vulnerability in a component of recent versions of SSL which is used by many services across the web including banks, email providers and shops, to provide a secure connection between the service and the user. Whilst the average web user may not be aware that they have used it, they will undoubtedly be familiar with the padlock icon in the top left corner of their browser which denotes that it is in use.

At around the same time that the flaw was identified, an online tool was released that allows anyone to force a web server running a vulnerable version of SSL to dump the data it has most recently processed. The information available from that data could be anything but there is a very real chance that it could include the usernames and passwords of recent visitors, administrator credentials and all manner of other sensitive data.

Anyone using such a tool on a vulnerable server could continuously dump data from the same or different sites and quickly compile a huge list of login credentials.

That is why many websites, bloggers and news outlets are advising everyone to change their passwords, but there are some dangers associated with such simple advice.

The main issue is that some people may rush out to change all their passwords without arming themselves with additional essential information.

Should you change your password on a site that is vulnerable to Heartbleed, but not yet patched, then you will have achieved nothing and may even have made matters worse as your new password will now likely be easier to snag when the bad guys dump the server’s recent data. And don’t forget that the publicity surrounding the bug means that the number of people trying to take advantage of it has likely increased exponentially over the last few days which makes that possibility all the more likely.

Therefore, it would be advisable to do a little research before changing your login credentials.

Before changing any passwords you will want to know:

  • Was the website vulnerable in the first place?
  • Has the server been patched yet?
  • Has the site ejected its previous SSL certificate and replaced it with a new one?
  • Has the entity behind the site confirmed that it has been fixed?
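
The third question can be checked yourself from the certificate's "valid from" date, and the four answers together decide whether a password change helps yet. The script below is an added example, not from the original post; the disclosure date is a known fact not stated on the page, the hostname is your own choice, and the vulnerable/patched answers must still come from the site's own announcement.

```python
"""Apply the four-question checklist to a site's TLS certificate and its
known patch status. Added example; not code from the original post."""
import socket
import ssl
import sys

# Public disclosure date of Heartbleed (a known fact, not taken from the post),
# written in the notBefore/notAfter string format that getpeercert() returns.
HEARTBLEED_DISCLOSURE = "Apr  7 00:00:00 2014 GMT"


def cert_reissued_since_disclosure(not_before: str) -> bool:
    """True if the certificate became valid strictly after the disclosure date.

    A certificate issued before disclosure may still be bound to a private key
    that could have been read from the vulnerable server's memory.
    """
    issued = ssl.cert_time_to_seconds(not_before)
    return issued > ssl.cert_time_to_seconds(HEARTBLEED_DISCLOSURE)


def password_change_advice(vulnerable: bool, patched: bool,
                           cert_reissued: bool, reused_elsewhere: bool) -> str:
    """Encode the post's rule: change the password only once the site was
    vulnerable AND has been fixed; otherwise wait, or change only on reuse."""
    if not vulnerable:
        return "reused: change it" if reused_elsewhere else "no change needed"
    if not patched:
        return "wait: still vulnerable"
    if not cert_reissued:
        return "wait: old certificate still in use"
    return "change now"


def fetch_not_before(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate's notBefore string from a live server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    # Usage: python check_site.py example.com  (hostname is your own choice)
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    nb = fetch_not_before(host)
    print(host, "certificate valid from", nb,
          "- reissued since disclosure:", cert_reissued_since_disclosure(nb))
```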

To help you out I have listed a few high profile sites below to get you started:

| Service | Is it vulnerable? | Has it been patched yet? | Should you change your password? |
|---|---|---|---|
| Amazon | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Amazon Web Services | Yes | Yes | Yes |
| Apple | Unknown | Unknown | Unknown |
| Barclays | No | No | Yes, if reused on another service that is vulnerable |
| Dropbox | Yes | Yes | Yes |
| eBay | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Evernote | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Facebook | Yes | Yes | Yes |
| Fox News | No | Not Needed | Yes, if reused on another service that is vulnerable |
| GoDaddy | Yes | Yes | Yes |
| Google/Gmail | Yes | Yes | Yes |
| Hootsuite | No | Not Needed | Yes, if reused on another service that is vulnerable |
| HSBC | No | Not Needed | Yes, if reused on another service that is vulnerable |
| If This Then That | Yes | Yes | Site will force a password reset |
| LinkedIn | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Lloyds | No | Not Needed | No |
| Microsoft services | No | Not Needed | Yes, if reused on another service that is vulnerable |
| OkCupid | Yes | Yes | Yes |
| PayPal | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Pinterest | Yes | Yes | Yes |
| RBS/Natwest | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Reddit | Yes | Yes | Yes |
| Santander | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Tumblr | Yes | Yes | Yes |
| Twitter | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Vimeo | Yes | Yes | Yes |
| Walmart | No | Not Needed | Yes, if reused on another service that is vulnerable |
| Washington Post | Yes | Yes | Yes |
| Wikipedia | Yes | Yes | Yes |
| Yahoo/Yahoo Mail | Yes | Yes | Yes |

If you are concerned about sites not included in that list, and you likely are, then there are several tools available to help you determine whether or not a particular site is vulnerable:

If you identify that one or more of the sites you use is vulnerable, you will then need to find out whether the problem has been fixed or not. The best way to do so is by visiting the site itself, or its accompanying blog, where that information should be prominently displayed (one would hope). If it is not obvious whether the site has fixed the vulnerability then do yourself, and other web users, a favour by contacting the company or site owner and asking for confirmation.

Only when you have discovered a site that was both vulnerable, and subsequently fixed, should you change your password.

When you do so, remember our 10 tips for making a secure password:

  • passwords should be a combination of letters, numbers and symbols
  • never reuse passwords on multiple sites
  • change passwords regularly
  • passwords should be at least 8 characters in length
  • mix upper and lower case letters
  • avoid using ‘dictionary words’
  • never make a password from personally identifying information such as pet or family member names
  • avoid common words, even in combination with other symbols or numbers
  • never share your passwords with anyone
  • use a password manager so you can keep track of all your passwords without writing them down

Furthermore, when changing any passwords as necessary, it would be a good time to see if the site offers two factor authentication which will add an additional security layer and make it much harder for an attacker to access the account, even if they do acquire your password.

Lastly, remember that popular news stories often lead to other types of attacks – be on your guard for emails suggesting that you click through some link to access Heartbleed bug detecting tools or offering fixes. Whilst some security companies may genuinely be sending out such tools or advice, phishers will likely be using such bait to snare additional victims too.

Thanks to Sarah Clarke (@S_Clarke22) for inspiration.

2 thoughts on “Heartbleed Bug – What You Should And Shouldn’t Do”

  1. Another must do when it comes to Heartbleed is to create an inventory of all systems on your network that may be running OpenSSL. High profile websites are the obvious ones but in today's Internet of things world, many devices run web services. I checked my home network and found a NAS system and a network connected media player running OpenSSL.

    Darragh