10 Apr 2014

Heartbleed: why you should change passwords

This is about an obscure but vital piece of internet architecture called SSL, or Secure Sockets Layer. Despite the fact that it underpins much of the internet security you take for granted, for example internet banking, you may not have heard of it. Perhaps news of a serious flaw in this system will encourage more people to get a grip on a technology that’s playing an increasingly pivotal role in our lives.


Here’s how it works, in layman’s terms: when you visit the website of your bank, email provider, or any service which requires a bit of secrecy, your computer opens up a private tunnel through which to send traffic back and forth, so that no-one can snoop on the information.

This tunnel is the Secure Socket Layer (SSL). You can tell when it’s active because, in most internet browsers, a padlock symbol will appear next to the website address. The keys to that tunnel are held by a third party, which means they can be accessed by both your computer and the website you’re accessing, be it your bank, email provider, or whoever.

OpenSSL is one of the main providers of those keys. Some earlier versions of its software have been found to be vulnerable to an attack, nicknamed Heartbleed, which means a hacker can get the keys to a user’s private tunnel and hoover up the sensitive information passing through it, such as login names and passwords.

It’s bad news, and yes, changing passwords is a good idea. But there are a few reasons to be level-headed. Firstly, it only affects earlier versions of OpenSSL, so companies that regularly update their software are safe.

Secondly, now that the vulnerability is known, companies are rapidly patching their systems to secure against it.

But here’s the odd thing about this story: generally, when a hacker discovers a flaw like this, they sell it to one of the main cybercrime gangs, who abuse it as much as they can. At some point, news of its existence leaks out, and the wider criminal community starts exploiting the vulnerability.

Eventually it gets into the hands of low-level operators, who post the hacked information on forums, tipping off law enforcement agencies and security firms who then start advising companies on how to plug the holes in their security.

What’s odd is that this OpenSSL problem has reportedly existed for two years, and has only just become public. That makes me think of two potential explanations: one, that the vulnerability was never discovered by the criminal community, in which case we’ve dodged a bullet. That’s the optimistic explanation.

Here’s the pessimistic one: the vulnerability was kept a carefully guarded secret by one cybercrime gang or group of gangs who’ve been systematically milking it for two years to hoover up gigabytes of sensitive traffic and perpetrate fraud and identity theft on an epic scale.

Regardless of whether you see the glass as half full or half empty, changing passwords is worth doing, and to be honest, it’s something you should probably do every six months or so anyway. It’s a pain, I know, but to quote Thomas Jefferson and others, “the price of freedom is eternal vigilance”.

A strong password includes upper and lower case letters and numbers, and should be unique to the account. Non-dictionary words are best: for example, take the first letter from each word in a line from your favourite song or book.

So for example, “Romeo Romeo wherefore art thou Romeo” would become ‘rrwatr’. Add a number that’s significant for you, perhaps the first ascent of Everest in 1953. That gives you ‘rrwatr1953’.

You also need to make a unique password for each site, which sounds like a hassle, but you can simply amend the same password, for example ‘BOOKrrwatr1953’ for Facebook, ‘TWEETrrwatr1953’ for Twitter, etc.
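As an added illustration (this is not code from the original article), the short script below carries out the recipe described above: it takes the first letter of each word in a phrase, appends a memorable number, and prefixes a per-site tag. It then checks the result against the article’s own rules for a strong password (upper and lower case letters, a number, and uniqueness across accounts). The function names and the phrase and number used as sample input are this example’s own choices; the phrase and number simply reproduce the article’s worked example.

```python
"""Derive a password the way the article describes and check it against the
article's strength rules. Added example, not the author's code."""
import string


def initials(phrase: str) -> str:
    """First letter of each word in the phrase, lower-cased (e.g. 'rrwatr')."""
    return "".join(word[0].lower() for word in phrase.split() if word[0].isalpha())


def derive_password(phrase: str, number: int, site_tag: str = "") -> str:
    """Site tag + initials + significant number, as in the article's examples."""
    return f"{site_tag}{initials(phrase)}{number}"


def check_strength(password: str, others: frozenset = frozenset()) -> list:
    """Return the article's rules that the password fails (empty list = passes).

    `others` is the set of passwords already used on other accounts, so the
    uniqueness rule can be checked as well.
    """
    failures = []
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("no upper case letter")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("no lower case letter")
    if not any(c in string.digits for c in password):
        failures.append("no number")
    if password in others:
        failures.append("reused on another account")
    return failures


if __name__ == "__main__":
    # Sample input constructed from the article's own worked example.
    phrase, number = "Romeo Romeo wherefore art thou Romeo", 1953
    base = derive_password(phrase, number)
    print(base, check_strength(base))
    # Per-site variants, each checked against the ones already in use.
    in_use = set()
    for tag in ("BOOK", "TWEET"):
        pw = derive_password(phrase, number, tag)
        print(pw, check_strength(pw, frozenset(in_use)))
        in_use.add(pw)
```

Running it shows that the bare ‘rrwatr1953’ fails the article’s upper-case rule, while the site-tagged versions pass all of them; the checker only applies the rules the article states, so it is a sanity check on the recipe, not a general strength meter.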

Follow @geoffwhite247 on Twitter