The Heartbleed wrap up

Lots of useful resources have been published in the wake of the exposure on April 7th of the "Heartbleed" bug.
Here's my pick of the best articles and resources available online - whether you need help, or you just want to know more.

What you need to do now (if you haven't already)

Check this list of popular sites to see if any you use were affected. If they were, it's important to change your password as soon as possible, as it could have already been stolen by attackers.

If you run a website then you need to do to check whether your site is vulnerable, and if it is, then there are actions you need to take to safeguard your customers and your data.
Test whether your site is vulnerable using this tool https://filippo.io/Heartbleed/

The official heartbleed website has information about what to do next if your site is vulnerable.

Understanding the problem

The problem is complex and not easy to understand. Lots of sites did a write up of the issue to explain it but some were more successful at this job than others.

I particularly like The Economist’s article entitled Digital Heart Attack and this cartoon in the xkcd series explains how an attacker can exploit the bug it an a very visual way.

Protecting your passwords going forward

Two unfortunate facts of modern life are that there are always going to be security issues and that passwords are going to get lost or stolen. The best single change you can make to protect yourself is to use two factor authentication – which means that to log in to the site you have to enter another piece of information as well as your password. It requires both "something you know" (like a password) and "something you have" (like your phone). It means that even if someone steals your password the “something you know”, they still can’t log in to your account unless they also have the “something you have”.

This video on youtube, created by Google does a really good job of explaining it and how to use it to protect your Google account.

This recent blog post by the Wall Street Journal explains how to enable it on 11 major web services including Google, Twitter, Facebook  and Apple.

Full list of links referenced
The Heartbleed Hit List: The Passwords You Need to Change Right Now http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/#:eyJzIjoiZiIsImkiOiJfYzZleDAwZGhtZGltaTl1ZyJ9

The Economist: Digital heart attack (April 12^th 2014) http://www.economist.com/news/business/21600691-flaw-popular-internet-security-software-could-have-serious-consequences-all-sorts

Heartbleed explanation by xkcd
http://xkcd.com/1354/

Official heartbleed site

http://www.heartbleed.com 

Youtube video on two factor authentication
https://www.youtube.com/watch?v=zMabEyrtPRg

Safety First! How to Sign Up for Two-Step Verification on 11 Top Online Services http://blogs.wsj.com/personal-technology/2014/04/11/safety-first-how-to-sign-up-for-two-step-verification-on-11-top-online-services/

(This post was adapted from one I wrote for our internal company intranet site.)

The SANS Holiday hacking challenge

The SANS guys have developed a pretty impressive holiday-themed hacking challenge. Speaking as someone who creates crisis management table-top exercise scenarios as part of my job, I'm always impressed by the level of effort and details that goes into creating these challenges.

Even if you don't have the type of skills required to participate in a challenge like this, you can still benefit from  it, by using it as a chance to get inside the mind of an attacker and think like "they" think.
Then, continue in that mindset and turn your attention to your own organization's network. How would you attack it if you were inclined to - what would you target?

Your own security program will benefit if you start to think like this.

Hakin9 magazine exposed by security researchers

Speaking as someone who has recently received multiple requests from hakin9 to contribute articles to their magazine, I found this article on The Register very entertaining.

I received a request from hakin9 (at the time I hadn't heard of their website or magazine) asking for an article on achieving the CISSP certification. I was interested and replied asking for more detail on what they were looking for. They responded but I was busy and never wrote anything for them.
Then a week or so later I received another request asking me to contribute an article about SNORT but it seemed to me that whoever had written the request didn't really understand what SNORT was - which I thought was odd and forgot all about it, until someone sent me the article above. Enjoy!

Hooking the big one?

A sensitive computer network belonging to the US government has been compromised in a targeted spear-phishing attack - as reported by Bill Gertz on the Washington Free Beacon's web site.

Additional write up on CNET News.

Both stories say that China was behind the attack, but this brings to my mind the problem of attack attribution in this kind of situation. The only evidence the articles cite is that the attackers "used servers located in China". How easy is it to rent hosting space in a Chinese data center and attack the US, in order to make it look like the Chinese are behind it? I'm not sure. Wouldn't Chinese state-sponsored hackers use a third party country to avoid attracting attention? Or maybe that's what they want us to think?

Virgin Mobile: a case study on how not to implement password authentication

This article caught my eye today. Virgin Mobile shows everyone all the places you can go wrong when implementing website password authentication.

The good side of this story? I am planning to use this as a case study when discussing web app authentication with our software developers. Not much comfort if you're a VM customer though.

Social Engineering, or "Why I hate so-called Security Questions"

 You may have already read the story of a Wired reporter, Mat Honan, whose online accounts were hacked by an attacker who used social engineering tricks and then wiped data from his phone, his laptop and took over his and his employer's twitter accounts to broadcast homophobic and racist messages on his behalf.

Here's the original story that recounts all of the security failings by Mat himself, by Apple, Amazon and Google in detail.
Here are articles about changes that Amazon and Apple are making to their customer care procedures in the wake of this attack,
and here's a good article which gives a lot of good advice on how to avoid being hit by the same or similar fate.

A lot of the advice in the article has been preached by security professionals like me for years. This story is a great illustration of why I think reliance on "security questions" by businesses as a way of establishing identity of an individual is totally ridiculous in 2012. By "security questions" I mean the type of questions a business asks you like what town you grew up in, or your mother's maiden name or what year you were born etc. etc. The ones they think will really let them be 100% sure it's really you they're talking to. The problems is, anyone can find the answers to these questions about you on Facebook, or by searching other public information sources.

Photo by Dave Delaney on Flickr

The only way that "security questions" can actually work as an effective identification mechanism is if you use intentionally false and random answer that only you could ever know, (and you keep a record of it).
For example, if you set up an account and are asked for your mother's maiden name  - why not answer "geranium", "roulette", or "haddock" (assuming none of those are correct answers for you). Make a note of the answer you've given to this organization, and in future even someone who can google your entire family tree will never find the correct answer in any kind of online public record. You'll be able to supply the correct answer, because you made a note of the answer you gave when creating the account. You did remember to do that right?

In the case of Mat Honan, unfortunately customer service staff gave attackers access to his online account EVEN THOUGH the attackers could not answer the security questions required. So, obviously the method I outlined above will not help you in this case. Check out the third article in the list for other helpful advice that would have helped Mat, and can help you avoid sharing his fate.

Do you have any suggestions of other advice that would have helped? Leave a comment below.

[Updated Aug 8 2012 to add a link to story about Amazon's changes to their procedures after this attack.]

The CloudFlare breach - and what it means for organizations

In July an attack on a content delivery company, CloudFlare, exploited weaknesses in the two-factor authentication systems Google provides to protect personal and business accounts. 

Google issued an update to correct a flaw the proces used to recover passwords which allowed the attack to take place, and the CEO of CloudFlare, Matthew Prince wrote an extensive blog entry about the attack, their investigations, and giving advice to organizations on protecting themselves from the same attack.

The attack highlighted the need for organizations using software-as-a-service email providers to review the "lost password" procedures for their administrator accounts on those services, and ensure that all contact methods they will use to receive messages about password resets are secure and cannot be redirected or accessed without their knowledge.