
Monday, April 21, 2014

The Heartbleed wrap up

Lots of useful resources have been published in the wake of the exposure on April 7th of the "Heartbleed" bug.
Here's my pick of the best articles and resources available online - whether you need help, or you just want to know more.

What you need to do now (if you haven't already)


Check this list of popular sites to see if any you use were affected. If they were, it's important to change your password as soon as possible, as it could have already been stolen by attackers.
If you run a website then you need to check whether your site is vulnerable, and if it is, there are actions you need to take to safeguard your customers and your data.
Test whether your site is vulnerable using this tool 
https://filippo.io/Heartbleed/
The official heartbleed website has information about what to do next if your site is vulnerable.

Understanding the problem
The problem is complex and not easy to understand. Lots of sites did a write up of the issue to explain it but some were more successful at this job than others.
I particularly like The Economist’s article entitled Digital Heart Attack, and this cartoon in the xkcd series explains how an attacker can exploit the bug in a very visual way.

Protecting your passwords going forward
Two unfortunate facts of modern life are that there are always going to be security issues and that passwords are going to get lost or stolen. The best single change you can make to protect yourself is to use two-factor authentication, which means that to log in to a site you have to enter another piece of information as well as your password. It requires both "something you know" (like a password) and "something you have" (like your phone). It means that even if someone steals your password (the “something you know”), they still can’t log in to your account unless they also have the “something you have”.
This video on YouTube, created by Google, does a really good job of explaining it and how to use it to protect your Google account.
This recent blog post by the Wall Street Journal explains how to enable it on 11 major web services including Google, Twitter, Facebook and Apple.


Full list of links referenced
The Heartbleed Hit List: The Passwords You Need to Change Right Now
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/#:eyJzIjoiZiIsImkiOiJfYzZleDAwZGhtZGltaTl1ZyJ9


Heartbleed explanation by xkcd
http://xkcd.com/1354/

Official heartbleed site

Youtube video on two factor authentication
https://www.youtube.com/watch?v=zMabEyrtPRg



(This post was adapted from one I wrote for our internal company intranet site.)

Wednesday, September 19, 2012

Virgin Mobile: a case study on how not to implement password authentication

This article caught my eye today. Virgin Mobile shows everyone all the places you can go wrong when implementing website password authentication.

The good side of this story? I am planning to use this as a case study when discussing web app authentication with our software developers. Not much comfort if you're a VM customer though.

Tuesday, August 7, 2012

Social Engineering, or "Why I hate so-called Security Questions"

You may have already read the story of a Wired reporter, Mat Honan, whose online accounts were hacked by an attacker who used social engineering tricks and then wiped data from his phone and his laptop, and took over his and his employer's Twitter accounts to broadcast homophobic and racist messages on his behalf.

Here's the original story that recounts all of the security failings by Mat himself, by Apple, Amazon and Google in detail.
Here are articles about changes that Amazon and Apple are making to their customer care procedures in the wake of this attack,
and here's a good article which gives a lot of good advice on how to avoid being hit by the same or similar fate.

A lot of the advice in the article has been preached by security professionals like me for years. This story is a great illustration of why I think reliance on "security questions" by businesses as a way of establishing the identity of an individual is totally ridiculous in 2012. By "security questions" I mean the type of questions a business asks you, like what town you grew up in, your mother's maiden name, or what year you were born, etc. The ones they think will really let them be 100% sure it's really you they're talking to. The problem is, anyone can find the answers to these questions about you on Facebook, or by searching other public information sources.


[Image: "Security Questions". Photo by Dave Delaney on Flickr]

The only way that "security questions" can actually work as an effective identification mechanism is if you use intentionally false and random answers that only you could ever know (and you keep a record of them).
For example, if you set up an account and are asked for your mother's maiden name, why not answer "geranium", "roulette", or "haddock" (assuming none of those are correct answers for you). Make a note of the answer you've given to this organization, and in future even someone who can google your entire family tree will never find the correct answer in any kind of online public record. You'll be able to supply the correct answer, because you made a note of the answer you gave when creating the account. You did remember to do that, right?

In the case of Mat Honan, unfortunately customer service staff gave attackers access to his online account EVEN THOUGH the attackers could not answer the security questions required. So, obviously the method I outlined above will not help you in this case. Check out the third article in the list for other helpful advice that would have helped Mat, and can help you avoid sharing his fate.

Do you have any suggestions of other advice that would have helped? Leave a comment below.

[Updated Aug 8 2012 to add a link to story about Amazon's changes to their procedures after this attack.]

Wednesday, June 13, 2012

Malicious e-mails: new and improved!

"The payment you sent"
"Please confirm your LinkedIn password"
"Your bill is now available"
"Your paypal.com transaction"

Recently I've received a number of e-mails about services I use and subscribe to; some of the subject lines are shown above. The e-mails look very genuine, and they are normally telling me about a problem with my account and urging me to click the "Login" button as soon as possible to resolve the issue. If my personal experience is anything to go by, recently these scam e-mails are looking more and more like the real thing. They are designed to look as "official" as possible and they are solely designed to prompt you to log in to your account at PayPal, or your bank, or your mobile phone company, or LinkedIn - I've received examples purporting to be from all of these companies in the last week or so.

Of course, when you click the "log in to my account" link from the scam e-mail, you're not actually going to the real site but to a site created by the attacker which looks identical (apart from the address in the URL bar, which will NOT be the address of the site you think you are logging into but something which looks almost the same).

After you've logged in to the fake website, the attackers will take a copy of your log-in details. They can then either use the username and password they now know to log you in to the real site and redirect you to it (so you'll never know what just happened) or they can show you a page which says the site is "down for maintenance, please try later" - again, you might not suspect that your details have just been stolen. After that, the attackers can do whatever they like to your account. For example, they can transfer money to their own account, and you'll probably have a hard time proving that it wasn't you.

If you have any suspicions about an email you receive, never click on the link inside the e-mail. Instead, go to the account it relates to by typing the address into the browser yourself. That way you know you're going where you think you're going.


What do you think? Have you noticed the "quality" of these types of email improving recently? Let me know in the comments.

Monday, May 21, 2012

Security mindset

Interesting article about the mindset of security practitioners - thanks to Bruce Schneier for highlighting this one.

Tuesday, May 15, 2012

Password questions

A report from CNET about the compromise of thousands (the exact number of accounts compromised seems to be disputed, but seems to be over 20,000) of twitter account credentials.

If your account is affected you should've already been notified and should follow the instructions. If you're not directly affected, now might be a good time to revisit your password for twitter and other online services and ask yourself some questions:

1. Am I using the same password for multiple services?
2. Could someone who knows me (or who can find me online) easily guess the password I'm using?
3. Is the password strong (letters, numbers and ideally special characters)?