The Heartbleed bug was huge news last week and still is. As a hobbyist programmer, I am saddened that attention to the art of software-making was brought on as a result of this alarming situation rather than by something positive. In our previous blog posts on the topic we received a number of questions and comments about how to reduce the risk of a possible attack using this vulnerability. Obviously we are not alone in sharing advice (almost everyone does nowadays), but I keep noticing that the majority of blog posts and articles are more or less devoted to an explanation of technical matters. Of course, this story is highly technical in nature, but when you run your own business you don’t think about it like SSL, Heartbeat, memory dumps and the like. You think about lost profits, the compromise of customer data or the unavailability of your website. Is my company affected? Were my passwords compromised and where? What is the right thing to do right now? These are the topics that I will discuss today.
- Make sure your website is unaffected. Or fix it.
- Change the password for your online bank account.
- Change all other passwords just to be sure. Make sure your employees do the same.
Things to discuss with the IT guy
There is always an IT guy: your full-time employee, a freelance specialist or just a support team from a company that provides you with a web service, virtual infrastructure, etc. This is a person who will eventually clean all the mess and make sure that your data stays safe. In most cases what you have to do is just to ask the right questions.
Did they steal our passwords?
This is not the right question. IT people don’t know (no one does), due to the specifics of the bug. The vulnerability can be exploited without leaving any trace of an attack. This one is correct:
Is our infrastructure vulnerable?
By ‘infrastructure’ I mean almost anything with an internet connection, apart from your laptops and desktops (I will talk about them later). Website? Yes, certainly. File server? Office Internet router? In some cases, they might not be vulnerable, or, even if they are, the vulnerable protocol might not be utilized. But it is a good idea to double-check anyway: the IT Pros will then narrow the list down to services and hardware running Linux or Unix-based systems with OpenSSL installed. We won’t talk too technically here, but it is useful to know the exact vulnerable versions of the OpenSSL library. Everything from 1.0.1 to 1.0.1f is prone to this bug. All versions below or above these are okay.
So my website was (is) vulnerable. What should I do?
Let the IT guys do their work. Or insist on a solution from a company that handles your website. Sometimes upgrading software on a production server is a tricky process, but hey, if major internet giants like Google managed to solve the problem in a few hours after the vulnerability disclosure, on a much more complicated infrastructure, everything else should not be a big problem.
So, closing the vulnerability on the services or infrastructure you are directly responsible for (like your company website), is the first priority. For example, if your website is hosted by GoDaddy, you might start by reading this statement from their website. Next you might want to contact their support and clarify, if your website was affected. The following procedure may require additional steps from your side as well.
The passwords problem
Now we can proceed with the “did they steal our passwords” question. Once again, it is impossible to tell. Is it possible to steal a password from a vulnerable website? Yes. What other passwords could be stolen? Do you have to change passwords at the cloud service of your choice? Was Dropbox vulnerable? GMail? Yahoo? Your bank?
There are two ways to evaluate the risk. First is to conduct the research: lots of companies disclosed a lot of information on the potential vulnerability of their services. Let’s name a few:
- Cloud services Google, Amazon Web Service and Rackspace: affected (via ZDNet)
- Social networks: LinkedIn and Twitter unaffected, Instagram and Tumblr affected (via Mashable)
- E-Mail: GMail and Yahoo affected, Outlook – unaffected.
- Zoho – affected. Basecamp – no. Prezi – yes.
So, if a certain web service was vulnerable and you used it after the vulnerability disclosure and before they fixed everything, you should change your password. Sounds really complicated. Why spend hours on such research, when you can just go in and change the passwords to all services you use, for work or personal matters. The Heartbleed is the perfect occasion to do just that! It is really worth the time spent. Some say that changing the password is useless if a service is still vulnerable, or its certificates were stolen by the attackers. This is true, but, once again, if you are a small company with limited resources, you don’t have time to investigate and sort out the resources you use by their current and future state of security. Just change the password. To be sure, change it once again a month or two later when even the slowest service providers will, hopefully, apply a fix.
The passwords solution
Here are the top five tips on securing your passwords. Keep in mind that we as a security company, stick to these rules regardless of vulnerability disclosures, cyber attacks or other events.
- Use complex passwords. 123456 is not an option.
- Change passwords regularly
- Do not use the same password for different services
- Do not store passwords on insecure medium (text file or piece of paper)
- If available, always use 2-Step verification – when a one-time password is sent to your mobile or generated via a separate app or device. Service like GMail, Zoho and Facebook as well as many banks provide it.
Will Kaspersky protect my laptop?
Finally, let’s talk about your office desktop and your home laptop. If you use Kaspersky Lab’s software on your PC, will the Heartbleed bug affect you? To start with, Windows machines (like your laptop or maybe your Windows-based file server at the office) are not affected by OpenSSL bug. They just don’t use OpenSSL, which is essentially a product of the open-source community. If you happen to run Ubuntu or other Linux flavor, then you should perform an upgrade of course, but now let’s concentrate on the Windows machines.
If they are not affected, does it mean that everything is safe? No, unfortunately. You open your web browser on a Windows machine which is totally secure, navigate to a web service of your choice, enter your password and it gets stolen on the server’s side.
What our products can help you with, apart from protecting you from millions of other cyber threats, is, in fact, managing your passwords. This feature is available as a standalone product named Kaspersky Password Manager, but also as part of Kaspersky Small Office Security (try it here) suite designed for small businesses and Kaspersky PURE for your private PC. These solutions allow you to store your passwords in an encrypted form and easily transfer them from one machine to another, helping to generate secure passwords. It is also the right tool to store and use unique passwords for each web service, which is always the right thing to do.
Have any questions? Want to share a #heartbleed experience? Feel free to leave a comment. Our team is always ready to help.