Heartbleed – A story of Confusion and Conflicting Advice

The general public using all sorts of websites (including financial) using all types of PCs and other browsing devices have been left in a state of confusion by the ‘security industry’ and website owners.

NetPilot have stated that they are NOT impacted and some of its competitors such as Sophos have admitted their users will have to update their products. So some organisations have added some clarity – but they are a very small minority.

Since the initial Heartbleed report was widely published, ordinary people and particularly small and medium sized businesses have been left totally confused over conflicting advice about how to protect themselves from the Heartbleed security flaw.

A number of web and security companies advised individuals to immediately change their passwords as soon as possible before exploits were released that could take advantage of the security flaw. Broadcasters such as the BBC wheeled out their usual motley collection of so-called ‘security experts’ who whipped up concern by stating everyone should immediately change all their passwords.

Others, who actually did a little bit of research or thought about things before diving in front of a microphone to grab the limelight,  warned that rushing to change passwords  could make the problem worse if the service they are using has not patched their OpenSSL (the software with the bug).

Plainly there was no point in changing passwords if hackers could still steal any new passwords. Our advice and that of those with at least some knowledge of the detailed issues advised users was to wait for a day or two before changing passwords to give services the time to update their websites.

What’s this all about?

A security flaw in OpenSSL was uncovered by Finnish Security Company Codenomicon and Google Security. It potentially enables any attacker to be able to crack the encryption that is supposed to protect websites using the open source application. It is typically used to secure password access to systems including financial services.

Codenomicon have produced an excellent Q&A – See here.

So why is Heartbleed any different to any other internet security alert (=panic)?

Two main areas: firstly the huge number of websites potentially compromised and thus vast number of users impacted; secondly the wide scale publicity and alerting the general public to act.

So which sites have admitted they have had a problem and which sites have not said anything?

Yahoo advised users to change passwords having said it was affected but has now updated its systems. They are however one of the few organisations to hold their hands up and say clearly there was a problem – and now we have fixed it.  Tens of thousands of other organisations are saying nothing!

Some observers have made lists of who they think have been impacted or not. See here.

The difficulty with such lists is they are soon out of date and unfortunately determining if a site has updated its software or not from the outside as an ordinary user, is quite difficult for the non-expert.

Generally few website owners saying anything.

Who definitely has not been impacted?

This is an easier question to answer! Websites running Microsoft servers have not been affected as they do not use OpenSSL. So how can I tell who is using what? Tools such as Netcraft can give some of this information –  See here. However, this is not perfect nor easy to understand for the average PC user who wants simple clarity.

As Google were part of the team that publicised the issue in the first instance one would guess they have fixed all their issues – if there were any – before Heartbleed became public knowledge.

So what to do now?

Look to see if any of the website you use are offering any information. None of the financial sites I use are actually saying anything.

Changing your passwords now is definitely a good idea. Ordinary users are also in a state of confusion about discovering what were their passwords, what to choose now as a more secure new passwords, as well as worrying about how to remember all this new information.

However this has brought out another rash of so-called experts advising how to remember passwords. Some of this advice is embarrassingly awful. It also has brought out the password management sales people claiming now is an ideal time to use their products. Personally keeping all my passwords in one place and that place being online with several million hackers no doubt attempting a beach every hour of the day does not seem smart to this writer.

Has anyone learnt anything? Will the IT and Security Industries handle things better next time?

This writer very much doubts it. Next week and next month this will be very old news. The vast majority of website owners will not publicise whether they have had a problem or not, nor will they admit if they have had a breach which has been exploited. Things will just go very quiet on the subject. Not the ideal situation!

Dave Abbot for NetPilot

 

No Comments Yet.

Leave a comment