I'm posting early this week as I thought this post may be helpful in calming a few nerves (or confusing a hell of a lot of people). You’ve probably all seen the headlines in the news recently about the Heartbleed security bug that has got the world panicking, but for some of you the headline and the first few lines are likely as far as you got. At first they were saying that you should change all your passwords, then they were saying that you shouldn’t do it yet. So what’s going on and does it affect you?
[To anyone that knows about IT, this post may offend you with its clunky metaphors. Back away slowly, nobody needs to know you were here.]
Before we discuss anything further it will help you to know that when you delete anything on a computer it isn’t actually erased. All that happens is that the memory location where that data sits is flagged as available. That data will still be there until the computer sends other data to overwrite it. You may not be able to see it, but it’s still there.
Heartbleed
Heartbleed exploits this fact. This is it in an extremely simplified nutshell. Heartbleed is basically a problem with the communication between your computer (or tablet, or smartphone) and pretty much any server (web computer) that it talks to when requesting secure web pages. To check that both ends are still connected and ready to exchange secure data they perform a ‘heartbeat’ - your end sends a message that effectively says “if you’re still connected, send me back this word “badger”, it has 6 letters” (it doesn’t have to be badger, it can be any word. I like badgers). The server receives it and sends back “badger”. Both ends are happy and they get on with the exchange. This happens hundreds of times for each exchange. With me so far? Easy, right?
The problem arises when a computer sends a ‘heartbeat’ that’s a bit tricksy - “if you’re still connected, send me back this word “badger”, it has 100 letters”. Spot the deliberate mistake? The server doesn’t (or didn’t). It simply sees it, responds with “badger….” and the next 94 letters that are sitting in that part of its memory. It could be rubbish. Most of the time it probably is rubbish, but sometimes the thing that’s sitting in that next bit of memory is a password, or bank details, just waiting to be overwritten.
This comic from xkcd.com is a fantastic explanation, if you’re still unsure. To be honest, I’ve just read back my explanation and now I’m confused!
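For the reluctant techies who want to see the badger exchange in code, here is a small Python model of it (an added example, not from the original post and not OpenSSL's code). The server memory, the fake credential sitting next to the heartbeat buffer and the 100-letter claim are all constructed here; the fixed version applies the same rule the real fix did: a heartbeat that claims more letters than actually arrived is simply dropped.

```python
import struct

# Constructed "server memory": the heartbeat buffer lives at offset 0 and some
# other data (a made-up credential) happens to sit right after it, followed by
# plenty of empty space. Nothing here touches a network or a real server.
SERVER_MEMORY = bytearray(16) + bytearray(b"session=abc123;pw=hunter2;") + bytearray(100)


def heartbeat_request(word: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat: a 2-byte big-endian claimed length, then the payload."""
    return struct.pack("!H", claimed_len) + word


def parse_request(request: bytes):
    claimed_len = struct.unpack("!H", request[:2])[0]
    return claimed_len, request[2:]


def vulnerable_heartbeat(request: bytes, memory: bytearray) -> bytes:
    """The bug: copy the payload in, then echo back claimed_len bytes without
    checking that the client really sent that many. The slice runs past the
    payload into whatever is stored next to it."""
    claimed_len, payload = parse_request(request)
    memory[:len(payload)] = payload
    return bytes(memory[:claimed_len])


def fixed_heartbeat(request: bytes, memory: bytearray):
    """The fix: if the claimed length is bigger than what actually arrived,
    discard the heartbeat (return None); otherwise echo exactly what was sent."""
    claimed_len, payload = parse_request(request)
    if claimed_len > len(payload):
        return None
    memory[:len(payload)] = payload
    return bytes(memory[:claimed_len])


def demo() -> dict:
    """Run the honest 6-letter badger and the tricksy 100-letter badger
    through both servers, each on a fresh copy of the memory."""
    honest = heartbeat_request(b"badger", 6)
    tricky = heartbeat_request(b"badger", 100)
    return {
        "honest_vuln": vulnerable_heartbeat(honest, bytearray(SERVER_MEMORY)),
        "tricky_vuln": vulnerable_heartbeat(tricky, bytearray(SERVER_MEMORY)),
        "honest_fixed": fixed_heartbeat(honest, bytearray(SERVER_MEMORY)),
        "tricky_fixed": fixed_heartbeat(tricky, bytearray(SERVER_MEMORY)),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(name, reply)
```

The tricksy request against the vulnerable server returns "badger" plus the made-up credential that was lying next to it; against the fixed server it gets nothing at all.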
The scary thing is that this bug has affected secure servers across the world, because they all use the same protocols and the same code. The bad guys (the ones with goatee beards, you’ve seen them) can send thousands of heartbeats, one after the other, just to see what they get. Sometimes they’ll get lucky.
Computer companies, banks and online security firms are rushing to correct the problem now. The fix is a simple one (well, the code is relatively simple), but it has to be done absolutely everywhere so it will take some time. The major browsers (Internet Explorer, Chrome, Firefox and Safari) have all been updated (let your computers update, people!), but the biggest issues are probably smartphones. This code is built into the operating systems and they can take some time to get a refresh.
What about me?
So, are you compromised? Who knows? Keep an eye on your most sensitive things for the moment, but hold off on changing your passwords. Chances are that if you haven’t been caught out by it yet you’ll probably be ok. The papers were clamouring that we all needed to change our passwords, that it was the end of the world, but if we all rush to change them now and the code hasn’t been fixed? Yep, you’ll actually be giving your new password to the goatee-clad evildoers! They’re all there now, like the child-catcher, poised with a big net to steal all your data.
A few rules:
- If you receive an email telling you to change your password on one of the sites you use, don’t click on any links in that email, especially if it’s from ‘your bank’. Legitimate emails will ask you to visit in the usual way to change your password. Fake emails could send you to fake sites and then you’ll be giving the miscreants all your information.
- Go to the homepage of a site that you regularly visit - the big names will all have information or links to tell you if their services have been affected by this bug.
- If you really must log on now, use a computer rather than your phone, it's more likely to have been patched.
- Keep your peepers peeled for updates on your computer, smartphone and tablet. These are the only way you will become immune to this bug. This is not a computer virus, so your antivirus program can do nothing (make sure that’s up-to-date anyway, always. If it has an auto-update feature, use it. Don’t make me come over there…).
- As the late, great Douglas Adams wrote, Don’t Panic! If you haven’t been hit yet, and have no need to log into any of these sites, then just sit back and wait. The data can only be grabbed when you try to connect, so if you don’t connect, you’re safe. Waiting then gives those sites time to update their code.
Passwords
And if you do need to change your password? We all know we should have a different password for every site, but who actually does? Most of us probably have the name of a relative or pet with a number at the end, and that gets recycled on all the sites we visit. Unfortunately, if I can guess that, so can the naughty people. Here are a few tips that might help:
- If possible, use substitutions of numbers or symbols for letters (see the title of this post)
- Most password cracking tools use ‘brute force’ attacks and try thousands of options, mainly with words from the dictionary. Changing the spelling to something unusual is a good idea.
- Put a space or two (or three) in the password. A space isn’t in the dictionary (thanks for the tip, Dom T!).
- If you refuse to have to remember a different password for each site you visit, come up with a code or abbreviation for each site and put that at the front, end, or somewhere in the middle of your regular password. That way each password is now different but still easy to remember.
- Put in symbols that are infrequently used, such as §, ±, } and ~ (there are hundreds, have a play).
Hope this has helped. I’d like to leave you feeling all warm and fuzzy, but I’m not wearing my magic hat. Hopefully I leave you a little better informed, able to ask the right questions and look out for the right things. Any questions, just leave a comment and I’ll try to answer them as best I can.
Enjoyed this. See here too: https://www.grc.com/haystack.htm
Thanks, Dom. That's a good article. Basically what it's saying is that the longer a password the better. Once you ensure you have one each of lower case, upper case, number and symbol, make the password as long as possible, even if it's by simply repeating the final character 5 or 6 times (or the first). This makes a brute force attack much more difficult. Good tips, thanks for sharing.
Useful for us reluctant techies....Thanks!
Glad to help where I can. The bad guys only win if we let them!