Recovering from Heartbleed

Who would have thought that the very tool we all rely on to provide secure access to web sites, OpenSSL, would open the door wide to one of the biggest security risks encountered to date? How frustrating for IT professionals like ourselves who followed best security practices.

Whether your data was actually retrieved depends on many conditions, so you should assume that details like passwords may have been stolen. However, a blind reset of everything could actually make it more likely that you lose your details: a new password entered on a server that is still vulnerable can be stolen just like the old one. Reset passwords only once a provider has patched.

If you are responsible for IT in your organization you will need to take the following steps:

  1. Check with all software vendors and find out if their software is vulnerable.
  2. Apply the patch(es) recommended by your vendors.
  3. Generate a new certificate and a new key.
  4. Revoke the old certificate and retire its key (important; many are forgetting this).
  5. Restart the service (don't leave the old secrets or versions loaded).
  6. Validate you are no longer vulnerable with the numerous test scripts available.
  7. Check all your servers and services, not just the most obvious candidates. Backup servers, hot standby machines and others may still be vulnerable.
  8. Notify your users to change their passwords.
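
As an added example (not tooling from the article), the POSIX shell script below implements the host-side checks behind steps 2 and 5 on Linux: it classifies the `openssl version` string against the affected upstream range from the OpenSSL advisory (1.0.1 to 1.0.1f plus 1.0.2-beta1, a fact taken from the advisory rather than this article) and scans /proc for services that still have the pre-patch library mapped and therefore need a restart. The sample maps lines are constructed.

```shell
#!/bin/sh
# Post-patch Heartbleed checks for a Linux host. Added example, not tooling
# from the article. Two checks run offline against strings: classifying an
# `openssl version` line (steps 1-2) and spotting daemons that still map the
# pre-patch library (step 5). The live audit only runs with --live.

# Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carried the bug;
# 1.0.1g removed it, and 1.0.0/0.9.8 never had the heartbeat extension.
# Caveat: distributions backport fixes without bumping this string, so
# "vulnerable" means "confirm via the package changelog", not "confirmed".
classify_openssl_version() {
    set -- $1   # word-split "OpenSSL 1.0.1e 11 Feb 2013"; $2 is the version
    case "$2" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)                     echo patched ;;
        *)                                                echo not-affected ;;
    esac
}

# A patched libssl on disk does not help a daemon that mapped the old copy
# before the upgrade; Linux marks such mappings "(deleted)" in /proc/PID/maps.
# $1 is maps text; prints the offending lines, or nothing when clean.
stale_ssl_mappings() {
    printf '%s\n' "$1" | grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' || true
}

# Constructed sample maps lines: the first comes from a process that loaded
# libssl before the package upgrade replaced the file on disk.
SAMPLE_MAPS='7f2b1c000000-7f2b1c05f000 r-xp 00000000 08:01 393241 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2b1c25f000-7f2b1c420000 r-xp 00000000 08:01 393225 /lib/x86_64-linux-gnu/libc-2.19.so'
CLEAN_MAPS='7f2b1c000000-7f2b1c05f000 r-xp 00000000 08:01 393300 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Live audit: classify the installed OpenSSL, then list every process that
# still needs a restart (run as root so all /proc/PID/maps are readable).
audit_host() {
    echo "openssl: $(classify_openssl_version "$(openssl version 2>/dev/null)")"
    for proc in /proc/[0-9]*; do
        maps=$(cat "$proc/maps" 2>/dev/null) || continue
        if [ -n "$(stale_ssl_mappings "$maps")" ]; then
            cmd=$(tr '\0' ' ' < "$proc/cmdline" 2>/dev/null | cut -c1-60)
            echo "restart needed: pid ${proc#/proc/} ($cmd)"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Run it as `sh heartbleed-check.sh --live` on each patched host; any "restart needed" line means step 5 is not finished for that service.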

... and as long as you are changing passwords, why not take a moment to implement better password security practices and limit the damage next time? Here are a few rules of thumb:

  1. Avoid using the same password across multiple sites and services.
    That way, if Yahoo credentials are breached, hackers won't be able to jump across into your Facebook, online banking, work accounts or the like.

  2. Choose a password which is not easy to guess.
    Words with a dictionary root followed by numerals are very common choices and predictable patterns that cyber criminals can use to crack your password very quickly. Passwords should be long, phrase based and involve a balance of different types of characters: numbers, letters, capitals and ideally a few symbols.

  3. Set up password change/reset mechanisms properly, not obviously.
    Password reset forms on many services ask questions like "Where did you go to school?" or "In which year were you born?". These questions are easy to answer and can typically be mined from social media pages or the Internet; why would hackers guess your password if they can just tell a system where you went to school and how old you are? Come up with a scheme of answers to these questions that you won't forget (or store them securely) or, better still, if the service allows, specify your own difficult questions.

  4. Longer is better!
    When passwords are stolen from providers they are typically in a hashed or encrypted form, a bit like this: '5f4dcc3b5aa765d61d8327deb882cf99'. This is a hashed password representation, and using clever techniques and computing power attackers can recover the original password and log in to your account. When they steal these hashes it is only a matter of time and effort until they reveal the original. Short passwords might be guessed in seconds, minutes or hours (it depends on the implementation), whereas very long passwords could take years of work (and the cyber criminals are likely to go after someone else). Therefore making your password 60 characters makes life much harder for the cyber criminals if they do manage to break into a service like Yahoo.

  5. Use a password manager app.
    Password managers generate strong unique passwords for each of your services and then store them in an encrypted database which you can unlock with one good master password. It is a reasonable compromise for those who do not have an amazing memory but don't want to fall into the pitfall of repeating similar passwords across multiple sites.
