10 Apr 2014

Heartbleed: why you should change passwords

This is about an obscure but vital piece of internet architecture called SSL, or Secure Sockets Layer. Despite the fact that it underpins much of the internet security you take for granted, for example, internet banking, you may not have heard of it. Perhaps news of a serious flaw in this system will encourage more people to get a grip on the technology that’s playing an increasingly pivotal role in our lives.


Here’s how it works, in layman’s terms: when you visit the website of your bank, email provider, or any service which requires a bit of secrecy, your computer opens up a private tunnel through which to send traffic back and forth, so that no-one can snoop on the information.

This tunnel is the Secure Socket Layer (SSL). You can tell when it’s active because, in most internet browsers, a padlock symbol will appear next to the website address. The keys to that tunnel are held by a third party, which means they can be accessed by both your computer and the website you’re accessing, be it your bank, email provider, or whoever.

OpenSSL is one of the main providers of those keys. Some earlier versions of their system have been found to be vulnerable to attack, nicknamed Heartbleed, meaning a hacker can get the keys to a user’s private tunnel, and hoover up the sensitive information passing through it, such as login names and passwords.

It’s bad news, and yes, changing passwords is a good idea. But there are a few reasons to be level-headed. Firstly, it only affects earlier versions of OpenSSL, so companies who regularly update their software are safe.

Secondly, now that the vulnerability is known, companies are rapidly patching their systems to secure against it.

But here’s the odd thing about this story: generally when a hacker discovers a flaw like this, they sell it to one of the main cybercrime gangs, who abuse it as much as they can. At some point, news of its existence leaks out, at which point the wider criminal community start exploiting the vulnerability.

Eventually it gets into the hands of low-level operators, who post the hacked information on forums, tipping off law enforcement agencies and security firms who then start advising companies on how to plug the holes in their security.

What’s odd is that this OpenSSL problem has reportedly existed for two years, and has only just become public. That makes me think of two potential explanations: one, that the vulnerability was never discovered by the criminal community, in which case we’ve dodged a bullet. That’s the optimistic explanation.

Here’s the pessimistic one: the vulnerability was kept a carefully guarded secret by one cybercrime gang or group of gangs who’ve been systematically milking it for two years to hoover up gigabytes of sensitive traffic and perpetrate fraud and identity theft on an epic scale.

Regardless of whether you see the glass as half full or half empty, changing passwords is worth doing, and to be honest, it’s something you should probably do every six months or so anyway. It’s a pain, I know, but to quote Thomas Jefferson and others, “the price of freedom is eternal vigilance”.

A strong password includes upper and lower case letters and numbers, and should be unique to the account. Non-dictionary words are best: for example, take the first letter from each word in a line from your favourite song or book.

So for example, “Romeo Romeo wherefore art thou Romeo” would become ‘rrwatr’. Add a number that’s significant for you, perhaps the first ascent of Everest in 1953. That gives you ‘rrwatr1953’.

You also need to make a unique password for each site, which sounds like a hassle, but you can simply amend the same password, for example ‘BOOKrrwatr1953’ for Facebook, ‘TWEETrrwatr1953’ for Twitter, etc.
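The recipe above, written out as a small script. This is an added example, not code from the article: it builds the phrase-based core, appends the number, adds the per-site tag, checks the result against the stated rules (upper case, lower case, numbers), confirms the per-site passwords are unique, and also reports the portion all of the site variants have in common, which is the part worth noticing when reusing one core across sites.

```python
# Added example, not part of the original article. Implements the
# password recipe from the text and checks the results it produces.
import os
import string


def derive_password(phrase: str, number: str, site_tag: str = "") -> str:
    """First letter of each word in `phrase` (lower-cased), then `number`,
    with an optional site tag in front, as the article describes."""
    words = [w.strip(string.punctuation) for w in phrase.split()]
    core = "".join(w[0].lower() for w in words if w)
    return f"{site_tag}{core}{number}"


def meets_stated_rules(password: str) -> bool:
    """The article's rules: upper- and lower-case letters and numbers."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def site_passwords(phrase: str, number: str, site_tags: list) -> dict:
    """One password per site, using the same core and number."""
    return {tag: derive_password(phrase, number, tag) for tag in site_tags}


def all_unique(passwords: dict) -> bool:
    """True when no two sites end up with the same password."""
    return len(set(passwords.values())) == len(passwords)


def common_suffix(values: list) -> str:
    """Longest trailing string shared by every password: the reusable part
    that stays the same across sites when only the tag changes."""
    if not values:
        return ""
    return os.path.commonprefix([v[::-1] for v in values])[::-1]


if __name__ == "__main__":
    phrase = "Romeo Romeo wherefore art thou Romeo"   # from the article
    pws = site_passwords(phrase, "1953", ["BOOK", "TWEET"])
    for tag, pw in pws.items():
        print(tag, pw, "rules ok" if meets_stated_rules(pw) else "rules NOT met")
    print("unique across sites:", all_unique(pws))
    print("shared part:", common_suffix(list(pws.values())))
```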

Follow @geoffwhite247 on Twitter



5 reader comments

  1. Chris Morris says:

    I take issue a bit with the phrase “generally when a hacker discovers a flaw like this, they sell it to one of the main cybercrime gangs”. This isn’t a generalization that should be made lightly. Hacking can be split into two, let’s say, moral tapestries. White hat hackers are hired to deliberately find weaknesses, so that the person(s) who commissioned them can find a way to fix it, and therefore make the system more secure. Black hat hackers are the opposite, they break into systems for nothing other than malicious intent. I just thought it would be useful to include such a distinction, since no doubt many white hat hackers are involved in ensuring the security of systems everywhere.

  2. Chris Kimpton says:

    Only change your password after the issue has been fixed per website… The problem is knowing which sites were affected and whether they have fixed the issue. You might change your password on site X but if they fix the issue afterwards, then your new password is compromised too. :(

  3. Terry G says:

    This article contains several inaccuracies that need to be addressed.

    “OpenSSL is one of the main providers of those keys. ”
    OpenSSL is a protocol – not a provider

    “Firstly, it only affects earlier versions of OpenSSL, so companies who regularly update their software are safe”
    That’s not true. Simply patching the version of openssl isn’t enough. In this case, companies that didn’t update their software were protected from this vuln. It affected recent versions of openssl – *not* earlier ones.

    Then there’s a fanciful section on how security vulnerabilities are handled.

    And a part on good password practice. Which, while useful, is utterly irrelevant to the issue.

    Changing your password is no defence to this vulnerability. It could, for obvious reasons, make matters worse.

  4. Al Chapman says:

    I’m afraid this statement is incorrect:
    “Firstly, it only affects earlier versions of OpenSSL, so companies who regularly update their software are safe.”

    The bug was a part of the OpenSSL software from early 2012 up to last Monday, 7th April.

    Ironically, companies who are lax at updating their software may also be safe – from this particular issue – as they may have never updated to the flawed version. Companies who regularly update could have been exposed to the security hole for a little more than two years.

    Change your passwords, keep them unique, and consider software like LastPass or KeePass if, like most of us, you’re bad at remembering three dozen random strings of 5 to 16 alphanumeric and symbol character strings.

  5. Michael says:

    It is reported that the NSA knew of this vulnerability soon after the flawed OpenSSL was released in 2012 but exploited it for its own use.

Comments are closed.