Heartbleed. It’s going to go down in history as one of the worst bugs ever. Heartbleed could give hackers access to user passwords and even trick people into using fake versions of popular Web sites.
Security engineers at Codenomicon who found the bug are reporting that the vulnerability is in the OpenSSL cryptographic library. The weakness, they said, steals information typically protected by the SSL/TLS encryption used to secure the Internet.
But is changing all your passwords the right response? According to independent security analyst Graham Cluley, it’s not always the best move.
“The danger is that if you change your passwords before a Web site has been fixed, you might actually be exposing your credentials to greater risk of being snarfled up by people exploiting the vulnerability in the buggy versions of OpenSSL,” he wrote in a blog post. “Don’t forget -- there are an awful lot more people now testing to see how well the vulnerability can be exploited now that details are public. Sadly, mainstream media are proving to be a little guilty of parroting the advice of the likes of Tumblr.”
Back to Online Identity Basics
We caught up with Matt Willems, a labs engineer at security software firm LogRhythm, to get his take on the password issue. He told us, first of all, that Heartbleed allows attackers to see a portion of the contents of memory of the vulnerable server.
“This may be garbage or useless data, but it could be usernames and passwords of users and administrators or other sensitive data,” Willems said. “This particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable.”
As Willems sees it, the strongest advice is to follow normal best practices for online identity information. That, he said, means changing your passwords regularly and if an online service says your information may be at risk, follow their directions.
“Service providers and anyone using OpenSSL should immediately upgrade to OpenSSL 1.0.1g. Both open source and commercial software have seen these types of vulnerabilities in the past and will continue to in the future,” Willems said. “One of the big differences is that open source software vulnerabilities tend to be discovered by a community and quickly patched while commercial software vulnerabilities are often patched behind the scenes.”
A Recipe for Disaster
We also turned to Mike Gross, global risk strategy director at IT security firm 41st Parameter, to see where he stands on the password change issue. He told us the solution is not a simple silver bullet fix or inconvenient password reset that will undoubtedly generate its own set of customer service costs and issues.
“Top global sites should be extra vigilant for an expected rush of fraud-staging activities and social engineering attempts through call centers as fraudsters take advantage of an elevated volume of password resets to fit into the 'noise of the crowd,'" Gross said. “The answer is additional layered security through a continuously refined set of 'locks' that immediately identify fraudulent access attempts, so organizations can protect their invaluable customer relationships.”
From Gross’ perspective, device intelligence coupled with a powerful risk engine is one critical component of this layered approach -- and it's already in place at several of the top global banks, e-commerce merchants, and airlines to help defend against exactly this type of widespread vulnerability.
“With the abundance of compromised data from recent breaches,” he concluded, “relying solely on usernames and passwords, accurate identity information, and basic step-up authentication to protect consumers at login or the point of transaction is a recipe for disaster without visibility into attacks across the entire online estate.”