Heartbleed Still Matters and We’re All Partly to Blame
Two months on, the Heartbleed vulnerability is still worth talking about. One thing that needs to be discussed is that you and I are partly to blame for the problems Heartbleed caused. But we can also talk about some common-sense ways we can help protect ourselves in the future.
In order to truly understand Heartbleed, let us first define what a vulnerability is, according to the Information Systems Audit and Control Association (ISACA). ISACA defines vulnerability as “a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.” In people terms, it is essentially a weakness in some process that could lead to bad things happening. Follow? Great!
Next, what is Heartbleed? On April 7, a vulnerability was identified in some implementations of the Secure Sockets Layer (SSL) protocol, called OpenSSL. An SSL protocol establishes an encrypted link between a Web server and your Internet browser. Not only does SSL encrypt your online communications, protecting your username and password, but it also helps ensure that you are connecting to legitimate websites.
So why should you care about Heartbleed? First of all, the name alone is enough to strike fear into the hearts of luddites and technophiles alike. It’s terrifying, frankly. I shiver just typing the word, and I am clutching my chest as I write this. True story.
To the everyday Internet user, the Heartbleed vulnerability can allow a hacker to connect to a Web server and steal sensitive information, which may include your user ID and password. Hackers can then attempt to use that information to log into other accounts using the same user ID and password. Fortunately for you, you don’t use the Internet that often. Oh, you do? That’s OK; you have a secure and different user ID and password for each website you log into, right? No? Let’s revisit this a little later.
Stop leaving your keys in the door
Before I get to the advice, I would like to shed some light on the underlying cause of Heartbleed, past threats and the evolving threats to come concerning user ID and password theft.
Although everyone is talking about Heartbleed, no one is talking about the fact that we are really the problem. That’s right; you and I are the problem. How is that so? The average person, by nature, tends to use really weak passwords, because they’re top of mind and easy to remember. Think spouse, children, siblings, parents, birthdays, anniversary, favorite something or other. All of these are generally easily linked back to you via almost any online profile (e.g., Facebook).
Not only do we tend to use really weak passwords that can be easily linked back to us, but we tend to reuse them for all of our website accounts, along with the same user ID on those sites. When you consider all of that, Heartbleed isn’t the main problem. We, as users, are practically leaving our keys in the door for whoever wants to let themselves in.
In a study that analyzed the Yahoo Voices password database breach and the SonyPictures.com password database breach of June 2012, it was concluded that 59% of users reused the exact password for both sites.
Heartbleed is the latest buzz in the news, currently being claimed by many as the worst thing to happen to the Internet. But there were terrible things before, and there may very well be worse things to come. The cybercriminal is evolving at a pace that, unfortunately, is not matched by online securitymeasures. If there is a silver lining to Heartbleed, it’s that threats like these are good reminders of the importance of developing strong passwords and unique user IDs for each online platform you use.
4 steps to consider when creating passwords
Is your mind running through all of the websites you frequent and cringing at the number that have the same credentials? Do you have one or two bank accounts that share the same username as one of your social media platforms? Yeah, me neither. So now that you are going through doomsday scenarios in your head, you might be screaming at the computer, asking what you can do. Well, I can help you get started with some basic advice. One of the first things you could do is visit https://lastpass.com/heartbleed, and check to see if the websites you visit are vulnerable to Heartbleed. Some of the affected sites are more common than you may think (hint: Facebook and Gmail).
Next, create new passwords. Websites often ask us to create random, complicated passwords with special characters and lots of restrictions. Following are four steps you may want to consider in developing your passwords. Your goal should be to create passwords that are strong, easy to create and easy to remember.
1. For website passwords, you may want to use the first four or five letters of the website to start the password, with one of the letters capitalized.
For example:
| Website | Password |
|---|---|
| www.amazon.com | Amaz or aMaz |
| www.creditcard.com | crEdit or creDit |
2. For added security, add the @ or other preferred symbol and a number to the first letters of the website.
For example:
| Website | Password |
|---|---|
| www.amazon.com | Amaz@1 or aMaz&2 |
| www.creditcard.com | crEdit$3 or creDit%4 |
3. Pick a phrase that is easy for you to remember but that no one else will be able to attribute to you. Use the first letter of each phrase to form an abbreviation.
For example:
| Passphrase | Password Abbreviation |
|---|---|
| “I read computerworld.com every single day” | ircesd |
| “I’m just living the dream” | ijltd |
4. Add the passphrase to the first letters of the website, the symbol and number.
For example:
| Website | Password |
|---|---|
| www.amazon.com | Amaz@1ircesd or aMaz&2ircesd |
| www.creditcard.com | crEdit$3ijltd or creDit%4ijltd |
Of course, you could also make the passphrase appropriate to the site, to make it easier to remember. For Amazon, for example, you might choose, “I love buying stuff online,” abbreviated as “ilbso.” It’s associated in your mind with that website, but it won’t be something that anyone else is likely to guess.
The four steps above or some variation of these suggestions can help you develop stronger passwords that are easy to create and remember. In general, consider creating passwords that:
- Contain at least one letter.
- Contain at least one capital and one lowercase letter.
- Contain at least one number or punctuation mark.
- Contain at least one symbol.
- Are at least eight characters long (the longer, the better).
You might want to consider using a password manager that stores all of your passwords securely. These are great tools that not only can simplify your online activities, but can also add a much higher level of security.
One final word of caution: Be wary of phishing attacks using Heartbleed as bait! ISACA defines phishing as a “type of electronic mail (e-mail) attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering.” Due to the high level of awareness in the community about Heartbleed, phishing attacks using this topic as the hook are on the rise. The same could be said about the previous or next highly publicized topic. If you don’t know the sender, or if you do know the sender but the email is uncommon for them, exercise caution.
So, there you have it! The big, bad Heartbleed bug exposed for what it is — nothing but a flaw in the system, a weakness in the design of the process. A chain in the link of what has come and what is likely to come again. With the practice of a little common sense, precaution and diversity in your passwords, you can rest easier knowing that you have an extra layer of protection from Heartbleed and its successors.
_____
Richard Salinas, CPA, is a senior consultant in Kaufman Rossin’s Business Consulting Services practice. Richard can be reached at rsalinas@kaufmanrossin.com.
Richard Salinas is a Management Chief Operations Officer at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
