Did Heartbleed Teach Us Anything?

A few weeks ago, the internet lit up with stories about the Heartbleed security flaw. Many people misrepresented it as some sort of virus, but that is not what it was at all. Heartbleed was a flaw in a very widely used open source library, OpenSSL. It is estimated that more than 500,000 web sites were using the vulnerable version of the software at the time the flaw was made public. These are big sites too – pretty much any eCommerce site you use regularly, or any site you log into securely, was likely using the software.

The bottom line of the flaw was that it allowed attackers to read the memory of affected servers. What is stored in that memory? Just little things like usernames, passwords and credit card information – exactly the things you struggle to protect. The other scary part was that attackers could also capture the digital keys used to encrypt this data and keep it secure. Talk about the keys to the castle!

The fix was pretty simple: it just required a quick patch to the vulnerable software. The problem, however, was that there was and is no way of knowing which servers were compromised and what data was stolen. The exploit left absolutely no traces. Plus, if you panicked and changed your account information before the patch was applied, your new account information was just as vulnerable as the old.

So what can we learn from this, and what can we do about it? Well, the first thing you need is a strong password. And I mean a different, really strong one for every site you access. Ideally, you should use some sort of password management tool, with a random password generated for each site you log into. A program like LastPass offers a great solution for this. LastPass is a free tool you install onto your computer. When you create a new password, it will randomly generate a very complex password for you and then store it. It will then autofill it whenever you return to the site. LastPass itself is protected by one master password you select (make it very, very complex), and it will follow you from machine to machine, wherever you install the software and log in. The benefits of having different, complex passwords across all your sites are immeasurable. As an added bonus, LastPass proactively tested all your stored websites and alerted you if any of them were vulnerable to Heartbleed and needed to be updated.

The next thing you need to embrace is two-factor authentication. There are a couple of ways websites are doing that these days. First is the traditional method. I use an online wallet called Coinbase to store my bitcoins. Any time I try to log in, I enter a username and password. I then get a text message from the site with a one-time use code. I need to enter that code to log into the site. Someone would need not only my username and password, but also my cell phone, to break into my account.

Another creative way some websites are embracing two-factor authentication is by only allowing you to log in from known computers. My bank does this. If I get a new computer and try to log into my account, I will get a message that I am accessing from an unknown machine. I will then get the same kind of one-time use login code as in the previous example, and once I enter the code, I am allowed to log in. I also have the option of remembering that computer (if it is mine) or not (if it is public). This approach pretty much prevents someone from accessing your account with stolen credentials from a computer you don't use.
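As an added illustration of the second login step described in the two paragraphs above, the following Python (written for this page, not code from Coinbase, the bank or any product named here) models the server side of a one-time code with an expiry, a guess limit and single use, plus the "remember this computer" token that lets a known machine skip the code. The constants, the class name and the explicit `now` clock parameter are assumptions made for the example.

```python
import hmac
import secrets

CODE_TTL_SECONDS = 300             # a one-time code is valid for five minutes
MAX_CODE_ATTEMPTS = 3              # after that the code is discarded and must be reissued
DEVICE_TOKEN_TTL = 30 * 24 * 3600  # a remembered computer stays trusted for 30 days


class SecondFactor:
    """Second login step after the password check; `now` is the caller's clock (time.time())."""

    def __init__(self):
        self.pending = {}          # username -> [code, expiry, attempts]
        self.trusted_devices = {}  # device token -> (username, expiry)

    def issue_code(self, username, now):
        # 6-digit code from a CSPRNG; the caller delivers it out of band (e.g. SMS).
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [code, now + CODE_TTL_SECONDS, 0]
        return code

    def verify_code(self, username, submitted, now):
        # True exactly once per issued code, and only within its lifetime.
        entry = self.pending.get(username)
        if entry is None:
            return False
        entry[2] += 1
        if now > entry[1] or entry[2] > MAX_CODE_ATTEMPTS:
            del self.pending[username]               # expired or too many guesses
            return False
        if not hmac.compare_digest(entry[0].encode(), submitted.encode()):
            return False                             # constant-time compare; code stays pending
        del self.pending[username]                   # single use: consumed on success
        return True

    def remember_device(self, username, now):
        # Mint the token a trusted browser keeps (e.g. in a Secure, HttpOnly cookie).
        token = secrets.token_urlsafe(32)
        self.trusted_devices[token] = (username, now + DEVICE_TOKEN_TTL)
        return token

    def device_is_known(self, username, token, now):
        # Known computer: the code step can be skipped. Expired or foreign tokens fail.
        entry = self.trusted_devices.get(token)
        if entry is None:
            return False
        owner, expiry = entry
        if now > expiry:
            del self.trusted_devices[token]
            return False
        return hmac.compare_digest(owner.encode(), username.encode())
```

A real deployment would persist both dictionaries and deliver the code over the out-of-band channel; the logic above is the part that decides whether the second step passes.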

I will no longer do business with a company that does not embrace one of these approaches when it involves storing and protecting highly sensitive data. It is time to get educated and understand the risks associated with protecting important data, both inside the enterprise and in your day-to-day life. I have said it many times and will continue to beat the drum – simple, insecure passwords reused at every site you access are a recipe for disaster. You are literally asking to have your credit cards, banking information or your identity stolen. These crimes are becoming increasingly difficult to stop – don't make it any easier than it needs to be!