Heartbleed Bug: “The Potential Impact is Pretty Nasty,” Says PasswordBox Expert, But Here’s How You Can Be Safe

The notorious Heartbleed bug, which can potentially compromise a lot of people’s personal information, was publicly disclosed about 36 hours ago, and it seems everyone has been talking about the security flaw for the past day.

We just got off the phone with PasswordBox’s chief security officer (and a former CTO at Telus), Richard Reiner. While the “potential impact of the issue is pretty nasty”, potentially leading to “the disclosure of all sorts of things that individuals and businesses don’t want disclosed,” the CSO did explain what ordinary Internet folk can do to protect themselves.

First, a little about the Heartbleed bug: on Monday researchers revealed a security flaw in OpenSSL, the open-source cryptographic library that the majority of sites on the web use to implement SSL/TLS, the protocol that protects data users want to keep secure. OpenSSL gives users a “secure line” to the server or person they’re communicating with, whether it be via the web, email or chat.

From Business Insider, “Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, so it will send out what’s known as a heartbeat, a small packet of data that asks for a response.

Because of a programming error in the implementation of OpenSSL, the researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end of a connection into sending over data stored in its memory.”
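To make the mechanism above concrete, here is a stripped-down C model of a heartbeat handler, written for this article and not taken from OpenSSL or from PasswordBox. The record layout follows the heartbeat extension (one type byte, a two-byte length, the payload, then at least 16 bytes of padding); everything else, including the function names, the “secret” string and the simulated block of server memory, is constructed for the demonstration. The vulnerable handler trusts the length field the peer sends and copies that many bytes from wherever the payload happens to sit; the fixed handler refuses any request whose claimed length does not fit inside the bytes actually received, which is the shape of the real fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record body (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Added illustration; not OpenSSL's code. Names and data are made up. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     (64 * 1024)

/* Simulated server process memory. The received record is placed at the
 * start; a constructed "secret" from another session sits a little after it,
 * standing in for whatever the real heap held. Keeping the over-read inside
 * this buffer is what makes the demo itself well-defined. */
static unsigned char g_mem[MEM_SIZE];
static const char SECRET[] = "session=abc123;password=hunter2";

/* Write a heartbeat request whose length field CLAIMS `claimed` payload
 * bytes while only `actual` bytes are really present. Returns bytes written. */
size_t build_request(unsigned char *rec, uint16_t claimed,
                     const unsigned char *payload, size_t actual) {
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Pre-fix behaviour: trusts the peer-controlled length field and echoes
 * `claimed` bytes starting at the payload, however many bytes the record
 * really contained. Returns the response length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap) {
    (void)rec_len;                        /* never consulted: that is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t out_len = 3 + (size_t)payload + HB_PADDING;
    if (rec[0] != HB_REQUEST || out_len > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);   /* over-read into adjacent memory */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out_len;
}

/* Fixed behaviour: header, claimed payload and padding must all fit inside
 * the record that was actually received, otherwise the message is dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;       /* too short to parse */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the fix */
    size_t out_len = 3 + (size_t)payload + HB_PADDING;
    if (rec[0] != HB_REQUEST || out_len > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out_len;
}

/* Portable substring search over a byte buffer (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Send one malicious heartbeat (4 real bytes, length field claiming 16 KiB)
 * through `handler`. Returns 1 if the response contains the planted secret. */
int run_attack(size_t (*handler)(const unsigned char *, size_t,
                                 unsigned char *, size_t)) {
    static unsigned char resp[MEM_SIZE];
    memset(g_mem, 0, sizeof g_mem);
    memcpy(g_mem + 256, SECRET, sizeof SECRET);       /* "other" data in RAM */
    size_t rec_len = build_request(g_mem, 0x4000, (const unsigned char *)"ping", 4);
    size_t n = handler(g_mem, rec_len, resp, sizeof resp);
    return n > 0 && contains(resp, n, "password=hunter2");
}

/* Sanity check: a well-formed request is still echoed by the fixed handler.
 * Returns the response length (23 for a 4-byte payload), 0 on rejection. */
size_t fixed_echoes_honest_request(void) {
    unsigned char rec[64], resp[64];
    size_t rec_len = build_request(rec, 4, (const unsigned char *)"ping", 4);
    size_t n = heartbeat_fixed(rec, rec_len, resp, sizeof resp);
    return (n == 23 && memcmp(resp + 3, "ping", 4) == 0) ? n : 0;
}

int main(void) {
    printf("vulnerable handler leaked secret: %d\n", run_attack(heartbeat_vulnerable));
    printf("fixed handler leaked secret:      %d\n", run_attack(heartbeat_fixed));
    printf("fixed handler echo length:        %zu\n", fixed_echoes_honest_request());
    return 0;
}
```

The only difference between the two handlers is the single length comparison in `heartbeat_fixed`; the vulnerable one returns whatever happened to sit in the 16 KiB after the request, which in this constructed memory includes the planted credential.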

So, the flaw was reported privately to the OpenSSL team by a Google researcher shortly before the public disclosure, and was found independently by the security firm Codenomicon. The bug had been in the code for about two years.

OpenSSL is part of the fundamental security structure of the Internet, used in “more or less any product you can think of that has a security aspect,” said Reiner. “It’s the go-to crypto library and as a result, when there is a fault found in it, and this is a big one, nearly everyone is exposed and is scrambling around to fix that.”

The situation is indeed grim at the moment: web servers keep a great deal of information in memory, including user names, passwords, session content and even credit card numbers, and each malicious heartbeat can pull back up to 64 KB of it. “But worse even than that, the flaw has made it possible for hackers to steal encryption keys, the codes used to turn gibberish encrypted data into readable information,” wrote Business Insider.

Ok, so what can I do about it?

“If someone was in a cautious mood they might want to go around and change some of their passwords, as many ecommerce owners and website owners are changing the cryptographic keys that they use in their SSL certificates, they’re refreshing the certificates with new keys because it’s possible that those were exposed,” Reiner told BetaKit.

“I think it’s reasonable for a site owner to do that because the impact of one of those sites being exposed is across millions of individuals, even if there’s no hard evidence it was being exploited. If you’re responsible for hundreds of millions of people, you might want to just take the hour out of your day and do that. For individuals it’s not bad advice to say that people should change some of their passwords.”

One caveat follows from that order of operations: a password changed on a site that has not yet patched OpenSSL and reissued its certificate can be captured the same way as the old one, so the new password only helps once the site has been fixed.

Were PasswordBox users affected?

Reiner works for PasswordBox, a password manager that works across all devices and gives users one “master password” that they use to sign on, for easy access to any sites they use. It encrypts the stored credentials so that all of a user’s passwords are kept safe.

Reiner said the startup was “very pleased with how our systems performed.”

“We were not at any time vulnerable to this issue, unlike more or less everybody out there, and we are big believers in a multiple layer of built-in suspenders approach to security. We don’t believe in allowing there to be single points of failure when it comes to security, and there’s no one component that we’re relying on no matter how widely used it is and how trusted it may be, because cases like this happen.”

He added that this kind of situation does arise regularly, as a lot of the security infrastructure of the Internet is rather fragile. “We think we make a contribution to strengthening that.”

Joseph Czikk

Joseph Czikk is Managing Editor at BetaKit. Prior to BetaKit, Joseph wrote for the National Post, Montreal Gazette, Vancouver Sun, Regina Leader Post, Techvibes and BC Business Online. Joseph often goes crazy on Twitter during NHL and NFL games.