News broke yesterday morning, April 9, 2014, about a software security issue affecting many servers on the internet — servers that billions of people routinely log into using username/password credentials. This has already been described as “the worst breach of internet security ever.”
This blog post is intended to help Oakley Studio clients understand the security issues involved, and makes specific recommendations about how to protect usernames and passwords.
The affected software is “OpenSSL,” specifically version 1.01. This software is used on web and email servers as well as on some other computers and devices such as smart phones that use network connections to communicate with servers over the internet.
Based on the software’s release history, this vulnerability has existed for approximately two years.
OpenSSL on a server is responsible for establishing a secure encrypted connection with other computers, and quite often a request for a username and password is part of the “handshake” that happens once the encrypted connection is set up. Your username and password are supposed to be protected because they are sent over that encrypted connection.
The vulnerability that was discovered this week could potentially be exploited by “snooping” software designed to capture data passing along any part of the internet connection between a computer and a server. Normally that would not be a security issue, because the connection is encrypted. But apparently there is a way to request additional information about the connection itself, including usernames and passwords, and the private keys used by the server to perform the encryption.
Oakley Studio Web/Email Server – NOT VULNERABLE
Oakley Studio, LLC is in the business of operating a web & email server on which client web sites are hosted. Some of the services we provide — including email, webmail, traffic reports, ecommerce, web site file access, secure FTP, and our proprietary “OS Control Desk” and “OS Secure Ecommerce” services — use OpenSSL for encrypting the connections to the server and protecting usernames and passwords.
Our server is an Apple Macintosh Server, running up-to-date server software. Fortunately, Apple uses a version of OpenSSL in their Mac OS operating system that does not contain this security vulnerability. The version of OpenSSL used by Apple (v0.9.8y) is actually an earlier branch of the OpenSSL software development from July 2005, and has almost certainly undergone further modifications by Apple.
Mac computer users should not worry that their Macs contain this OpenSSL vulnerability — they do not. But there may be other causes for concern.
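The post's point that the bug lives in one OpenSSL release line and not in Apple's older 0.9.8 branch can be checked on any server from the banner printed by `openssl version`. The following classifier is an added example, not code from the original post; it assumes, as facts outside the post, that OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 preview carried the bug, that 1.0.1g was the first fixed release, and that the 0.9.8 and 1.0.0 branches never contained the heartbeat code.

```python
import re
import subprocess

# Assumption (not stated in the post): 1.0.1 .. 1.0.1f and 1.0.2-beta1 are the affected
# releases, 1.0.1g is the first fixed one, and anything older than 1.0.1 never had the code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_version(banner: str):
    """'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e', ''); None if the banner is unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, beta or "")


def heartbleed_status(banner: str) -> str:
    """Classify a banner as 'not-affected', 'vulnerable-by-version', 'fixed' or 'unknown'."""
    v = parse_version(banner)
    if v is None:
        return "unknown"                 # e.g. LibreSSL, or a banner we cannot parse
    major, minor, fix, letter, beta = v
    base = (major, minor, fix)
    if base < (1, 0, 1):
        return "not-affected"            # e.g. Apple's 0.9.8y, which predates the heartbeat code
    if base == (1, 0, 1):
        # patch letters sort alphabetically: '' (plain 1.0.1) and 'a'..'f' are affected, 'g'+ fixed
        return "vulnerable-by-version" if letter <= "f" else "fixed"
    if base == (1, 0, 2) and beta == "-beta1":
        return "vulnerable-by-version"
    return "fixed"


def local_status() -> str:
    """Run `openssl version` on this machine and classify the result."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "unknown"
    return heartbleed_status(out)


if __name__ == "__main__":
    print(local_status())
```

The result is deliberately "vulnerable-by-version" rather than "vulnerable": Linux distributions commonly backport the fix without changing the version string, so a hit should be confirmed against the vendor's package changelog before concluding anything.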
Password Reset Guidelines
If you’ve been using a username/password to log in to any of the Oakley Studio services (mentioned above) AND you use that same username/password for secure logins elsewhere on the internet, then your credentials may still have been compromised, which potentially puts your Oakley Studio secure service logins at risk. In our view, this risk is minimal. However the prudent thing to do would be to choose a new password for your Oakley Studio logins, and NOT use the same credentials anywhere else.
If you have been using the same password for years, it’s a good idea to change it anyway.
At this time, Oakley Studio does not have web-based “password reset” automation in place for creating a new password without webmaster assistance. (We did some development work in this area several years ago, but deemed it too disruptive to implement at the time. Under the circumstances, we may be moving that project off the backburner.)
Oakley Studio has a small clientele. We will be handling password resets personally on an individual basis — so you can look forward to a call from your webmaster within the next few days. We request that you have a new password ready. Do not email your new password!
Here are some guidelines for devising a secure password. Remember, passwords are case-sensitive.
First, here’s what NOT to do:
- Do not use words in your password that can be found in a dictionary.
- Do not use your own name or your username as a password.
- Do not use names of other family members as easy-to-remember passwords. Names of family pets probably should not be used either.
- Do not use simple keyboard sequences like “12345” or “qwerty.”
For strong passwords:
- Use no less than 8 characters. More is better.
- Use both upper- and lower-case characters in your password. (Upper-case letters can be anywhere in the password, not only at the beginning.)
- Use at least one number in your password. More is better.
- Use at least one non-alphanumeric character. ( ! # $ % _ – + : ? )
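The guidelines above can be applied mechanically before a new password is accepted. The checker below is an added example, not code from the original post; the word list is a small constructed sample standing in for a real dictionary file, and the keyboard rows assume a US layout.

```python
# Constructed sample word list (assumption) standing in for a real dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "secret"}
# Adjacent keys on a US keyboard, used to spot sequences like "12345" or "qwerty".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def contains_keyboard_sequence(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len or more adjacent keys from one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in low:
                    return True
    return False


def contains_dictionary_word(pw: str, words=DICTIONARY_WORDS, min_len: int = 4) -> bool:
    """True if any word of min_len+ letters from the list appears inside pw (case-insensitive)."""
    low = pw.lower()
    return any(len(w) >= min_len and w in low for w in words)


def check_password(pw: str, username: str = "", personal_names=()) -> list:
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("needs at least one non-alphanumeric character")
    if username and username.lower() in low:
        problems.append("contains the username")
    for name in personal_names:          # own name, family members, pets
        if name and name.lower() in low:
            problems.append("contains a personal name: " + name)
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if contains_keyboard_sequence(pw):
        problems.append("contains a keyboard sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("12345", "Dragon2014!", "Gx7!mqzPv2#k"):
        print(repr(candidate), check_password(candidate, username="alice") or "OK")
```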
Vulnerable Sites/Servers on the Internet
Many major sites online are affected by this OpenSSL vulnerability, including yahoo.com, gmail.com, flickr.com, fool.com, squidoo.com, dreamstime.com, and thousands more. A page at the open-source developer site github.com appears to have the most complete list of vulnerable sites. You can use your browser’s “Find” command on that page to search for sites you regularly log into.
There is also now a site where you can check your own domain name (or any other domain names) to see if they are vulnerable.
From Mashable: a list of Social Networks, Email, Stores and Ecommerce, Banks and Brokerages.
If you have logins at any of the vulnerable sites, seek their guidance as to when/if/how you should proceed with password resets. Check to see if the company has posted any information regarding their response to “Heartbleed” or “CVE-2014-0160”. This could be via a blog entry, news feed, email distribution, or other means of user contact.
On Your Smart Phone
Do you own an iPhone or other “smart phone” that uses “apps” to connect to servers on the internet? Those apps and passwords may also be at risk. Think about every app on your phone — does it need a password before you can use it? Is it connecting to the internet? Developers of at-risk apps will need to issue updated versions. Be proactive — visit their web sites and see what they say.
What About WordPress?
Oakley Studio clients with WordPress blogging web sites are NOT at risk. WordPress does not use OpenSSL. WordPress login credentials are protected in transit by other means. It’s worth noting that connections to your WordPress Dashboard are not encrypted. But aside from your login credentials (which are encrypted prior to transmittal), there is little need for encryption since nearly everything you type is intended to be published. Users of the WordPress eShop plug-in for ecommerce need not worry either: all credit card transactions are handled by PayPal on their own web site, not on your blog, and PayPal is not vulnerable.
That said, you should not be logging in to your WordPress site with a username/password that you use anywhere else, for reasons already described above.
Links to More Info
From The Unofficial Apple Weblog (TUAW): Why the OpenSSL Heartbleed bug doesn’t affect OS X or OS X Server
From Tech Crunch: Heartbleed, The First Security Bug With A Cool Logo
And Why is it called Heartbleed anyway?