Protect against the Heartbleed bug: Brian Sierakowski of TeamPassword - Technical.ly Baltimore

Apr. 17, 2014 12:15 pm

Roughly two-thirds of the Web is encrypted by OpenSSL, a technology that the world learned this month suffers from one major security gap: the Heartbleed bug, which is capable of stealing passwords and personal data.
This is a guest post from Brian Sierakowski, a cofounder of password-management tool TeamPassword, which allows users to securely store long, complex passwords.
Full disclosure: Technical.ly Baltimore staff are TeamPassword users.

Roughly two-thirds of the Web is encrypted by OpenSSL, a technology that the world learned this month suffers from a major flaw nicknamed the Heartbleed bug.

When exploited, the Heartbleed bug enables a hacker to see sensitive data, like passwords and personal information, on the affected server. While many previously vulnerable websites such as Gmail, Dropbox and Facebook have since updated their services to protect from the Heartbleed bug, there is still a need for Internet users to protect themselves.

[Photo: Brian Sierakowski.]

Whenever a major security news story breaks it’s important, of course, to separate the hype from the threat. At this point it’s near impossible for the Heartbleed bug to live up to the level of hype, but that doesn’t diminish the threat.

Now that system administrators have patched their servers, there are a few ways you can improve your security.

Resetting Passwords

I’m sure you’ve received dozens of emails saying it’s a good idea to change your password, and it’s hard to say if changing all your passwords is overkill. With that said, no security professional would recommend against updating your passwords.

  • Immediately change the password on any site that sends you an e-mail. Then as you log into other services, make a habit of changing your passwords there too.
  • If you reuse the same password on many sites, stop. Update your password on every site you use that password on with a new, different password.
  • It helps a lot to have a password manager to keep track of your passwords in this process. If you’re managing your personal passwords, I’d recommend using the excellent 1Password. If you’re updating shared or business passwords, I’d recommend TeamPassword, a startup I cofounded.

Both solutions have random password generators. There’s no reason not to use a unique, complex password when you let your computer remember it for you.

Time-Based / Multi-Factor Authentication

Where possible, opt in to using two-factor authentication.

The Heartbleed bug made it possible to see a user’s username and password. Two-factor authentication (TFA) requires the attacker to also have access to your phone to log into your account.

  • TFA is a great idea on any service that has your payment information. If you remember the story of how Twitter handle @mat got hacked, or how Twitter handle @n was stolen, both could have been prevented with TFA enabled on seemingly harmless websites.
  • The same applies here. TFA throws in an extra piece of information. Even if a server leaks your six-digit code, it expires in 60 seconds and is useless.
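To show why a leaked second-factor code is worthless after its time step passes, here is an added example (not from the original post): a minimal RFC 6238 TOTP generator and verifier in Python. It assumes the six-digit code is a standard TOTP code with a 30-second step and a one-step clock-drift window; the secret is the RFC 4226/6238 test-vector key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226/6238 test-vector key ("12345678901234567890"), base32-encoded.
# Constructed for the demo only; real secrets are random and per user.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # RFC 6238 default time step (assumption for this post's codes)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // step)


def verify(secret_b32: str, code: str, now: int,
           step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Accept a code only for the current step (plus/minus `skew` steps for clock drift)."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    for delta in range(-skew, skew + 1):
        expected = totp(secret_b32, now + delta * step, step)
        # Constant-time compare so the check itself leaks nothing about the expected code.
        if hmac.compare_digest(expected, code):
            return True
    return False


def leaked_code_is_useless(secret_b32: str, leaked_at: int, replay_delay: int = 60) -> bool:
    """True if a code captured at `leaked_at` works then but is rejected `replay_delay` seconds later."""
    leaked = totp(secret_b32, leaked_at)
    accepted_now = verify(secret_b32, leaked, leaked_at)
    accepted_later = verify(secret_b32, leaked, leaked_at + replay_delay)
    return accepted_now and not accepted_later


if __name__ == "__main__":
    t = 1111111111  # RFC 6238 test-vector timestamp
    print("code at t:", totp(DEMO_SECRET_B32, t))
    print("replay after 60 s rejected:", leaked_code_is_useless(DEMO_SECRET_B32, t))
```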

Data Compromised?

In the follow-up e-mails you’ve seen since Heartbleed, it’s likely that they’ve said that there is no sign data has been grabbed by hackers. While this is true, it’s possible to exploit this bug to collect people’s personal information without leaving a trace. As such, it’s difficult for researchers to quantify how big of a problem Heartbleed has been.

  • On one hand, the attackers need a bit of luck — they’re taking a random segment of data out of the memory of an affected server. If that happened to contain your username and password, you were very unlucky.
  • The problem is that this bug has existed for several years, so a hacker who knew how to exploit Heartbleed to steal information could have done so many times. Each phishing trip they’ve taken into server data increases the odds that they get something useful.
  • The best course moving forward is constant vigilance. I would not recommend taking any service at their word that they were not compromised. I also wouldn’t jump to changing your bank account. This is where having a good understanding of what type of data you’re sending over Secure Sockets Layer (SSL) matters.

It can be hard to say what the best course of action is for you, so I’d like to offer to help. If you have any concerns or fears related to this security issue or others, please send me an e-mail and I’ll do everything I can to help get you back on track.
