The Banyan Theory Blog

Heartbleed Followup

posted by Nick

It’s been a little over a month since the Heartbleed bug was revealed. In case you missed it, I wrote an article telling you what you needed to know regarding your website and your Banyan Theory account login — mainly that they were not affected.

Now that the dust has settled, I’d like to explain how the bug works and how important it is that you change your passwords on other sites that were affected.

How Heartbleed Works

Let’s take a look at how the Heartbleed bug works. I say “works” and not “worked”, because there are still several hundred thousand web servers that have not yet been patched and are still vulnerable, and which are almost certainly being hacked right this very minute.

To put the bug in real-world terms, where computers play no role, let’s run through a simple scenario. It’s admittedly a bit contrived, but it demonstrates both the simplicity and the seriousness of the vulnerability:

You step up to the counter at your bank to make a deposit. You give the teller your five-digit account number, and she writes it down on a dry-erase whiteboard (which you can’t see) behind the counter. As she writes, she erases some things to make room. (Presumably the teller is erasing account numbers from the people who were in line before you.)

Before you deposit your money, you ask the teller to read your 5-digit account number back to you to ensure she wrote it down correctly. The teller obligingly reads back the previous 5 digits that she had written. They’re right, so you deposit your money and leave.

It probably won’t be clear to you yet, but a real-world version of the Heartbleed vulnerability is present in this simple scenario. There are two key elements:

  1. the whiteboard containing previous account numbers, and
  2. that the teller read your account number back to you from the whiteboard, trusting that your account number really is five digits (not all account numbers at this bank are the same length).

Now, let’s see how the vulnerability in our scenario can be exploited by a malicious person.

After you leave, the next man in line does the same as you – reads his 5-digit account number to the teller and asks her to read it back to him. But unlike you, he lies and tells her that his account number is 10 digits, not 5. The teller trusts the man and reads back the previous 10 digits she wrote.

And there it is. Because of the misplaced trust on the part of the teller, five of the ten digits she reads back to this person are your entire account number. And because of how it happened, nobody at the bank knows or even suspects something just went horribly wrong.

Real-World Implications

Unfortunately, Heartbleed is much more serious than just a bank teller reading back a few extra numbers. In fact, imagine the man in line behind you gave the teller a five-digit account number, then asked her to read it back to him, “reminding” her that his account number is 65,536 digits long. That’s right – account numbers from potentially thousands of accountholders.

Of course a real-world human teller would know that was a ridiculous request, but computers only know what they’re programmed to know, and things like SSL are general-purpose, having no knowledge of how they’re being used. For example, while a 65,000-digit bank account number is obviously not right, 65,000 characters of text isn’t all that much – only about 40 pages of the first Harry Potter book (not even enough to find out where Harry’s Hogwarts letters are coming from). The point is, SSL doesn’t and can’t know when something is “too long” for a particular purpose.
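The teller scenario above, and the point that SSL cannot know which length is “too long”, as an added example in C (not code from the original post or from OpenSSL): a small “whiteboard” array stands in for server memory, a heartbeat struct carries both the bytes actually received and the length the sender claims, and the vulnerable handler trusts the claim while the fixed one drops any request whose claim exceeds what really arrived, which is the shape of the actual fix. All names, the account numbers and the leftover data on the board are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the Heartbleed mistake (added example, not the post's code).
 * The board stands in for server memory: a new request is written at the front,
 * and whatever earlier transactions left behind sits right after it. */
#define BOARD_SIZE 64
static char board[BOARD_SIZE];

/* Leave the board the way the previous customer's transaction left it
 * (constructed leftover data: their account number and looked-up balance). */
static void reset_board(void) {
    memset(board, '.', BOARD_SIZE);
    memcpy(board + 5, " acct:55555 bal:1250.00", 23);
}

struct heartbeat {
    const char *payload;  /* bytes actually received */
    size_t actual_len;    /* how many bytes really arrived */
    size_t claimed_len;   /* length field inside the message, chosen by the sender */
};

/* Vulnerable teller: writes the payload down, then reads back claimed_len bytes
 * without checking the claim against what actually arrived. */
static size_t heartbeat_vulnerable(const struct heartbeat *hb, char *out, size_t out_size) {
    size_t n = hb->claimed_len;
    if (hb->actual_len > BOARD_SIZE) return 0;
    memcpy(board, hb->payload, hb->actual_len);
    /* The demo clamps to its own array only to stay well-defined; the real bug
     * had no such limit and read on into whatever heap memory came next. */
    if (n > BOARD_SIZE) n = BOARD_SIZE;
    if (n > out_size - 1) n = out_size - 1;
    memcpy(out, board, n);
    out[n] = '\0';
    return n;
}

/* Fixed teller: a claim that exceeds what was received is dropped with no
 * reply at all, so nothing beyond the received bytes is ever read back. */
static size_t heartbeat_fixed(const struct heartbeat *hb, char *out, size_t out_size) {
    size_t n = hb->claimed_len;
    if (hb->actual_len > BOARD_SIZE) return 0;
    if (hb->claimed_len > hb->actual_len) return 0;   /* the missing bounds check */
    memcpy(board, hb->payload, hb->actual_len);
    if (n > out_size - 1) n = out_size - 1;
    memcpy(out, board, n);
    out[n] = '\0';
    return n;
}

int main(void) {
    char reply[BOARD_SIZE + 1];
    struct heartbeat honest = { "66666", 5, 5 };   /* claim matches what was sent */
    struct heartbeat lying  = { "66666", 5, 28 };  /* claims far more than was sent */

    reset_board();
    heartbeat_vulnerable(&honest, reply, sizeof reply);
    printf("honest request, vulnerable teller: \"%s\"\n", reply);

    reset_board();
    heartbeat_vulnerable(&lying, reply, sizeof reply);
    printf("oversized claim, vulnerable teller: \"%s\"\n", reply);

    reset_board();
    size_t n = heartbeat_fixed(&lying, reply, sizeof reply);
    printf("oversized claim, fixed teller: %zu bytes returned\n", n);
    return 0;
}
```

The oversized request gets back its own five digits followed by the previous customer’s account number and balance, exactly the leak the analogy describes; the fixed handler’s only change is one comparison of the claimed length against the received length.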

OK, How Does This Affect Me?

In the bank scenario, the vulnerability affects you if you have been to the bank in the past two years and your bank’s tellers were too trusting (i.e., the bank was vulnerable to the Heartbleed bug).

In the real world, if you logged in to any online service in the last two years, and that service was vulnerable to Heartbleed, then it’s possible your information was leaked. This includes not just the information you sent (like your username and password), but also anything the computer “thought” about while you were logged in (like your account balance).

In our bank scenario, the teller might have written down your account balance after looking it up so that she could reference it while processing your transaction. That balance, along with your account number, would have then been given to the man in line behind you (when he claimed to have a very long account number). This is how “secret” information (that the teller had but never discussed with you) can be leaked.

This is why it is crucial that you change the passwords for all of your online accounts where anything sensitive is stored. Any account with access to your money or credit certainly qualifies.

There are two caveats to this: (1) you only need to change your passwords for services that were vulnerable, and (2) you should only change your password on a particular site after verifying that site is no longer vulnerable to Heartbleed.

How Do I Know If a Service *Is* Vulnerable?

Here at Banyan Theory we use 1Password to store our passwords. As a response to Heartbleed, the software got a new feature called Watchtower that tells you which passwords need to be changed.

Watchtower is currently only available for the Mac version of 1Password, but the company behind it says it’s coming to the Windows version soon.

How Do I Know If a Service *Was* Vulnerable?

The best way to know whether a service was vulnerable is to find out from them directly. Many of them posted to their blogs, to Facebook, and to Twitter, to let people know whether or not they were affected by Heartbleed. If they were, they will most likely by now have posted followup notices to inform you that they have patched their servers and are no longer vulnerable.

Bottom Line, What Should I Do?

By now, it’s almost certain that any financial website has fixed things on their end if they were vulnerable. Check their blog or Facebook/Twitter feeds for any announcements, and then change your passwords if necessary.
