Managing risk from cyber attacks
This article describes how individuals and organizations can reduce their exposure to cyber attacks, using the Heartbleed bug as its running example.
The Heartbleed bug (CVE-2014-0160) is a flaw in OpenSSL, the widely used cryptographic library with which a large share of web servers, mail servers and network devices implement TLS. A missing length check in the TLS heartbeat extension lets an attacker read up to 64 KB of the affected process's memory per request, without authenticating and without leaving a trace in ordinary logs; that memory can contain session cookies, passwords and the server's private key. A description of the bug is available on Wikipedia. This article on Wikiversity is being developed to help people determine their exposure and make informed decisions about what steps they should take to protect themselves. The discussion is here because Wikiversity's mission is to distribute training materials and support collaborative research, both of which are officially disallowed on Wikipedia.
First and foremost, do not log into a web site without first evaluating your risk. For Heartbleed, John Miller, security research manager for TrustWave, advised people not to log into a site without first confirming that the site does not have the Heartbleed bug.[1] Logging into a site that is still vulnerable hands an attacker your credentials all over again.
Several free services are available to determine whether a particular web site is running software containing the Heartbleed bug. Qualys SSL Labs' SSL Server Test is particularly useful because it checks for the Heartbleed bug and several other TLS weaknesses in one run, and it reports the certificate's validity dates, which show whether the site replaced its certificate after patching. You can use its results to encourage the services you use to improve their security.
Other web sites with vulnerability tests are listed in the Wikipedia article on Heartbleed. On April 11, 2014, the test provided by Filippo Valsorda[2] reported "something went wrong" for the web sites of four financial services organizations and "seems fixed or unaffected" for another two. An error result of that kind means the probe could not complete, not that the site was confirmed vulnerable, which is why a second test is worth running. Retesting on April 13 with Qualys SSL Labs' SSL Server Test provided more information on all sites tested.
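To make the memory-reading concrete, here is an added example (not from the original article and not OpenSSL's own code) that simulates the heartbeat handler in C. A heartbeat record carries a 16-bit length field; the vulnerable code in OpenSSL 1.0.1 through 1.0.1f trusted that field and copied that many bytes back, so a request that claims 64 bytes while sending 4 returns 60 bytes of whatever lay next in memory (with the field's maximum of 0xFFFF, just under 64 KB per request). The "process memory", the secret string and the request are constructed sample data, and the `fixed` flag switches in the length check that 1.0.1g added. The vulnerability-test services mentioned above work by sending exactly this kind of oversized claim and looking at how much comes back.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE    128
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding RFC 6520 requires */

/* Constructed stand-in for the server's process memory: the received
 * heartbeat record sits at the front and data left behind by another
 * connection (the "secret") sits right after it. */
static unsigned char mem[MEM_SIZE];
static const char secret[] = "session=3f9a17c2; password=hunter2";

/* Builds a request whose length field claims claimed_len payload bytes
 * while only actual_len bytes (plus 16 padding bytes) are really sent.
 * Returns the record length as the TLS record layer would report it. */
static size_t build_request(uint16_t claimed_len, const char *payload,
                            size_t actual_len)
{
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&mem[3], payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(&mem[rec_len], secret, sizeof secret - 1);   /* adjacent memory */
    return rec_len;
}

/* Follows the shape of OpenSSL 1.0.1's tls1_process_heartbeat(): read the
 * type and the claimed payload length, then echo that many bytes back.
 * fixed == 0 trusts the claimed length (CVE-2014-0160); fixed != 0 adds
 * the check introduced in 1.0.1g and silently discards the record
 * (RFC 6520 section 4) when the claim does not fit.  Returns the
 * response length, or 0 when nothing is sent. */
static size_t process_heartbeat(const unsigned char *rec, size_t rec_len,
                                int fixed, unsigned char *out, size_t out_cap)
{
    if (fixed && rec_len < 1 + 2 + HB_PADDING)
        return 0;
    const unsigned char *p = rec;
    unsigned hbtype = *p++;
    unsigned payload = ((unsigned)p[0] << 8) | p[1];
    p += 2;
    const unsigned char *pl = p;

    if (hbtype != HB_REQUEST)
        return 0;
    if (fixed && 1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                 /* the bounds check the bug lacked */
    if (3 + payload > out_cap)
        return 0;                 /* simulation guard only: keeps the copy
                                     inside mem[]; real OpenSSL had none */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(&out[3], pl, payload); /* over-reads past the record whenever
                                     payload exceeds what was received */
    return 3 + payload;
}

/* Byte-wise search that does not stop at NUL bytes. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Sends a request claiming claimed_len bytes but carrying only "ping".
 * Returns the response length (0 when the server discards the request). */
size_t response_length(int fixed, uint16_t claimed_len)
{
    unsigned char out[MEM_SIZE];
    size_t rec_len = build_request(claimed_len, "ping", 4);
    return process_heartbeat(mem, rec_len, fixed, out, sizeof out);
}

/* Same request; returns 1 if the secret appears in the response. */
int secret_leaks(int fixed, uint16_t claimed_len)
{
    unsigned char out[MEM_SIZE];
    size_t rec_len = build_request(claimed_len, "ping", 4);
    size_t n = process_heartbeat(mem, rec_len, fixed, out, sizeof out);
    return contains(out, n, "password=hunter2");
}

int main(void)
{
    printf("vulnerable, honest claim of 4:  %zu bytes back, leaks=%d\n",
           response_length(0, 4), secret_leaks(0, 4));
    printf("vulnerable, false claim of 64:  %zu bytes back, leaks=%d\n",
           response_length(0, 64), secret_leaks(0, 64));
    printf("fixed,      false claim of 64:  %zu bytes back, leaks=%d\n",
           response_length(1, 64), secret_leaks(1, 64));
    return 0;
}
```

The fixed path discards rather than rejects, so a probe against a patched server simply sees no response; a vulnerable server answers with more bytes than the probe sent, and that difference is what the test services report.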
What to worry about
Typical advice on "How to protect yourself from Heartbleed" is to change all your passwords.[3] However, that is a huge task for anyone who has used the Internet for years and created accounts with many web sites, some not visited in years. It is also not necessary for rarely used services that carry no clear financial risk. Worry about the following instead:
- Any financial institution (e.g., bank, credit union, investment service) to which you have access via a PIN or password.
- Any organization you have authorized to make electronic funds transfers (EFTs) of variable amounts.
- Any organization that holds a debit card number belonging to you. Credit cards are less worrisome, at least in the US, because US credit card law gives consumers more rights to contest questionable charges than debit card holders get.
- Local area networks (LANs), including Wi-Fi, are built from hardware such as routers, including wireless routers, whose firmware may contain the Heartbleed bug. A router is exposed if it runs a vulnerable OpenSSL and offers a TLS service, such as an HTTPS administration page or a VPN endpoint.[4]
- Other services, such as Facebook, that you want to protect against an attack using login credentials stolen from you. The Wikimedia Foundation asked all its users to change their passwords.[5]
- Other financial services for which you do not recall having established any PIN, password or EFT capability. Some people have set up electronic procedures with financial institutions and made deposits but never withdrawals. You may not be exposed, but if there is any doubt it is wise to check.
The first step is to list your major exposures. Then estimate the financial loss you might suffer from an undetected attack on each, sort the list, and plan how to evaluate any action you might take, starting with the largest exposure. For example, some people have savings and investments that exceed any checking account(s) they hold; if they have established EFT procedures that permit variable withdrawals from those, they should be addressed first.
Assessing the risk of a provider
Changing a password may be worse than useless with an organization whose computers are actively being monitored by cyber thieves: you hand them your new password AND signal that it is time to extract what they can immediately with it. Patching alone does not end the risk either. A site that has installed the fix but kept the certificate and private key it used while vulnerable can still be impersonated with a copy of that key taken earlier, so check that the certificate's "valid from" date (shown in the SSL Labs report and in your browser's certificate viewer) is later than the fix.
Therefore, before accessing a web site about which you have concerns, run Qualys SSL Labs' SSL Server Test mentioned above and/or another test such as those listed in the "Vulnerability testing services" section of the Wikipedia Heartbleed article. If problems are identified, share them with the services you use and ask for their reactions. Discontinue use of sites with identified deficiencies if feasible.
LANs including Wi-Fis and routers
Any LAN or Wi-Fi could be vulnerable. Evaluating and fixing this could entail the following:[6]
- If it's a public Wi-Fi, avoid it if at all possible.
- Turn off "remote access" on routers except where needed. Nearly all routers offer "remote access" (also called remote management), which allows someone to reconfigure the router from anywhere on the Internet. Turning it off means the router can only be reconfigured from a computer on your own LAN; it does not change any other aspect of your use of the Internet. If your need for security exceeds your need for someone to reconfigure your LAN from outside (which seems likely), study the documentation for your routers and turn remote access off.[6]
- If your equipment was provided by your Internet service provider (ISP), ask them whether that hardware might include the Heartbleed bug. If so, work with them until it is fixed.
- A LAN may also include other equipment. If so, check the firmware on each piece of hardware in the LAN. The vulnerable code entered OpenSSL on December 31, 2011 and first shipped in OpenSSL 1.0.1 on March 14, 2012, so firmware built before then cannot contain it; anything more recent could. Even firmware released after April 2014 can still contain the older Heartbleed code, and a version number alone does not settle the question, since some vendors backport the fix without changing the reported OpenSSL version.
- Check with the manufacturer to see whether the firmware you have contains this bug.
- If the firmware you have may be affected, check with the manufacturer for a firmware update. If none is available when you check, keep checking back every few days until one is. Then download and install the updated firmware per the manufacturer's instructions.
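Checking a device's OpenSSL version is the quickest first pass for the firmware question in the list above. The following C program is an added example, not code from the article or from any vendor; it classifies an `openssl version` style string (the same string is embedded verbatim in OpenSSL binaries and firmware images, where `strings` will find it) against the affected range: 1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the bug, 1.0.1g and 1.0.2-beta2 onward contain the fix, and 0.9.8 and 1.0.0 never had the heartbeat code. The banners in `main` are constructed samples. A "vulnerable" result means the version is in the affected range; because vendors sometimes backport the fix without changing the version string, it still has to be confirmed with the manufacturer, as the list says.

```c
#include <stdio.h>
#include <string.h>

typedef enum {
    HB_UNKNOWN = -1,      /* no OpenSSL version string could be parsed */
    HB_NOT_AFFECTED = 0,  /* branch predates the heartbeat code (0.9.8, 1.0.0) */
    HB_VULNERABLE = 1,    /* affected range, unless the vendor backported the fix */
    HB_FIXED = 2          /* release that contains the fix */
} hb_status;

/* Parses "OpenSSL 1.0.1e 11 Feb 2013", "1.0.2-beta1", "1.0.1g" and the like. */
hb_status classify_openssl(const char *version)
{
    int maj, min, pat;
    char suffix[16] = "";
    const char *p = version;

    while (*p == ' ')
        p++;
    if (strncmp(p, "OpenSSL ", 8) == 0)
        p += 8;
    /* The scanset picks up a patch letter ("e") or a tag ("-beta1") and,
     * unlike %s, does not skip into the build date that follows. */
    int n = sscanf(p, "%d.%d.%d%15[a-z0-9-]", &maj, &min, &pat, suffix);
    if (n < 3)
        return HB_UNKNOWN;
    if (n == 3)
        suffix[0] = '\0';

    if (maj < 1 || (maj == 1 && min == 0 && pat == 0))
        return HB_NOT_AFFECTED;
    if (maj == 1 && min == 0 && pat == 1)   /* 1.0.1 .. 1.0.1f are affected */
        return (suffix[0] == '\0' || (suffix[0] >= 'a' && suffix[0] <= 'f'))
               ? HB_VULNERABLE : HB_FIXED;
    if (maj == 1 && min == 0 && pat == 2 && strcmp(suffix, "-beta1") == 0)
        return HB_VULNERABLE;
    return HB_FIXED;
}

/* Scans arbitrary text (a device's "about" page, `strings` output from a
 * firmware image) for the first OpenSSL version string and classifies it. */
hb_status classify_banner(const char *text)
{
    const char *hit = strstr(text, "OpenSSL ");
    return hit ? classify_openssl(hit) : HB_UNKNOWN;
}

static const char *status_name(hb_status s)
{
    switch (s) {
    case HB_NOT_AFFECTED: return "not affected";
    case HB_VULNERABLE:   return "vulnerable range: confirm with vendor";
    case HB_FIXED:        return "fixed release";
    default:              return "unknown (no OpenSSL version found)";
    }
}

int main(void)
{
    /* constructed samples of what a device or `openssl version` might report */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0k",
        "router firmware 2.4.1 (built with OpenSSL 1.0.1f 6 Jan 2014)",
        "Dropbear sshd v2013.62",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-64s -> %s\n", samples[i],
               status_name(classify_banner(samples[i])));
    return 0;
}
```

A device that reports no OpenSSL at all (the last sample) is not thereby cleared: it may simply not print the version anywhere you can see, which is the case where asking the manufacturer is the only option.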
Changing passwords
For web sites that were previously vulnerable, it may be wise to change a password twice in quick succession, logging out and back in between the two changes. Reportedly, cyber thieves who hold your old password can watch you set a new one. To capture the second change they would also have to log out and back in alongside you using the transitional password, which is still possible but less likely.[7]
All passwords for financial services should be unique and strong. For a strong password, experts recommend at least 8 characters (longer is better), combining upper and lower case letters with digits and special characters. Avoid common words, names and birthdays.[8]
Those can be guessed easily, especially if the information is available on social media. One good method for creating a strong password is to develop a passphrase you can easily remember, then take the first letter of each word, possibly changing a few letters to numbers and adding special characters.
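The passphrase method and the password rules above, as an added example in C (not from the article or its sources). `derive_password` takes the first letter of each word and applies a small substitution table chosen for this example; `meets_policy` checks the rules the text quotes, with a short constructed list standing in for the published most-common-password lists. The example also shows a limit the text leaves implicit: a four-word passphrase yields only four characters, so the phrase needs at least eight words to satisfy the length rule.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* First letter of each word, with a few lowercase letters swapped for a
 * digit or symbol.  The table below is this example's own choice. */
size_t derive_password(const char *phrase, char *out, size_t cap)
{
    static const char from[] = "aeios", to[] = "@310$";
    size_t n = 0;
    int at_word_start = 1;
    for (const char *p = phrase; *p && n + 1 < cap; p++) {
        if (isspace((unsigned char)*p)) { at_word_start = 1; continue; }
        if (!at_word_start)
            continue;
        at_word_start = 0;
        char c = *p;
        const char *hit = strchr(from, c);
        if (hit)
            c = to[hit - from];
        out[n++] = c;
    }
    out[n] = '\0';
    return n;
}

/* The rules quoted in the text: at least 8 characters; upper and lower
 * case, a digit and a symbol; not a well-known password.  Returns 1 if
 * the password passes all of them. */
int meets_policy(const char *pw)
{
    /* constructed sample of entries from published most-common lists */
    static const char *common[] = { "password", "123456", "qwerty",
                                    "letmein", "iloveyou" };
    int upper = 0, lower = 0, digit = 0, special = 0;
    if (strlen(pw) < 8)
        return 0;
    for (size_t i = 0; i < sizeof common / sizeof common[0]; i++)
        if (strcmp(pw, common[i]) == 0)
            return 0;
    for (const char *p = pw; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isupper(c))      upper = 1;
        else if (islower(c)) lower = 1;
        else if (isdigit(c)) digit = 1;
        else                 special = 1;
    }
    return upper && lower && digit && special;
}

/* End-to-end helpers: derive from a phrase, then compare or check. */
int phrase_gives(const char *phrase, const char *expected)
{
    char buf[64];
    derive_password(phrase, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int phrase_meets_policy(const char *phrase)
{
    char buf[64];
    derive_password(phrase, buf, sizeof buf);
    return meets_policy(buf);
}

int main(void)
{
    const char *phrases[] = {           /* constructed sample phrases */
        "My dog Rex ate 2 shoes last Tuesday",
        "correct horse battery staple",
    };
    for (size_t i = 0; i < 2; i++) {
        char buf[64];
        derive_password(phrases[i], buf, sizeof buf);
        printf("%-40s -> %-12s policy %s\n", phrases[i], buf,
               meets_policy(buf) ? "ok" : "FAILS");
    }
    return 0;
}
```

The derived password is only as unpredictable as the phrase; a line from a song or a famous quotation is itself "common" in the sense the text warns about, so pick a phrase that is personal and has never been written down.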
References
- [1] Nieva, Richard (April 8, 2014), "How to protect yourself from the 'Heartbleed' bug", CNET News, CNET, retrieved 2014-04-11
- [2] Valsorda, Filippo, Heartbleed test, filippo.io, retrieved 2014-04-11
- [3] e.g., "How to protect yourself from the "Heartbleed" security bug", CBS News, April 9, 2014, retrieved 2014-04-11
- [4] Kleinman, Alexis (2014-04-11), "The Heartbleed Bug Goes Even Deeper Than We Realized -- Here's What You Should Do", The Huffington Post, retrieved 2014-04-12
- [5] Grossmeier, Greg (April 8, 2014), "[Wikitech-l] Fwd: Security precaution - Resetting all user sessions today", Wikimedia Foundation, retrieved 2014-04-09
- [6] Kleinman, Alexis (2014-04-11), "The Heartbleed Bug Goes Even Deeper Than We Realized -- Here's What You Should Do", The Huffington Post, retrieved 2014-04-12 (same source as [4])
- [7] Wood, Molly (April 9, 2014), "Flaw Calls for Altering Passwords, Experts Say", New York Times, retrieved 2014-04-11
- [8] Ngak, Chenda (January 21, 2014), "The 25 most common passwords of 2013", CBS News, retrieved 2014-04-11