My heart bleeds for you

The real danger of all these virus scares is that if we are not affected, and most of us haven't been, we continue not to take internet security seriously, says Mick Jones
When did you first hear about Heartbleed? I got the news a day before the BBC, from somebody I work with whose son is a programmer in the US. He advised his mother to avoid making payments online, wait a week then change all passwords.
This registered with me the next morning when it was mentioned on the breakfast news. I didn't wait a week. I changed my Ocado password but not my Amazon one. Hedging my bets maybe? Perhaps I think groceries are a greater risk than books. This wasn't sensible.
So what is it? What have you done about it, and is it a sign of things to come? Well, first, it's potentially pretty bad. Heartbleed is a bug in an open-source library widely used on the internet. The problem seems to be in the secure sockets layer (SSL), a cryptographic protocol designed to provide communication security online. Full details are available on the bug's own website. The problem stems from a programmer's error.
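The programmer's error behind Heartbleed was a missing length check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520): the code copied as many bytes into its reply as the peer claimed to have sent, rather than as many as it had actually received. The handler below is an added example, not code from this article or from OpenSSL; it shows the shape of the check the patched version added, run against two constructed 23-byte requests (one honest, one claiming 65535 bytes), and the function names `heartbeat_payload_len`, `heartbeat_response` and `demo_*` are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): 1-byte type, 2-byte payload length,
 * the payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Validate a heartbeat request of rec_len received bytes. Returns the payload
 * length that may be echoed back, or -1 if the message claims more payload
 * than the record holds. The vulnerable code trusted the claimed length; the
 * final check below is the shape of the fix shipped in OpenSSL 1.0.1g. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)      /* room for header + padding? */
        return -1;
    if (rec[0] != 1)                                   /* 1 = heartbeat_request */
        return -1;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];    /* big-endian length */
    if (HB_HEADER_LEN + (size_t)payload + HB_MIN_PADDING > rec_len) /* the missing check */
        return -1;
    return (int)payload;
}

/* Build a heartbeat_response (type 2) into out, copying only the validated
 * payload. Returns bytes written, or -1 if the request is rejected. */
int heartbeat_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    int payload = heartbeat_payload_len(rec, rec_len);
    size_t need = HB_HEADER_LEN + (size_t)(payload < 0 ? 0 : payload) + HB_MIN_PADDING;
    if (payload < 0 || out_len < need)
        return -1;
    out[0] = 2;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)payload);
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);  /* padding (random in TLS) */
    return (int)need;
}

/* Constructed 23-byte request: claims hi/lo payload bytes, actually carries "ping". */
static int demo(uint8_t hi, uint8_t lo)
{
    uint8_t rec[23] = { 1, hi, lo, 'p', 'i', 'n', 'g' };  /* remainder is zero padding */
    uint8_t out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out);
}
int demo_honest(void)    { return demo(0x00, 0x04); }  /* 4-byte claim: 23-byte reply */
int demo_oversized(void) { return demo(0xff, 0xff); }  /* 65535-byte claim: rejected, -1 */
```

Without the final check in `heartbeat_payload_len`, the oversized request would make `memcpy` read 65535 bytes from beyond the 23-byte record, which is exactly the memory disclosure the advisory describes.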
How at risk are you? If you are connecting to sites that are still using the vulnerable version of SSL, then data you exchange with those sites may be compromised. Now that the vulnerability is public, there is the risk that people may attempt to exploit it on sites that have not yet applied the fix.
There is no point changing your passwords until the fix has been applied. Check the main sites you use to see whether they are either not affected or have applied a fix. It would be sensible to change passwords now and again in a month. If you're a regular user of public Wi-Fi, the risk is increased, but if you're using your home computer on your own connection, the risk is considerably reduced.
Also, consider whether you make use of critical sites - critical to you, that is - from workplace computers. Many offices allow staff internet access, and if your workplace is anything like mine, lunchtime is a frenzy of shopping. If so, ensure that your workplace network is secure.
Mum's the word
There was considerable press coverage of the Mumsnet website being hacked. Reports stressed that the biggest fear was for those who use the same password for Mumsnet as they do for important websites, such as their banks, meaning cybercriminals may be able to hack those accounts too. So, use a unique password on each site and change your passwords on a regular basis. It's tedious but necessary.
So which sites were vulnerable and which ones have implemented a fix? LinkedIn and Amazon claim not to have been affected. A quick check also tells me that Ocado.com is either fixed or has not felt the impact. Given my concerns mentioned above, though, I will change both passwords again.
New vulnerabilities will always be discovered on a regular basis. The Common Vulnerabilities and Exposures (CVE) system registers Heartbleed as CVE-2014-0160. The CVE system is maintained by Mitre, a not-for-profit organisation that operates research and development centres sponsored by the US federal government. The system aims to allow software vulnerability information to be shared in a standardised format. The idea is that encouraging information-sharing about vulnerabilities will enable fixes to be achieved as quickly as possible.
Microsoft has released a temporary workaround tool for a newly discovered zero-day flaw in Internet Explorer, which has been spotted being abused in at least two targeted attack campaigns. Zero-day attacks occur during the vulnerability window: the time between when a vulnerability is first exploited and when software developers develop and publish a counter to that threat. This particular problem affects IE10, but do check for regular updates.
If the Heartbleed scare tells us anything, it is that we need to be more password-aware. The more sites we visit, the more passwords we need. Remembering the right password for the right site can be daunting, if not impossible.
There are products out there to help you do this, or you can just set up a spreadsheet with all your passwords in it, but remember to back it up and to password-protect it.
Mick Jones is managing director of thewealthworks
He writes a regular blog about technology for Private Client Adviser