A new Internet security threat reared its ugly head last week when computer experts discovered that software commonly used to encode sensitive data, such as passwords and credit card numbers, could be compromised. Called “Heartbleed” (derived from the word “heartbeat”), the threat is different from previous scares that applied to a particular operating system, program or task. Heartbleed potentially affects all who surf the Web.

Rutgers Today asked Rebecca Wright, professor of computer science and director of the Center for Discrete Mathematics and Theoretical Computer Science (DIMACS), to explain Heartbleed and how Web users can protect themselves.
Rutgers Today: What is Heartbleed and how did it happen?
Wright: Heartbleed is a bug in software commonly used to encrypt sensitive data between Web servers and Web browsers. The bug allows anyone on the Internet to compromise secret keys that Web servers use to encrypt traffic, which allows attackers to eavesdrop on all communication between the Web server and its users – even communication that was encrypted and supposed to be private.
Rutgers Today: Who is affected?
Wright: The software, called OpenSSL, or Secure Sockets Layer, is widely used. Web sites that use or used the version of OpenSSL with the bug, and people who visited those sites before the bug was discovered and patched, are at risk and may have had their passwords compromised. In addition, if people use the same password on an affected site that they’ve used on non-affected sites, those passwords could have been learned as well.
Rutgers Today: Should we stop shopping and banking online?
Wright: This is a personal decision, and for most people the answer is probably no, as the convenience generally outweighs the risk. Most of the vulnerable sites are fixed or are working to fix the problem. This involves patching or changing the software they use and creating new server encryption keys.

Rutgers Today: What do we need to do to protect ourselves?
Wright: At this point, it would be wise to change all of your passwords, especially on sites that used an affected version of OpenSSL. While Heartbleed is a particularly widespread vulnerability, it is not the first vulnerability nor will it be the last.
In general, people should practice good password hygiene. Choose strong passwords (longer passwords that have combinations of upper- and lower-case letters, numbers and special characters where allowed by the Web site), use different passwords at different sites, and change passwords regularly. This reduces the likelihood of a password compromise at any given site and ensures that a password compromised from one site is not useful at others.
Rutgers Today: Many people find that level of password management daunting. What do you think of companies that offer products or services to handle your passwords?
Wright: Password vaults and other apps make doing this feasible; in fact, it is difficult for most people to practice this level of password hygiene without such a tool. If you find yourself writing down passwords or frequently requesting password resets, you should consider one of these products. Some reside on your computer; others are online services. Some are free, others require a subscription. Typically they require you to enter a complex password, then they supply your individual passwords to the Web sites you log into.