My Heartbleed learning experience and alternative to poor quality Heartbleed instructions.

Due to the difficulty of finding high-quality Heartbleed instructions, I have discovered that perfectly good, intelligent rationalists either didn’t do all that was needed and ended up with a false sense of security, or did things that increased their risk without realizing it and needed to take some additional steps. Part of the problem is that organizations who write for end users do not specialize in computer security and vice versa, so many of the Heartbleed instructions for end users had issues. The issues range from conflicting and confusing information to outright ridiculous hype. As an IT person and a rationalist, I knew better than to jump to the proposing-solutions phase before researching [1]. Recognizing the need for well-thought-out Heartbleed instructions, I spent 10-15 hours sorting through the chaos to create more comprehensive Heartbleed instructions. I’m not a security expert, but as an IT person who has read about computer security out of a desire for professional improvement and also out of curiosity, and who is familiar with various research issues, cognitive biases, logical fallacies, etc., I am not clueless either. In light of this being a major event that some sources are calling one of the worst security problems ever to happen on the Internet [2], that has been proven to be more than a theoretical risk (four people hacked the keys to the castle out of Cloudflare’s challenge in just one day) [3], that has been badly exploited (900 Canadian social insurance numbers were leaked today [4]), and for which some evidence exists that it may have been used for spying for a long time (EFF found evidence of someone spying on IRC conversations [5]), I think it’s important to share my compilation of Heartbleed instructions just so that a better list of instructions is out there.
More importantly, this disaster is a very rare rationality learning opportunity: reflecting on our behavior and comparing it with what we realize we should have done after becoming more informed may help us see patches of irrationality that could harm us during future disasters. For that reason, I did some rationality checks on my own behavior by asking myself a set of questions. I have of course included the questions.

Heartbleed Research Challenges this Post Addresses:

- There are apparent contradictions between sources about which sites were affected by Heartbleed, which sites have updated for Heartbleed, which sites need a password reset, and whether to change your passwords now or wait until the company has updated for Heartbleed. For instance, Yahoo said Facebook was not vulnerable. [6] LastPass said Facebook was confirmed vulnerable and recommended a password update. [7]

- Companies are putting out a lot of “fluffspeek”*, which makes it difficult to figure out which of your accounts have been affected, and which companies have updated their software.

- Most sources *either* specialize in writing for end-users *or* are credible sources on computer security, not both.

- Different articles have different sets of Heartbleed instructions. None of the articles I saw contained every instruction.

- A lot of what’s out there is just ridiculous hype. [8]

Disclaimer

I am not a security specialist, nor am I certified in any security-related area. I am an IT person who has randomly read a bunch of security literature over the last 15 years, but there *is* a definite quality difference between an IT person who has read security literature and a professional who is dedicated to security. I can’t give you any guarantees (though I’m not sure it’s wise to accept that from the specialists either). Another problem here is time. I wanted to act ASAP. With hackers on the loose, I do not think it wise to invest the time it would take me to create a Gwern-style masterpiece. This isn’t exactly slapped together, but I am working within time constraints, so it’s not perfect. If you have something important to protect, or have the money to spend, consult a security specialist.

Compilation of Heartbleed Instructions


Beware fraudulent password reset emails and shiny Heartbleed fixes.

With all the real password reset emails going around, there are a lot of scam artists out there hoping to sneak in some dupes. A lot of people get confused. It doesn’t mean you’re stupid. Never change a password by following a link in an email: type the site’s address yourself or use a bookmark, and if you call, use a phone number you already have (from your card or the site itself), not one printed in the message. If you clicked a nasty link, or even if you’re not sure, call the company’s fraud department immediately. That’s why they’re there. [9] Always be careful about anything that seems too good to be true, as the scam artists have also begun to advertise Heartbleed “fixes” as bait.


If the site hasn’t done an update, it’s risky to change your password.

Why: This may increase your risk. If Heartbleed isn’t fixed, any new password you type in could be stolen, and a lot of criminals are probably doing whatever they can to exploit Heartbleed right now since they just found out about it. “Changing your password before receiving notice about a fixed service may only reveal your new password to an attacker.” [10]


If you use a password manager, consider whether it is secure.

Some password managers are much better than others. I can’t recommend one, but be careful which one you choose. Also, check whether the manager’s own servers, sync service, or browser extension were affected by Heartbleed, since a manager that was leaking its own sessions would be a single point of failure for every password it holds.


If you already changed your password, and then a site updates or says “change your password”, do it again.

Why change it twice?: If you changed it before the update, you were sending that new password over a connection with a nasty security flaw. Consider that password “potentially stolen” and make a new one. “Changing your password before receiving notice about a fixed service may only reveal your new password to an attacker.” [10]


If a company says “no need to change your password”, do you really want to believe them?

There’s a perverse incentive for companies to tell you “everything is fine” when in fact it is not fine, because nobody wants to be seen as having bad security on their website. Also, if someone did steal your password through this bug, it’s not traceable to the bug: the heartbeat requests that trigger it look like ordinary TLS traffic, so a company could conceivably claim “things are fine” without much accountability. “Exploitation of this bug leaves no traces of anything abnormal happening to the logs.” [11] I do not know whether, in practice, companies respond to similar perverse incentives, or if some unknown thing keeps them in check, but I have observed plenty of companies taking advantage of other perverse incentives. Health care rescission, for instance. That affected much more important things than data.


When a site has done a Heartbleed update, *then* change your password.

That’s the time to do it. “Changing your password before receiving notice about a fixed service may only reveal your new password to an attacker.” [10]


Security Questions

Nothing protected your mother’s maiden name or the street you grew up on from Heartbleed any more than your passwords or other data. A stolen security question can be a much bigger risk than a stolen password, especially if you used the same one on multiple different accounts, because unlike a password you cannot really rotate your mother’s maiden name. When you change your password, also consider whether you should change your security questions. Think about changing them to something hard to guess and unique to that account, and remember that you don’t have to fill out your security questions with accurate information; a made-up answer stored in your password manager works just as well. If you filled the questions out in the last two years (the vulnerable OpenSSL versions date from March 2012), there’s a risk that they were stolen, too.


How do I know if a site updated?

Method One:

Qualys SSL Labs, an information security provider, created a free SSL Server Test. Just plug in the domain name and Qualys will generate a report, including whether the server is still vulnerable to Heartbleed. Yes, it checks the certificate, too. (Very important: patching OpenSSL alone is not a complete fix. The server’s private key could have been leaked before the patch, so a properly fixed site also has a new certificate with a new key, issued after the fix, and has revoked the old one. Look at the certificate’s issue date in the report; a certificate dated before April 7, 2014 was never reissued.)

Qualys Server Test

Method Two:

CERT, a major security flaw advisory publisher, listed some (not all!) of the sites that have updated. If you want a list, you should use CERT’s list, not other lists.

CERT’s List

Why CERT’s list? Hearing “not vulnerable” on some news website’s list does not mean that any independent organization verified that the site was fine, nor that an independent organization even has the ability to verify that the site has been safe for the entire last two years. If anyone can do that job, it would be CERT, but I am not aware of tests of their abilities in that regard. Bear in mind that the vendor statuses in a CERT vulnerability note are largely reported by the vendors themselves. Also, there is no fluffspeek*.


Method Three:

Search the site itself for the word “Heartbleed” and read the articles that come up. If the site had to do a Heartbleed update, change your password. Here’s the quick way to search a whole site in Google (do not add “www”):

site:websitename.com Heartbleed


If an important site hasn’t updated yet:

If you have sensitive data stored there, don’t log into that site until it’s fixed. If you want to protect it, call them up and try to change your password by phone or lock the account down. “Stick to reputable websites and services, as those sites are most likely to have addressed the vulnerability right away.” [10]


Check your routers, mobile phones, and other devices.

Yes, really. [13] [14] Anything that embeds OpenSSL 1.0.1 through 1.0.1f can be affected, not just web servers: home routers, VPN appliances, and Android 4.1.1 handsets were among the devices reported as vulnerable. The fix for a device is a firmware or OS update from the vendor, so check whether one has been released and apply it.


If you have even the tiniest website:

Don’t think “There’s nothing to steal on my website”. Spammers always want to get into your website. Hackers make software that exploits bugs and can share or sell that software. If a hacker shares a tool that exploits Heartbleed and your site is vulnerable, spammers will get the tool and could make a huge mess out of everything. That can get you blacklisted and disrupt email, it can get you removed from Google search engine results, it can disrupt your online advertising … it can be a mess.

Get a security expert involved to look for all the places where Heartbleed may have caused a security risk on your site, preferably one who knows about all the different services that your website might be using. “Services” meaning things like a vendor that you pay so your website can send bulk text messages for two-factor authentication, or a free service that lets users do “social sign-on” to log into your site with an external service like Yahoo. The possibilities for Heartbleed to cause problems on your website, through these kinds of services, are really pretty enormous. Both paid services and free services could be affected.

A sysadmin needs to check the server your site is on to figure out if it’s got the Heartbleed bug and update it. Updating means more than installing the patched library: every service that loaded the old OpenSSL (the web server, mail server, VPN, and so on) has to be restarted so it stops running the vulnerable code, the site needs a new certificate with a new private key, the old certificate should be revoked, and only then should users be told to change their passwords.

Remember to check your various web providers like domain name registration services, web hosting company, etc.
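Two offline checks that go with the certificate point in Method One and with the sysadmin check just above, as an added example (this is not code from the original post or from Qualys or CERT). It works on two strings a sysadmin collects by hand, the output of `openssl version -a` on the server and the `notBefore=` line that `openssl x509 -noout -dates` prints for the site’s certificate, so it needs no network access. The sample output and certificate date in the block are constructed; the thresholds are the public ones: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the bug, 1.0.1g fixed it, and disclosure was on 2014-04-07.

```python
"""Offline Heartbleed triage for a server you administer (added example).

Inputs are collected by hand:
  * the output of `openssl version -a` on the server, and
  * the `notBefore=` line from
    `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -dates`.

Facts used: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the bug
(CVE-2014-0160); 1.0.1g fixed it; disclosure was 2014-04-07. Distributions
also backported the fix without changing the version letter, which is why
the build date is consulted as well.
"""
import re
from datetime import datetime, timezone

DISCLOSURE_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g" and "1.0.2-beta1" all match.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")
_BUILT_ON_RE = re.compile(r"built on:\s*(.+)")


def openssl_version_is_vulnerable(version_output: str) -> bool:
    """True if the version string names a release that shipped the bug."""
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError(f"no OpenSSL version found in {version_output!r}")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        # 1.0.1 (no letter) up to 1.0.1f are vulnerable; 1.0.1g is the fix.
        return letter < "g"
    if release == (1, 0, 2):
        return beta == "1"  # only 1.0.2-beta1 carried the bug
    return False  # 0.9.8 and 1.0.0 never had TLS heartbeat support


def built_on(version_output: str):
    """Parse the 'built on:' line of `openssl version -a`; None if absent."""
    m = _BUILT_ON_RE.search(version_output)
    if not m:
        return None
    try:
        naive = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Z %Y")
    except ValueError:
        return None
    return naive.replace(tzinfo=timezone.utc)


def certificate_issued_after_disclosure(not_before: str) -> bool:
    """not_before looks like 'notBefore=Apr  9 12:00:00 2014 GMT'.

    A certificate issued before disclosure was never reissued, so a private
    key leaked through the bug would still be trusted by browsers.
    """
    value = not_before.split("=", 1)[-1].strip()
    issued = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return issued.replace(tzinfo=timezone.utc) >= DISCLOSURE_DATE


def assess(version_output: str, not_before: str) -> dict:
    """Combine the checks into the three facts a sysadmin needs to act on."""
    vulnerable_string = openssl_version_is_vulnerable(version_output)
    build = built_on(version_output)
    return {
        # The version string alone says the library shipped the bug...
        "version_vulnerable": vulnerable_string,
        # ...but a build dated on/after disclosure is probably a distro
        # backport: the package changelog, not the letter, settles it.
        "possible_backport": vulnerable_string
        and build is not None
        and build >= DISCLOSURE_DATE,
        # Patching without a new key and certificate leaves a leaked key valid.
        "cert_reissued": certificate_issued_after_disclosure(not_before),
    }


# Constructed sample input, not taken from any real server.
SAMPLE_VERSION_OUTPUT = (
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "built on: Mon Apr  7 20:33:29 UTC 2014\n"
)
SAMPLE_NOT_BEFORE = "notBefore=Apr  9 12:00:00 2014 GMT"

if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION_OUTPUT, SAMPLE_NOT_BEFORE).items():
        print(f"{key}: {value}")
```

On the constructed sample the version letter says vulnerable, but the binary was built on the day of disclosure, which is the signature of a distribution backport (Debian and Ubuntu shipped exactly such 1.0.1e builds), so the package changelog decides; the certificate was issued two days after disclosure, so the key-rotation half of the fix has been done. A “version_vulnerable” result with no recent build date, or a certificate dated before April 2014, is a server that still needs work.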

Rationality Learning Opportunity (The Questions)

We won’t get many opportunities to think about how we react in a disaster. For obvious ethical reasons, we can’t exactly create disasters in order to test ourselves. I am taking the opportunity to reflect on my reactions and am sharing my method for doing this. Here are some questions I asked myself which are designed to encourage reflection. I admit to having made two mistakes at first: I did not apply rigorous skepticism to each news source right from the very first article I read, and I underestimated the full extent of what it would take to address the issue. What saved me was noticing my confusion.

When you first heard about Heartbleed, did you fail to react? (Normalcy bias)

When you first learned about the risk, what probability did you assign to being affected by it? What probability do you assign now? (Optimism bias)

Were you surprised to find out that someone in your life did not know about Heartbleed, and regret not telling them when it had occurred to you to tell them? (Bystander effect)

What did you think it was going to take to address Heartbleed? Did you underestimate what it would take to address it competently? (Dunning-Kruger effect)

After reading news sources on Heartbleed instructions, were you surprised later that some of them were wrong?

How much time did you think it would take to address the issue? Did it take longer? (Planning fallacy)

Did you ignore Heartbleed? (Ostrich effect)

*Fluffspeek:

Companies, of course, want to present a respectable face to customers, so most of them are not just coming out and saying “We were affected by Heartbleed. We have updated. It’s time to change your password now.” Instead, some have been writing fluff like:

“We see no evidence that data was stolen.”

According to the company that found this bug, Heartbleed doesn’t leave a trail in the logs. [15] If someone did steal your password, would there be evidence anyway? Maybe some really were able to rule that out somehow. Positivity bias, a type of confirmation bias, is an important possibility here. Maybe, like many humans, these companies simply failed to “Look into the dark” [16] and think of alternate explanations for the evidence they’re seeing (or not seeing, which can sometimes be evidence [17], but not useful evidence in this case, because the exploit is invisible to normal logging).

“We didn’t bother to tell you whether we updated for Heartbleed, but it’s always a good idea to change your password however often.”

Unless you know each website has updated for Heartbleed, there’s a chance that you’re going to go out and send your new passwords right through a bunch of websites’ Heartbleed security holes as you’re changing them. Now that Heartbleed is big news, every hacker and script kiddie on planet earth probably knows about it, which means there are probably way more people trying to steal passwords through Heartbleed than before. Which is the greater risk? Entering a new password while the site is leaking passwords in a potentially hacker-infested environment, or leaving your potentially stolen password there until the site has updated? Worse, if people *did not* change their password after the update because they already changed it *before* the update, they’ve got a false sense of security about the probability that their password was stolen. Maybe some of these companies updated for Heartbleed before saying that. Maybe the bug was completely non-applicable for them. Regardless, I think end users deserve to know that updating their password before the Heartbleed update carries a risk. Users need to be told whether an update has been applied. As James Lynn wrote for Forbes, “Forcing customers to guess or test themselves is just negligent.” [8]

“Fluffspeek” is a play on “leetspeek”, a term used to describe bits of text full of numbers and symbols that is attributed to silly “hackers”. Some PR fluff may be a deliberate attempt to exploit others, similar in some ways to the manipulation techniques popular among black hat hackers, called social engineering. Even when it’s not deliberate, this kind of garbage is probably about as ugly to most people with half a brain as “I AM AN 31337 HACKER!!!1”, so the name is still fitting.

References:

1. http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/

2. http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/

3. http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

4. http://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html

5. https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

6. http://finance.yahoo.com/blogs/breakout/heartbleed-security-flaw—how-to-protect-yourself-172552932.html

7. https://lastpass.com/heartbleed/?h=facebook.com

8. Forbes.com, “Avoiding Heartbleed Hype, What To Do To Stay Safe” (I can’t link to this for some reason but you can do a search.)

9. http://www.net-security.org/secworld.php?id=16671

10. http://www.cnbc.com/id/101569136

11. http://heartbleed.com/

12. https://community.norton.com/t5/Norton-Protection-Blog/Heartbleed-Bug-What-You-Need-to-Know-and-Security-Tips/ba-p/1120128

13. http://online.wsj.com/news/articles/SB10001424052702303873604579493963847851346

14. Forbes.com, “A Billion Smartphone Users May Be Affected by the Heartbleed Security Flaw” (I can’t link to this for some reason but you can do a search.)

15. http://heartbleed.com/

16. http://lesswrong.com/lw/iw/positive_bias_look_into_the_dark/

17. http://lesswrong.com/lw/ih/absence_of_evidence_is_evidence_of_absence/