Wednesday, 16 April 2014

Heartache from Heartbleed goes on and on

Following on from our earlier post on the Heartbleed bug we wanted to remind you of some of the lessons learned and also to remind the reader of best practice regarding securing yourselves on the internet.
The Heartbleed bug again demonstrated that regardless of the precautions taken when using the internet you can still fall foul of information release or compromise from third party sites or systems. We no longer (alas) live in a world where trust is implicit and ok.
There was a time (not that long ago) that it was normal to leave your home unlocked and if a stranger asked a question or wanted information then it was ok to answer truthfully. We live now in a world where your information is valued and can be combined to infer more or to become more of a commodity. Your date of birth, place of birth, name of your pet or favourite colour can now aid an adversary to begin unpicking your digital and online identities. The simple passwords that proved to be convenient to remember and use across multiple domains and sites can now come back and result in widespread damage to reputations and credibility. Our online footprint can reveal the actual answers of most typical security questions to a skilled or determined attacker rendering the secrets anything but that.
With the notable exception of Government or Healthcare systems it now could be the time to begin lying on the internet; when I personally sign up for services I take a number of simple precautions that when combined offer more benefits than the truth has and these include (and are not limited to) -
Date of Birth – why does any non official site want or need this information, I’ve not been truthful about answering this question, varying the day, month and year frequently and without any real method apart from not using the actual date.
Place of Birth – my Bank knows this, my medical records and passport have this but why should a website want or need the real answer?
Pet’s name – I use random values when asked
Address – Unless I’m paying for goods / services or expecting something to be delivered to my home address I will use a fictitious one
The same goes for favourite colour, first car, school, mother’s maiden name - anything that isn’t actually needed is changed and rarely (if at all) the real information supplied. The sites I’m signing up with don’t need the real information; they just want something they can validate you against if you ever need to prove who you are. I make a note of the information given to each site in a note section of the password manager I use, if I ever need to answer the question of “Where did I go to school?” I can check the corresponding details and answer “Third moon of Pluto” (assuming that’s the answer I gave). The exceptions to this are things that I can control or have more authority over (ie: phone or mobile numbers) as these can sometimes be used for two factor authorisation or reset dialogue. If someone is able to clone my phone or steal my handset then I have more to worry about than a password at that point.

The most beneficial two tactics I employ on the internet are using unique email addresses and unique passwords. Not everyone can use the unique email addresses as it needs a suitable email setup to receive the mail, the benefit of having it ensures that if I start getting unwanted 3rd party email to a unique email address I know that either that email has been sold to spammers or the service I used it with has been compromised; it’s a good safeguard but needs extra effort to manage and check multiple addresses.
The most important single thing that anyone and everyone can do on the internet is to use complicated and unique passwords. There are downsides to this but the protection this one single action allows is worth it. As Heartbleed and high profile breaches have demonstrated, regardless of the steps we take to protect ourselves on the internet we can still fall foul if servers and services are compromised or our data released. If a service or server I subscribe to is breached and my data is released, it’s generally one (unique) email address and one random password lost. I employ a password manager to maintain the majority of my general passwords (this has the benefit of assisting in the memorising of them and the input of the same), I don’t use the password manager for my most important credentials, and these are deliberately not written down anywhere nor saved anywhere where they could be found; they are the exceptions. My password manager also has additional security that allows me to use two factor authentications. I chose and use two factor authentications wherever possible, anything that makes it harder for my credentials to be usurped is worth using.
A typical password I use is limited only by my imagination and the complexity rules of the site I’m signing up with, it’s not unusual for me to use 25+ char passwords that include special characters, upper, lower case and numbers and spaces. They are painful if I have to input them manually anywhere (such as tablets or games consoles) but that annoyance is worth it when I consider the value of the protection of complex passwords that aren’t used anywhere else. If my password needs updating or changing it’s a simple act; if that password or username/password combination is used on all sites the risks of data loss or compromise isn’t something I could or would want to deal with.
The Heartbleed bug will have a long lasting impact, the depth of the problem is still being fully analysed, it’s not just websites that were/are affected, the nature of the modern world means that there are embedded OpenSSL instances in all sorts of unexpected and difficult to patch places (home routers, firewalls, mobile phones and so on). I suspect there will be ongoing attacks for years to come and it should be accepted that some of the vulnerable systems and services will never be fixed or solutions made available. You may be able to trust the online service / bank or the like but that won’t be able to stop you being owned or affected by seemingly safe devices. We cannot be certain where the OpenSSL Heartbleed bug can be found but we can do everything else to minimise the problems caused if we unknowingly have our information disclosed or released.
Anyone that still has an easy or common password needs to rethink how they are potentially exposed if that information or password is released. We in 2014 are still facing an ongoing problem of common passwords breaking security and trust, if you can authenticate to anything using 123456 or password, qwerty or princess, trustno1 or admin or anything that isn’t “complicated” and using all the characters’ available then you’re taking a risk.  I would like to see services and sites ban people from using simple words or limit their choice to alpha numeric alone with fixed max length under 10.
Complexity is good, length is beneficial. Simplicity in passwords should be consigned to the yesteryear when it was ok to leave your car or house unlocked and have a hope that your possessions and property would still be there anytime afterwards. That age has gone, let’s make sure our weak passwords don’t undermine the security in this modern world we live in. The internet is a wonderful place to be but not one you should blindly trust with anything other than unique throwaway information.
Jamie Duxbury, Senior Security Specialist


No comments:

Post a Comment