My Heartbleed learning experience and alternative to poor quality Heartbleed instructions.

Because high-quality Heartbleed instructions are hard to find, I have seen perfectly good, intelligent rationalists either fail to do all that was needed and end up with a false sense of security, or do things that increased their risk without realizing it and then need to take additional steps. Part of the problem is that organizations who write for end users do not specialize in computer security and vice versa, so many of the Heartbleed instructions for end users had issues. The issues range from conflicting and confusing information to outright ridiculous hype. As an IT person and a rationalist, I knew better than to jump to the proposing-solutions phase before researching [1]. Recognizing the need for well-thought-out Heartbleed instructions, I spent 10-15 hours sorting through the chaos to create more comprehensive Heartbleed instructions. I’m not a security expert, but as an IT person who has read about computer security out of a desire for professional improvement and also out of curiosity, and who is familiar with various research issues, cognitive biases, logical fallacies, etc., I am not clueless either. This is a major event that some sources are calling one of the worst security problems ever to happen on the Internet [2]; it has been proven to be more than a theoretical risk (four people hacked the keys to the castle out of Cloudflare’s challenge in just one day) [3]; it has been badly exploited (900 Canadian social insurance numbers were leaked today) [4]; and some evidence exists that it may have been used for spying for a long time (EFF found evidence of someone spying on IRC conversations) [5]. In light of all that, I think it’s important to share my compilation of Heartbleed instructions just so that a better list of instructions is out there.
More importantly, this disaster is a very rare rationality learning opportunity: reflecting on our behavior and comparing it with what we realize we should have done after becoming more informed may help us see patches of irrationality that could harm us during future disasters. For that reason, I did some rationality checks on my own behavior by asking myself a set of questions. I have of course included the questions.

Heartbleed Research Challenges this Post Addresses:

- There are apparent contradictions between sources about which sites were affected by Heartbleed, which sites have updated for Heartbleed, which sites need a password reset, and whether to change your passwords now or wait until the company has updated for Heartbleed. For instance, Yahoo said Facebook was not vulnerable. [6] LastPass said Facebook was confirmed vulnerable and recommended a password update. [7]

- Companies are putting out a lot of “fluffspeek”*, which makes it difficult to figure out which of your accounts have been affected, and which companies have updated their software.

- Most sources *either* specialize in writing for end-users *or* are credible sources on computer security, not both.

- Different articles have different sets of Heartbleed instructions. None of the articles I saw contained every instruction.

- A lot of what’s out there is just ridiculous hype. [8]

Disclaimer

I am not a security specialist, nor am I certified in any security-related area. I am an IT person who has randomly read a bunch of security literature over the last 15 years, but there *is* a definite quality difference between an IT person who has read security literature and a professional who is dedicated to security. I can’t give you any guarantees (though I’m not sure it’s wise to accept that from the specialists either). Another problem here is time. I wanted to act ASAP. With hackers on the loose, I do not think it wise to invest the time it would take me to create a Gwern style masterpiece. This isn’t exactly slapped together, but I am working within time constraints, so it’s not perfect. If you have something important to protect, or have the money to spend, consult a security specialist.

Compilation of Heartbleed Instructions


Beware fraudulent password reset emails and shiny Heartbleed fixes.

With all the real password reset emails going around, there are a lot of scam artists out there hoping to sneak in some dupes. A lot of people get confused. It doesn’t mean you’re stupid. If you clicked a nasty link, or even if you’re not sure, call the company’s fraud department immediately. That’s why they’re there. [9] Always be careful about anything that seems too good to be true, as the scam artists have also begun to advertise Heartbleed “fixes” as bait.


If the site hasn’t done an update, it’s risky to change your password.

Why: This may increase your risk. If Heartbleed isn’t fixed, any new password you type in could be stolen, and a lot of criminals are probably doing whatever they can to exploit Heartbleed right now since they just found out about it. “Changing your password before receiving notice about a fixed service may only reveal your new password to an attacker.” [10]


If you use digital password storing, consider whether it is secure.

Some digital password storing software is way better than others. I can’t recommend one, but be careful which one you choose. Also, check them for Heartbleed.


If you already changed your password, and then a site updates or says “change your password” do it again.

Why change it twice?: If you changed it before the update, you were sending that new password over a connection with a nasty security flaw. Consider that password “potentially stolen” and make a new one. “Changing your password before receiving notice about a fixed service may only reveal your new password to an attacker.” [10]


If a company says “no need to change your password” do you really want to believe them?

There’s a perverse incentive for companies to tell you “everything is fine” when in fact it is not fine, because nobody wants to be seen as having bad security on their website. Also, if someone did steal your password through this bug, it’s not traceable to the bug. Companies could conceivably claim “things are fine” without much accountability. “Exploitation of this bug leaves no traces of anything abnormal happening to the logs.” [11] I do not know whether, in practice, companies respond to similar perverse incentives, or if some unknown thing keeps them in check, but I have observed plenty of companies taking advantage of other perverse incentives. Health care rescission for instance. That affected much more important things than data.


When a site has done a Heartbleed update, *then* change your password.

That’s the time to do it. “Changing your password before receiving notice about a fixed service may only reveal your new password to an attacker.” [10]


Security Questions

Nothing protected your mother’s maiden name or the street you grew up on from Heartbleed any more than your passwords or other data. A stolen security question can be a much bigger risk than a stolen password, especially if you used the same one on multiple different accounts. When you change your password, also consider whether you should change your security questions. Think about changing them to something hard to guess, unique to that account, and remember that you don’t have to fill out your security questions with accurate information. If you filled the questions out in the last two years, there’s a risk that they were stolen, too.


How do I know if a site updated?

Method One:

Qualys SSL Labs, an information security provider, created a free SSL Server Test. Just plug in the domain name and Qualys will generate a report. Yes, it checks the certificate, too. (Very important.)

Qualys Server Test

Method Two:

CERT, a major security flaw advisory publisher, listed some (not all!) of the sites that have updated. If you want a list, you should use CERT’s list, not other lists.

CERT’s List

Why CERT’s list? Hearing “not vulnerable” on some news website’s list does not mean that any independent organization verified that the site was fine, nor that an independent organization even has the ability to verify that the site has been safe for the entire last two years. If anyone can do that job, it would be CERT, but I am not aware of any tests of their abilities in that regard. Also, there is no fluffspeek*.


Method Three:

Search the site itself for the word “Heartbleed” and read the articles that come up. If the site had to do a Heartbleed update, change your password. Here’s the quick way to search a whole site in Google (do not add “www”):

site:websitename.com Heartbleed


If an important site hasn’t updated yet:

If you have sensitive data stored there, don’t log into that site until it’s fixed. If you want to protect it, call them up and try to change your password by phone or lock the account down. “Stick to reputable websites and services, as those sites are most likely to have addressed the vulnerability right away.” [10]


Check your routers, mobile phones, and other devices.

Yes, really. [13] [14]


If you have even the tiniest website:

Don’t think “There’s nothing to steal on my website”. Spammers always want to get into your website. Hackers make software that exploits bugs and can share or sell that software. If a hacker shares a tool that exploits Heartbleed and your site is vulnerable, spammers will get the tool and could make a huge mess out of everything. That can get you blacklisted and disrupt email, it can get you removed from Google search engine results, it can disrupt your online advertising … it can be a mess.

Get a security expert involved to look for all the places where Heartbleed may have caused a security risk on your site, preferably one who knows about all the different services that your website might be using. “Services” meaning things like a vendor that you pay so your website can send bulk text messages for two-factor authentication, or a free service that lets users do “social sign-on” to log into your site with an external service like Yahoo. The possibilities for Heartbleed to cause problems on your website, through these kinds of services, are really pretty enormous. Both paid services and free services could be affected.

A sysadmin needs to check the server your site is on to figure out if it’s got the Heartbleed bug and update it.
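
One part of that sysadmin check is knowing which OpenSSL releases carried the bug. The following is an added example (not from the original post) that classifies an `openssl version` line against the affected range; the function and category names are my own. The important caveat it encodes: many distributions backported the fix without changing the upstream version string, so “vulnerable-upstream” means “go read the package changelog”, not “proven exposed”, and the library a web server actually loaded may differ from the command-line tool’s.

```python
import re
import subprocess

# Upstream OpenSSL 1.0.1 through 1.0.1f shipped the Heartbleed bug; 1.0.1g fixed it.
# The 1.0.2-beta1 pre-release was also affected. Releases before 1.0.1 (0.9.8, 1.0.0)
# never had the TLS heartbeat code at all.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def classify_openssl_version(version_line):
    """Classify one `openssl version` output line.

    Returns 'vulnerable-upstream', 'fixed', 'not-affected' or 'unknown'.
    'vulnerable-upstream' only says the upstream release was affected: a
    distribution may have patched the bug while keeping this version string
    (common in 2014), so confirm against the package changelog before acting.
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"  # not OpenSSL, or an unrecognised format
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # Bare "1.0.1" and letters a-f are affected; g and later are fixed.
        return "vulnerable-upstream" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta predates the fix.
        return "vulnerable-upstream" if beta == "beta1" else "fixed"
    if (major, minor, fix) < (1, 0, 1):
        return "not-affected"  # heartbeat extension not implemented yet
    return "fixed"


def local_openssl_status():
    """Classify the openssl CLI on this machine; None if it is not installed."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return classify_openssl_version(out)


if __name__ == "__main__":
    # Constructed sample lines in the format `openssl version` prints.
    for line in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                 "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(line, "->", classify_openssl_version(line))
    print("this host ->", local_openssl_status())
```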

Remember to check your various web providers like domain name registration services, web hosting company, etc.

Rationality Learning Opportunity (The Questions)

We won’t get many opportunities to think about how we react in a disaster. For obvious ethical reasons, we can’t exactly create disasters in order to test ourselves. I am taking the opportunity to reflect on my reactions and am sharing my method for doing this. Here are some questions I asked myself which are designed to encourage reflection. I admit to having made two mistakes at first: I did not apply rigorous skepticism to each news source right from the very first article I read, and I underestimated the full extent of what it would take to address the issue. What saved me was noticing my confusion.

When you first heard about Heartbleed, did you fail to react? (Normalcy bias)

When you first learned about the risk, what probability did you assign to being affected by it? What probability do you assign now? (Optimism bias)

Were you surprised to find out that someone in your life did not know about Heartbleed, and regret not telling them when it had occurred to you to tell them? (Bystander effect)

What did you think it was going to take to address Heartbleed? Did you underestimate what it would take to address it competently? (Dunning-Kruger effect)

After reading news sources on Heartbleed instructions, were you surprised later that some of them were wrong?

How much time did you think it would take to address the issue? Did it take longer? (Planning fallacy)

Did you ignore Heartbleed? (Ostrich effect)

*Fluffspeek:

Companies, of course, want to present a respectable face to customers, so most of them are not just coming out and saying “We were affected by Heartbleed. We have updated. It’s time to change your password now.” Instead, some have been writing fluff like:

“We see no evidence that data was stolen.”

According to the company that found this bug, Heartbleed doesn’t leave a trail in the logs. [15] If someone did steal your password, would there be evidence anyway? Maybe some really were able to rule that out somehow. Positivity bias, a type of confirmation bias, is an important possibility here. Maybe, like many humans, these companies simply failed to “Look into the dark” [16] and think of alternate explanations for the evidence they’re seeing (or not seeing, which can sometimes be evidence [17], but not useful evidence in this case).

“We didn’t bother to tell you whether we updated for Heartbleed, but it’s always a good idea to change your password however often.”

Unless you know each website has updated for Heartbleed, there’s a chance that you’re going to go out and send your new passwords right through a bunch of websites’ Heartbleed security holes as you’re changing them. Now that Heartbleed is big news, every hacker and script kiddie on planet earth probably knows about it, which means there are probably way more people trying to steal passwords through Heartbleed than before. Which is the greater risk? Entering a new password while the site is leaking passwords in a potentially hacker-infested environment, or leaving your potentially stolen password there until the site has updated? Worse, if people *did not* change their password after the update because they already changed it *before* the update, they’ve got a false sense of security about the probability that their password was stolen. Maybe some of these companies updated for Heartbleed before saying that. Maybe the bug was completely non-applicable for them. Regardless, I think end users deserve to know that updating their password before the Heartbleed update carries a risk. Users need to be told whether an update has been applied. As James Lynn wrote for Forbes, “Forcing customers to guess or test themselves is just negligent.” [8]

“Fluffspeek” is a play on “leetspeek”, a term used to describe bits of text full of numbers and symbols that are attributed to silly “hackers”. Some PR fluff may be a deliberate attempt to exploit others, similar in some ways to the manipulation techniques popular among black hat hackers, called social engineering. Even when it’s not deliberate, this kind of garbage is probably about as ugly to most people with half a brain as “I AM AN 31337 HACKER!!!1”, so the term is still fitting.

References:

1. http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/

2. http://money.cnn.com/2014/04/09/technology/security/Heartbleed-bug/

3. http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

4. http://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html

5. https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-Heartbleed-november-2013

6. http://finance.yahoo.com/blogs/breakout/Heartbleed-security-flaw—how-to-protect-yourself-172552932.html

7. https://lastpass.com/Heartbleed/?h=facebook.com

8. Forbes.com “Avoiding Heartbleed Hype, What To Do To Stay Safe” (I can’t link to this for some reason but you can do a search.)

9. http://www.net-security.org/secworld.php?id=16671

10. http://www.cnbc.com/id/101569136

11. http://Heartbleed.com/

12. https://community.norton.com/t5/Norton-Protection-Blog/Heartbleed-Bug-What-You-Need-to-Know-and-Security-Tips/ba-p/1120128

13. http://online.wsj.com/news/articles/SB10001424052702303873604579493963847851346

14. Forbes.com “A Billion Smartphone Users May Be Affected by the Heartbleed Security Flaw” (I can’t link to this for some reason but you can do a search.)

15. http://Heartbleed.com/

16. http://lesswrong.com/lw/iw/positive_bias_look_into_the_dark/

17. http://lesswrong.com/lw/ih/absence_of_evidence_is_evidence_of_absence/