Tuesday, April 15, 2014

Android and HeartBleed - Your Device May Be Vulnerable (so what should you do?)

Great.  Some versions of Android are also vulnerable to the HeartBleed bug.  Since I use an Android phone, I thought I better look into this.

First, I located someone else's article about this and noted that it contained too much technical detail for people who have no time for, or interest in, these computer issues.  To be fair, it was a well-written article, and I had no problem understanding it, but then, I am a geek.  In fact I have been working in the field of Information Security for the past 11 years, and in many other computer-related positions for the 19 years prior to that.  However, I also know how painful it can be for anyone who does not deal with these things every day to understand what's going on, and what they can/should do about it.

Most people don't really CARE about the details, so I will continue to try to skip details and stick to facts and reasonably easy-to-follow information. The article I read (link if you wish to read it) provided the first simple thing that Android users can do to determine whether or not they should even care - a link to a FREE App from a respectable company named Lookout that scans your device to see if it is vulnerable.

https://play.google.com/store/apps/details?id=com.lookout.heartbleeddetector

I downloaded that immediately and ran the test.  In my particular case, the device I tested did indeed have vulnerable software, but the exploitable piece of it was not enabled.*   Here is what the App displayed on my screen:

[Screenshot: Lookout Heartbleed Detector result screen]

Well, that was a slight relief.  According to the App and the author of the article I read, if the version installed is not vulnerable, OR if the vulnerable behavior is not enabled, then I should be just fine. 

But what can/should we do about things if our device really is affected?  I needed to do more research into this, because some of you may not be as fortunate as I was, and I think an article such as this is pointless if it is not helpful to others.

Let's step back just a little bit first.  The question I hear most is "what, if anything, can someone steal from my phone?  My pictures? My text messages?". Then they say "I don't have anything I care about on my phone, so who cares?" 

Well, here is what you should care about:

An attacker could quickly build a malicious website or advertisement to steal data from your phone's memory, just by your visit to the malicious site, or a site with the malicious advertisement. To which the next question I hear is:  "So what?  What's in my phone's memory that I don't know about or that is of value to anyone else?"

Well, if you happen to be using that smart phone of yours to browse the Internet, and that browser has other tabs open to a banking site, Facebook, other financial sites, and you also browse to that malicious site, or a site with that malicious advertisement within another browser tab, the attacker could take data from any of the other tabs that are open.  I won't go into the details of "how" they can do this, but please trust me when I say that they can.  I have had enough experience with hacking tools to know this to be true.

They "may" also be able to steal data from your phone's memory by visiting JUST their site, because your phone tends to keep this information in memory to help you access email, Facebook, and other applications without forcing you to re-enter your password every time.  They won't necessarily be able to steal a whole document, picture, or other file from your phone, but they can easily steal your ID and password from any of those other sites by accessing your phone's memory.  Once they have your ID and password(s), it's game over.

What to do if your Android device is vulnerable:

Further research has revealed to me that a patch has been created by Google, but each Carrier/phone maker needs to test it and make sure it works on their devices before pushing it out to our phones.  As a result, it will take a fair amount of time for this new software to get out to the several million phones that are affected.  In fact, some phones may never be able to be upgraded to the version Google claims is not affected because they are simply not capable of running that version due to design limitations.

Sounds pretty gloomy, I know.  However, here are a few things that come to mind that you can do to reduce the risks of continuing to use your Android devices. This does NOT eliminate all risk, but it is less risky and something you can do while waiting for the patched software.
  1. Restrict yourself to running only one App at a time.  Android allows us to run multiple applications at the same time, which can be quite handy.  However, that also means the data for each is loaded into memory, which makes it more vulnerable to exposure by this HeartBleed bug.  To reduce this risk you should restrict yourself to running only one App at a time.  The problem is that every time you open an App, the previous App you had open remains open in the background.  Fortunately, Android allows us to close any one or more Apps we no longer want to keep running.  I won't spell out how to do this for every Android device, but here is a link to an article that does a pretty good job of explaining how to do this with several popular models:  http://blog.laptopmag.com/how-to-close-android-apps  My Samsung Galaxy phone simply requires that I hold down the center menu button and a list of running Apps will appear so I can close them.
  2. Browse only one website at a time.  In other words, when finished with one site, close that site completely before browsing any other site.  If you happen to hit a malicious site, at least it won't be able to access information from other open sites because they will no longer be in the phone's memory.
  3. Avoid using Android VPN client software unless/until it is patched.  If you happen to use your phone to connect to your work network, or some other secure site using a Virtual Private Network (VPN) App, you should look for a patched version because many of these were built using the vulnerable code.  OpenVPN would definitely fit into this category, but I'm sure there are many others that make use of the encryption software that is vulnerable.

* Just FYI: the exploitable piece is the "Heartbeat" feature that was added 2 years ago which can be manipulated by an attacker to expose sensitive data; hence the nickname of Heart "Bleed" for this bug.


Sunday, April 13, 2014

How I Dealt With Heart Bleed Password Changes

You will notice, if you have done any research at all about this HeartBleed issue, that from an end user’s point of view, “almost” everyone recommends changing your passwords.  I say “almost” because there are a few articles out there recommending that you don’t change your passwords; at least not immediately.  There is good reason for them to recommend that you delay the password change.  This is because the site for which you change your password may not yet have been patched.  If that is the case, then changing the password before it is patched means you will need to go back and change it again later because the risk of it being exposed is still there.

So, what should you do? Change it, or don’t change it?  Below are my recommendations for dealing with this HeartBleed/Password dilemma in as logical a way as I can dream up.  I hope it helps.  I also recommend that you read my other post regarding password management.

My suggested approach for changing passwords in the wake of the HeartBleed bug:
1) I changed my personal email password FIRST, because many password reset methods for various websites use it when you “forget” your password for their website.  Hackers know this, and so if they can get your email password, they can proceed to change passwords at your financial sites if they wish.  This is why I always recommend you choose a unique strong password for your email that you DO NOT use anywhere else.
a. First, I tested the URL associated with my personal email account (I happen to use Gmail) for the HeartBleed vulnerability.  I went to the HeartBleed test site http://filippo.io/Heartbleed/ and entered the Gmail URL ( mail.google.com ) and was informed that the site is not affected by the vulnerability.  Good. That means it is now safe to log in and change my password.  So that’s exactly what I did.  I opened my password manager (KeePass) and edited my email account entry.  I had the KeePass password management application auto-generate a new strong password for me and saved the entry.  I accessed my Gmail account profile, and updated it with this new password.
b. If, like me, your smartphone uses this primary email account (I use Android, which uses Gmail for MANY things) you need to shut down the email application on the phone, restart it, and enter the new password.  This can be done through the application manager settings, or more simply by rebooting your phone.  I don’t have an iPhone, but I imagine the process is similar.

2) I organize my passwords into groups/categories within KeePass such as “Credit Card Accounts”, “Billing Accounts” (like phone company, electric company, water company, etc.), “Social Media Accounts”, etc. I tend to have a different password for every site.  As a result, if any single one is compromised, only that site is affected (unless my email password gets hacked).
a. For each of these, perform the same test for the HeartBleed vulnerability at http://filippo.io/Heartbleed/ BEFORE logging into any of the sites.
b. If the test indicates they are OK, then I go in and change my password.  If not, then I can either
   i. Change the password now to something I won’t use anywhere else, and change it again later when it is OK, or
   ii. Avoid using the site until the test comes back OK and I can safely change the password.

Dealing with this bug is going to take companies a long time in some cases because they have so many servers to fix.  The key is to remain calm and patient, and to stay aware of what’s happening with your financial accounts.

One last comment:  PLEASE do not ever use the same password(s) you use at work for any of your personal accounts.

Managing Passwords for All Those Sites

I have a pretty good memory, but it’s short. I have about a hundred login IDs and passwords, and there is no way I can memorize them all.   That’s why I manage them all with a secure Password Management application called KeePass (http://keepass.info/index.html ).  

NOTE: KeePass is just one of many password management applications available.  You may certainly choose one that you feel suits your needs best.  I have found KeePass meets all of mine. 

The password management application allows me to have different IDs and strong passwords for different sites without memorizing them all.  I only need to remember ONE unique, strong password that I used to encrypt the password file.  KeePass (and most other password managers) includes a feature that will auto-generate a strong password so I don’t have to be creative on my own while choosing strong passwords. A strong password would be one that is at least 8 characters long with a mixture of at least one character from 3 of the 4 character types - uppercase, lowercase, numbers, and special characters.
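The rule just stated (at least 8 characters, with at least one character from 3 of the 4 classes) is easy to turn into code, and doing so shows what a password manager's generator has to get right. The following Python script is an added example, not from the post and not KeePass's own code: it checks a candidate against that rule, explains why a candidate fails, and generates passwords that satisfy it from the operating system's secure random source. Which characters count as "special" is an assumption (the post does not list them), so string.punctuation is used.

```python
import secrets
import string

# Policy as stated in the post: at least 8 characters, and at least one
# character from 3 of the 4 classes (uppercase, lowercase, numbers, special).
MIN_LENGTH = 8
REQUIRED_CLASSES = 3

# Which characters count as "special" is an assumption (the post does not
# enumerate them); string.punctuation is used here.
CHARACTER_CLASSES = {
    "uppercase": frozenset(string.ascii_uppercase),
    "lowercase": frozenset(string.ascii_lowercase),
    "numbers": frozenset(string.digits),
    "special": frozenset(string.punctuation),
}

# Full alphabet a generated password may draw from.
ALPHABET = "".join(sorted(set().union(*CHARACTER_CLASSES.values())))


def classes_present(password):
    """Return the names of the character classes that appear in password."""
    return {
        name for name, chars in CHARACTER_CLASSES.items()
        if any(ch in chars for ch in password)
    }


def is_strong(password):
    """True if password meets the length and 3-of-4 class requirements."""
    return (len(password) >= MIN_LENGTH
            and len(classes_present(password)) >= REQUIRED_CLASSES)


def why_weak(password):
    """Human-readable reasons a password fails the policy (empty if it passes)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    present = classes_present(password)
    if len(present) < REQUIRED_CLASSES:
        missing = sorted(set(CHARACTER_CLASSES) - present)
        reasons.append(f"only {len(present)} of {REQUIRED_CLASSES} required "
                       f"character classes (missing: {', '.join(missing)})")
    return reasons


def generate_password(length=16):
    """Generate a random password that satisfies is_strong().

    Uses the secrets module (the OS CSPRNG) and rejection sampling: every
    character is drawn uniformly from ALPHABET, and a candidate that happens
    to miss the class requirement is discarded and redrawn.  Forcing one
    character of each class into fixed positions would bias the output.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample passwords to exercise the checker.
    for sample in ("password", "Passw0rd", "Tr0ub4dor&3"):
        verdict = "strong" if is_strong(sample) else "weak"
        print(f"{sample!r}: {verdict} {why_weak(sample)}")
    print("generated:", generate_password())
```

Note that the policy is a floor, not a measure of strength: "Passw0rd" passes it but is a well-known dictionary pattern, which is why the post's advice is to let the manager generate passwords rather than invent them.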

Some people argue that having a different strong password for every site is too many to remember, and I agree, but using the same password for everything means that once that password is exposed, everything is exposed.  That’s why I use the password manager, and it’s also why I save the encrypted password file that the application generates in a folder that is synced with the cloud (Dropbox, Box, whatever) so I can access that encrypted password file from any of my devices that will run the KeePass application (which is pretty much anything).

If you don’t want a different strong password for every site, then perhaps you should break them down into categories so you have fewer to manage.  Your tolerance for risk is what will determine how comfortable you are with this approach.  I still highly recommend a unique and strong password for each site that contains, or has access to any of your sensitive data such as credit card numbers, bank account numbers, health information, etc. Here are some suggestions:

1) Email – password must be strong and not used anywhere else because many sites use your email to provide you with a way to generate a new password if you forget one for some reason (with a password manager, that should be a thing of the past). This means if an attacker gets your email password, she/he basically has control over ALL your online accounts.
2) Online Bank – password must be strong and not used anywhere else.
3) PayPal – password must be strong and not used anywhere else (PayPal has access to your bank account or credit cards, so you want to protect it well).
4) Online Credit Card Accounts – EACH site password must be strong and not used anywhere else UNLESS the site offers what is commonly referred to as two-factor authentication AND you use it.  This usually takes the form of the site sending a special code via text or email that you must enter after you have entered your password.  It helps protect you even when your password is compromised, because an attacker cannot log in with your password without also having access to your phone or email account to obtain that second piece of information the site requires.
5) eCommerce/shopping (Amazon, eBay, any online store) sites – if you do NOT store your credit card number at the site, you can choose one strong password that is not used by any other category, and use it for each of your shopping sites.  However, if you store a credit card number at the site for quicker online purchasing convenience, then select a unique strong password not used anywhere else for each site.  Storing your credit card information on any shopping site increases the risk of that card number being stolen, so, despite the convenience, I do not recommend this practice.
6) Household Billing Accounts (electric, gas, water, other auto-pay accounts) – choose one strong password for EACH site that is not used by any other category/site.  Like PayPal, you usually store a credit card number and/or a bank account and routing number at each site so they can receive automatic payments, which increases the risk of that card or bank number being stolen.
7) Social Media (Facebook, Twitter, Instagram, Pinterest, etc.) sites could share the same password if you like, but remember that each site collects and saves personal information about you such as phone, email address, home address, where you attended school, birth date, and photos of you, which tend to contain hidden geo-location data in them these days (think GPS data used by navigation systems) so somebody can examine the photos and determine exactly where you were when the picture was taken.  Of course, this does not apply to photos that have been scanned from physical prints, so maybe Throw Back Thursday pictures might be exempt :-)
8) Misc (news sites, blog sites, forums, etc.) sites – these are sites where you don’t share credit card, SSN, or other private personal information.  For these sites you could have one password you use for all as there is very little at risk (other than your reputation on a Forum if somebody impersonates you ;-) )

As you can see, based upon the sample categories listed above, without taking added risk you really can’t reduce the number of unique passwords to just a few that you can easily memorize.
Again, I have a pretty good memory, but it’s short. This is why I personally use a secure password manager to augment that memory.


Friday, April 11, 2014

HeartBleed in a Nutshell

The news about HeartBleed is all over the media.  Advice is coming from many sources and includes many different approaches to dealing with it, and the explanations about what it is and how it affects you are confusing.   This is my attempt to help make things as clear as possible for end users; not system administrators who are busy fixing their servers.

What is it?

There is a bug in the computer code that we all rely upon to provide secure, encrypted connections between our computing devices and various websites so that the information we send and receive cannot be seen/read by anyone else. This newly-discovered bug in that software makes it possible for other people to “read” your usernames, passwords, credit card numbers, SSN’s, and anything else you have typed in to a website that uses this encryption code.  This is a VERY serious problem.

What should I do?

First, assume ALL websites you visit, or have visited in the past 2 years have been affected by this bug.  The site owners may claim that they are not affected as of today, but they may have been affected until recently.  If they were affected, and fixed it, then anything you entered in their site for the past 2 years has been vulnerable to exposure.
Click on the little lock icon in your web browser and examine the website certificate for the date it was issued.

·  Internet Explorer:
   o  Click the View certificate link
   o  Make note of the Valid From date

·  Firefox:
   o  Click the More Information button
   o  Click the View Certificate button
   o  Make note of the Issued On date

·  If the date issued is 4/7/2014 or later, then the site was probably vulnerable, but they have most likely fixed it.  CHANGE YOUR PASSWORD for this site, and MONITOR any credit cards, banking statements, etc. for unusual activity.

·  If the date issued is earlier than 4/7/2014, check to see if the site is vulnerable (see below) before logging into it.
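For anyone who would rather script the certificate-date check above than click through browser dialogs for every site, here is an added Python example; it is not part of the original post. It reads the Valid From / notBefore field in the form Python's ssl module reports it and applies the post's 4/7/2014 rule. fetch_not_before() connects to a live site, while parse_cert_date() and advise() work on the date string alone, so they can be exercised offline; the sample date strings in the script are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Date from the post above: a certificate issued on or after 4/7/2014 was
# most likely reissued after the site was patched.
PATCH_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_cert_date(cert_time):
    """Turn a notBefore/notAfter string as ssl.getpeercert() reports it
    (for example 'Apr  8 12:00:00 2014 GMT') into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time),
                                  tz=timezone.utc)


def advise(not_before):
    """Apply the post's rule to a certificate's Valid From / notBefore value.

    Returns one of:
      'change-password'     issued on/after the patch date: the site was
                            probably vulnerable and has most likely been
                            fixed, so change the password and monitor
                            statements for unusual activity.
      'check-before-login'  issued earlier: check whether the site is still
                            vulnerable before logging in.
    """
    issued = parse_cert_date(not_before)
    return "change-password" if issued >= PATCH_DATE else "check-before-login"


def fetch_not_before(host, port=443, timeout=5.0):
    """Connect to a live site and return its certificate's notBefore string.

    The default context verifies the certificate chain and hostname;
    getpeercert() only fills in the dictionary for a verified certificate,
    so an unverifiable one raises ssl.SSLError here instead of silently
    returning an empty dict.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    import sys
    # Constructed sample values in the exact format the ssl module uses.
    for sample in ("Mar 13 00:00:00 2014 GMT", "Apr  8 09:15:42 2014 GMT"):
        print(f"{sample}: {advise(sample)}")
    # Optional live check: run this file with a hostname as its argument.
    if len(sys.argv) > 1:
        host = sys.argv[1]
        not_before = fetch_not_before(host)
        print(f"{host}: issued {not_before} -> {advise(not_before)}")
```

As the post says, the date is only a "probably": a certificate can be reissued without the old private key having been exposed, and a site can be patched without reissuing its certificate at all, so the vulnerability test sites described below remain the way to confirm whether a site is still affected before you log in.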


Check to see if a site is vulnerable:

·  There are several sites that offer free checks to let you know if a site is vulnerable or not.
·  Each of these sites allows you to enter the website address and will report back whether they believe it is vulnerable or not.  Be advised that these sites are pretty busy right now due to high traffic volumes.
·  IF a site is found to be vulnerable, you have a couple of choices:
   o  Do not access the site until you can verify that it has been fixed
   o  Change your password for that site to something OTHER than any password you use elsewhere.  NOTE:  If you choose this option, you will need to change this password AGAIN as soon as the site is no longer vulnerable.

Bottom line:

·  Change your passwords and DO NOT use the same password on every site.  See my other post about Managing Passwords.
   o  Use a (local; not cloud-based) password vault application to store all your passwords and user IDs so you don’t have to memorize them all.  KeePass is a good choice.  There are many others as well.  You just need to memorize one good, strong password for the vault.  Also, to make it easy to get at your passwords, you can place the password vault file in a file sync application such as Box, Dropbox, SugarSync, etc., and then you can access your password file from all of your devices.

·  Make your email password(s) very strong, and DO NOT use it/them anywhere else.
   o  Why?  Because many sites, like banks, will allow you to create a new password if you forget yours by sending something to your email that you must follow up on so they can “verify” you are the real person.  If someone hacks your email, they can reset all your financial site passwords pretty quickly.

·  Monitor your financial statements (bank accounts, credit cards) for suspicious activity, and if you detect any, report it immediately.