April 10, 2014

You should change your Internet banking passwords *now*

Naturally at 1300 Web Pro we keep a close eye on Internet security advisories. At 5AM yesterday I read about the scariest vulnerability I have ever seen. I am writing to you this evening to explain, in laymans terms, what this "Heartbleed" security issue is all about and what you (definitely, as a matter of priority) need to do about it.

Background

A webserver is a specialised computer that sits on the Internet waiting to exchange information with a website visitor. When you pull up Internet Explorer and type in www.1300webpro.com.au, our webserver gives you a bunch of text, images and other information that collectively form our “website.”

When visiting a website that requires you transmit sensitive information, such as an Internet banking portal or online shop, your browser enters a secure browsing mode. You may have seen a padlock icon or green bar appear when using these types of websites. In this secure mode, your credit card details and login passwords are encrypted and become illegible gobbolygook to anyone that cares to look. Only the owner of the website possesses the ability to decrypt this gobbolygook back into your credit card number or password.

At least that’s the way it’s supposed to work

Two years ago, a routine upgrade was released for a piece of software that is run on many, many webservers that handles the encryption and decryption of sensitive information. Unbeknownst to anyone, that upgrade contained a bug – an error in the programming code – that has only very recently been discovered.

This bug makes it possible for ‘bad guys’ to decrypt the illegible gobbolygook that is being transmitted between your PC and a secure website and read it in plain text. It’s that simple, and it is very scary.

The good news

Needless to say, people that write the vulnerable code had a fix available very quickly. In fact, as the vulnerability was discovered by security researchers at Google, the fix was prepared before the vulnerability was even made public. Operators of Internet sites, like 1300 Web Pro, also acted quickly to identify any at risk servers and apply the fix to them. At 5AM yesterday when I heard about the issue, Google had already fixed their servers (which had been vulnerable). Yahoo had not fixed theirs when I originally checked yesterday AM, but by close of business they had caught up. All of the major Australian banks appeared to be protected early yesterday.

The bad news

Unfortunately the bad news far outweighs the good.

1) This issue has existed for more than two years. Google’s internal security team identified and announced it. What we don’t know, and probably never will, is whether ‘bad guys’ discovered this issue first and have been quietly stealing our passwords for years.

2) This issue is extremely simple to exploit. Most security vulnerabilities require a reasonably high level of technical competency. This one doesn’t.

3) This issue doesn’t have any limiting pre-conditions. Often the ‘bad guys’ need to know something about the network they are targeting, need some initial access to the network or system they are targeting, et cetera. In this case, they don’t.

4) Most of the time, a ‘bad guy’ exploiting a security vulnerability leaves tracks. In hindsight, we can see they have been there. In this case, they can safely observe from afar without leaving any sort of trace.

5) Applying the fix isn’t adequate to protect users of webservers that were vulnerable. Additional steps must be taken, such as reissuing the digital keys that unlock the gobbolygook. I expect that whilst lots of system administrators are being proactive (like we are), that there are also many system administrators that are not being proactive.

What you need to do

1) You need to change the passwords for your Internet banking sites, and any other websites you wouldn’t like some ‘bad guys’ to access and impersonate you.

A good rule is to use a different password for Internet banking than for any other websites. If you use the same password for your Commonwealth Netbank as you do for Facebook, if your Facebook password is compromised then, ipso facto, your Commonwealth Netbank password is too – even if Commonwealth didn’t have a problem to begin with. Always use a different password for Internet banking that you don’t use anywhere else. Systems like Lastpass make it easy to use a different password for every website you use and are a great option.

2) Monitor all of your Internet banking carefully and be on the lookout for any unauthorised transactions.

Not too hard, right?

Were sites hosted by 1300 Web Pro vulnerable?

Prior to applying system updates, we tested our systems and did not detect any issues. We also found that the versions of the relevant software running on our servers were not affected. We have no reason to believe our systems were affected.

However, we have undertaken a number of precautions to be safe including applying software updates and re-issuing digital certificates. We will be watching the situation carefully.

We do note that customers who have used the same password they use at our websites at an affected website may be compromised through that password.

Summing up

Simply put: the Internet has suffered a terrible security breach. The only way to protect yourself is to change your passwords and use dedicated, highly secure passwords for critical sites like Internet banking.

James Deck
1300 Web Pro
Phone: 1300 932 776
Web: www.1300webpro.com.au
Facebook: faecbook.com/1300WebPro

No comments:

Post a Comment

We'd love to hear from you. Please leave your comments, topic requests, and questions.