The Heartbleed bug, which rocked the world in April, probably won’t be the last time that Internet users discover that they have been vulnerable to an undisclosed flaw for a long time. The big question for financial advisors: what can we do to protect ourselves from the next flaw in the security of the websites we rely on?
Heartbleed, which affected large numbers of websites on the Internet, enabled any attackers who understood it to pilfer passwords, usernames and worse. Theoretically, this vulnerability could have affected not only the advisors but also their clients.
The alarming issue for advisors is that in the case of Heartbleed, there are few measures that would have saved anyone had the bug been exploited against a site they used. Ultimately, it’s difficult to protect yourself against a flaw in a website you use rather than in your own computer.
Nonetheless, there are some basic steps that you can take that may offer a measure of protection from other security bugs that will inevitably crop up in future.
The best way to deal with such a threat is to be prepared with good password management. Being ready to change passwords quickly is one way to bounce back in the event of a website being compromised. Timing matters, though: a new password sent to a server that is still vulnerable can be stolen just as easily as the old one, so wait until a site confirms it has patched the flaw and replaced its digital certificate before changing. Using a different password for each of your online accounts also helps to prevent the “domino effect,” in which one compromised password is used to access all of your accounts.
Another is to be aware of and follow basic cybersecurity principles, such as being suspicious of emailed web links purporting to point to trusted financial services institutions. Heartbleed made it possible for attackers to extract a trusted site’s private encryption key from the site’s memory and then set up a fake site that browsers would accept as the genuine one.
The real onus falls on the companies operating the websites. Even if the sites are immune, those firms have a lot to learn from Heartbleed, says Will Dormann, vulnerability analyst in the CERT division of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.
Just because companies now are patching their software to protect against this bug doesn’t mean those companies shouldn’t be vigilant, says Dormann: “Generally speaking, considering vulnerabilities to be rare, isolated occurrences is not wise.”
Defence-in-depth
The CERT division is, effectively, the U.S.’s first-response unit for cybersecurity issues, tracking newly reported vulnerabilities and the attacks that exploit them and raising the alarm when they are found.
“Understand that the software that you use does contain vulnerabilities,” Dormann says, “but have defence-in-depth measures in place to help minimize the impact of their exploitation.”
“Defence-in-depth” means layering protections across your digital infrastructure so that no single failure hands an attacker everything. Savvy organizations don’t stop at putting antivirus software on their computers: they also monitor network traffic for suspicious activity, rotate digital certificates and passwords on a regular schedule (and immediately after an incident such as Heartbleed), patch their software promptly and place firewalls at key points in their infrastructure.
Securities regulators in the financial services sector in Canada also are promoting awareness. The Office of the Superintendent of Financial Institutions (OSFI) published guidelines on cybersecurity self-assessment in October, breaking the process into six steps: organization and resources; risk and control assessment; situational awareness; threat/vulnerability risk management; cybersecurity incident management; and cybersecurity governance.
OSFI’s guidelines are voluntary, but they’re a good place to start for financial services institutions that want a health check on their internal cybersecurity controls.
The Canada Revenue Agency (CRA) became an unfortunate example of what happens when information-technology defence fails. The CRA, which had to extend the tax-filing deadline after shuttering its systems to cope with the Heartbleed bug, has revealed that 900 taxpayers’ social insurance numbers were compromised. A 19-year-old computer hacker from London, Ont., subsequently was charged in relation to that breach.
That a government agency was hit shows the severity of Heartbleed. The bug is a flaw in OpenSSL, a widely used open-source software library that implements the encryption (SSL/TLS) protecting information travelling between websites and browsers.
Lock symbol
The small “lock” symbol often seen in a corner of your browser window indicates that your browser software is encrypting its conversation with a website, and a website whose address begins with “https” rather than “http” is using that encryption. Heartbleed did not break the encryption itself; it let an attacker read the memory of the server at the other end of the encrypted connection, where the data sits unencrypted.
But the “heartbeat” is a keep-alive message, built into the encryption software, that either end of a connection can send to confirm the other end is still there. It carries a small payload and a field stating the payload’s length. In vulnerable versions of OpenSSL, the receiving end believed that stated length without checking it against what had actually been sent, and echoed back up to 64 kilobytes of whatever happened to sit next to the request in its memory. (Because heartbeats flow both ways, a malicious server could do the same to a vulnerable browser or program connecting to it.) That may not be much data, but it’s valuable stuff, potentially containing usernames, passwords and even the private key behind the digital certificate that the website uses to confirm its identity to the browser.
A malicious heartbeat looks like any other and is not normally logged, so stealing that data leaves no trace, which matters for two reasons. First, the attacker can repeat the request indefinitely, pulling a different fragment of server memory each time and gradually assembling large amounts of sensitive data. Second, no one can say with certainty who was attacked; many websites and their users may have had their credentials stolen without ever knowing.
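To make the mechanism concrete, here is an added illustration in C that is not part of the original article or of OpenSSL itself: a simplified heartbeat handler written two ways, the way vulnerable OpenSSL behaved and the way the 1.0.1g patch corrected it, run against a constructed block of “server memory” in which a made-up credential sits a few hundred bytes past the incoming request. The message layout follows the TLS heartbeat format (type, two-byte length, payload, padding), but the function names, the “ping” payload, the secret string and the flat memory buffer are assumptions for the demonstration; the real library’s data structures differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16     /* heartbeat messages carry at least 16 bytes of padding */
#define MEM_SIZE     4096   /* size of the simulated server process memory */

/* Constructed stand-in for the server's heap: the received record is placed at the
   start, and data belonging to another connection (the "secret") sits further along. */
static unsigned char server_mem[MEM_SIZE];
static const unsigned char secret[] = "user=alice&pass=hunter2";   /* constructed */

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *reply, size_t reply_cap);

/* Encode a heartbeat record: type, 2-byte big-endian payload length, payload, padding.
   declared_len goes into the header and may disagree with actual_len, which is exactly
   the lie a Heartbleed request tells. Returns the record's real length in bytes. */
static size_t build_heartbeat(unsigned char *buf, uint16_t declared_len,
                              const unsigned char *payload, size_t actual_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(declared_len >> 8);
    buf[2] = (unsigned char)(declared_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL before 1.0.1g: the payload length is read
   from the attacker-controlled header and never compared with the bytes actually
   received, so memcpy runs past the request into whatever memory follows it. */
static size_t hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                                    unsigned char *reply, size_t reply_cap)
{
    (void)rec_len;                                   /* the bug: rec_len is ignored */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t out_len = 3 + (size_t)payload_len + HB_PADDING;
    if (out_len > reply_cap) return 0;               /* reply buffer is sized for any length */
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, payload_len);         /* over-read when the header lies */
    memset(reply + 3 + payload_len, 0, HB_PADDING);  /* OpenSSL used random padding */
    return out_len;
}

/* Fixed handler, following the 1.0.1g patch: drop records too short to hold a header
   plus padding, and silently discard any whose declared length exceeds the record. */
static size_t hb_process_fixed(const unsigned char *rec, size_t rec_len,
                               unsigned char *reply, size_t reply_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return 0;  /* the missing check */
    size_t out_len = 3 + (size_t)payload_len + HB_PADDING;
    if (out_len > reply_cap) return 0;
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + 3, rec + 3, payload_len);
    memset(reply + 3 + payload_len, 0, HB_PADDING);
    return out_len;
}

/* Byte-string search (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t hay_len,
                    const unsigned char *needle, size_t needle_len)
{
    for (size_t i = 0; needle_len > 0 && i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* One heartbeat exchange against the simulated server. The real payload is the 4-byte
   "ping"; declared_len is what the header claims. Returns the reply length and sets
   *leaked if the secret stored elsewhere in server_mem came back in the reply. */
static size_t heartbeat_exchange(hb_handler handler, uint16_t declared_len, int *leaked)
{
    static unsigned char reply[3 + 65535 + HB_PADDING];
    *leaked = 0;
    if ((size_t)3 + declared_len > MEM_SIZE) return 0;   /* keep the demo inside server_mem */
    memset(server_mem, 0, sizeof server_mem);
    memcpy(server_mem + 512, secret, sizeof secret - 1); /* another user's data on the heap */
    size_t rec_len = build_heartbeat(server_mem, declared_len, (const unsigned char *)"ping", 4);
    size_t n = handler(server_mem, rec_len, reply, sizeof reply);
    *leaked = contains(reply, n, secret, sizeof secret - 1);
    return n;
}

static size_t demo_reply_len(hb_handler h, uint16_t declared_len)
{
    int leaked;
    return heartbeat_exchange(h, declared_len, &leaked);
}

static int demo_leaks_secret(hb_handler h, uint16_t declared_len)
{
    int leaked;
    heartbeat_exchange(h, declared_len, &leaked);
    return leaked;
}

int main(void)
{
    printf("honest request (declared 4):     vulnerable leaks=%d  fixed leaks=%d\n",
           demo_leaks_secret(hb_process_vulnerable, 4), demo_leaks_secret(hb_process_fixed, 4));
    printf("malicious request (declared 1024): vulnerable leaks=%d  fixed reply=%zu bytes\n",
           demo_leaks_secret(hb_process_vulnerable, 1024), demo_reply_len(hb_process_fixed, 1024));
    return 0;
}
```

Compile with `cc -Wall heartbleed_demo.c && ./a.out`. An honest request gets a 23-byte echo from both handlers. A request that claims 1,024 bytes while sending four is answered by the vulnerable handler with 1,043 bytes, including the other user’s credential that happened to be nearby in memory, while the fixed handler sends nothing back at all. In the real attack the reply travels inside the encrypted session, so the over-read is invisible to anything watching the wire, which is why it left no trace.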
How badly hit was the Canadian financial services sector? When asked, large institutions, being a conservative bunch, either refused to answer or referred to boilerplate statements affirming their client data’s safety.
For example, the statement from the Canadian Bankers Association notes: “The online banking applications of Canadian banks have not been affected by the Heartbleed bug. Canadians can continue to bank with confidence. Banks have sophisticated security systems in place to protect customers’ personal and financial information, including encryption and other measures.”
That, however, raises the question: what happens when the next major vulnerability is discovered? Vulnerabilities crop up regularly on the Internet, each seemingly scarier than the last. Heartbleed is the latest in a long line of major flaws, and it won’t be the last.
© 2014 Investment Executive. All rights reserved.