You still aren’t safe from Heartbleed 2 weeks in
NEW YORK — In the post-Heartbleed world, assume your online communication isn’t secure unless proven otherwise.
It sounds alarmist, but it’s true. Email, social media, banking — all of it is at risk.
The Heartbleed Internet bug is particularly nasty because it’s pervasive. It affects apps, hardware and websites.
Two weeks on, companies are still moving to address the bug:
Apple didn’t release a firmware update for its AirPort routers until Tuesday. Dell’s SonicWALL app, which lets you connect to corporate networks from home, just got patched Monday. QNAP updated the firmware for its Turbo NAS data storage centers last week. Many of Cradlepoint’s 3G and 4G modems, used by businesses, weren’t patched until recently.
On April 17, there were still 150 million vulnerable apps running on Android smartphones, according to cybersecurity provider FireEye. All must be updated.
“The fallout from this is likely to continue for weeks and months to come,” said Tom Brennan, a computer security expert who developed a free add-on to the Firefox Web browser that detects if a website is vulnerable.
To be safe from Heartbleed, you need to know that everything you use to connect online is updated and fixed: smartphone apps, Wi-Fi routers, office servers, the websites you visit — and their servers too.
The risk is inherent in the complicated way the Internet works. Signing into your bank might bounce you to data centers around the globe. That’s why solving the Heartbleed problem is a herculean task that’s largely outside of your control.
All you can do is change your passwords often — all of them — and update your software to the latest version. And don’t trust any app, device, computer environment or website until those in charge specifically say they’ve patched the problem.
“At this point, the best thing the average consumer should do is simply pay close attention to vendors’ notices and apply any fixes,” said FireEye researcher Hui Xue. Then change all your passwords again.
But many companies aren’t making it easy for you to figure that out. Banks aren’t placing announcements on their website homepages to reassure customers they’re safe. Information about whether routers are vulnerable — and how to fix them — is located deep within the websites of Apple, D-Link and Netgear.
Rick Dakin, CEO of IT department auditor Coalfire, said websites should be alerting customers, and company IT departments should be informing employees about their own company’s situation.
“If you go to a website today, and they don’t have a statement on Heartbleed, I would be wary,” Dakin said.
It’s difficult to overstate the problem. Heartbleed isn’t a computer virus that automatically gets deleted by your computer’s antivirus program. It’s a flaw in the software devices use to talk to one another. And because these are all interconnected, it only takes one weak point to let hackers peek in. Even some versions of Symantec’s Norton AntiVirus software were impacted. Bryan Harris, a researcher at analytics software maker SAS, called it “a systemic issue” with a long, uphill road ahead.
So severe are the problems with OpenSSL, the encryption software that had the Heartbleed bug, that some are ditching it entirely. A Canadian computer programmer recently created another version of it, called LibreSSL, in an attempt to simplify and clean it up.
But even if everything seems patched, we’ll never know for sure, said Joe Touch, director of the Postel Center of computer research at the University of Southern California. New computer systems are often built relying on older ones which are no longer maintained.
“Like most bugs, there are some systems that will correct very quickly, some less so, some never,” he said.