Tag Archives: Security

xkcd explains the Heartbleed bug

Webcomic xkcd does an excellent job of explaining the “Heartbleed” bug:

If you know something about programming, this bug is the result of dynamic memory and a lack of bounds checking. It allows the server to return the contents of RAM that may include information like passwords, login IDs, etc. that are normally not visible externally. If you’ve recently logged in, your information could easily still be in RAM and vulnerable, but if you haven’t, it’s likely nothing of yours remains. It all depends on whether or not someone has determined that a particular server is vulnerable and exploited the bug.
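The bug in miniature, as an added example that is neither xkcd’s, this post’s, nor OpenSSL’s own code: a simplified heartbeat handler in C that trusts the peer-supplied length, beside a hardened one that checks it against the record actually received. The memory layout, record format and the “stale cookie” sitting after the request are constructed for illustration.

```c
#include <string.h>

/* Constructed stand-in for process memory: one heartbeat record followed by
 * stale data an earlier request left behind (here, another user's cookie). */
#define MEM_SIZE 64
static unsigned char mem[MEM_SIZE];

/* Simplified record layout: [type:1][payload_len:2, big-endian][payload...] */
static void build_memory(void) {
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                    /* heartbeat request */
    mem[1] = 0; mem[2] = 40;       /* peer claims a 40-byte payload... */
    memcpy(mem + 3, "ping", 4);    /* ...but actually sent only 4 bytes */
    memcpy(mem + 7, "session=secret-cookie", 21); /* stale data (constructed) */
}

/* Vulnerable handler: echoes back as many bytes as the peer *claimed* to send. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                       /* received length is never consulted */
    if (claimed > out_cap) return -1;    /* guards the destination, not the source */
    memcpy(out, rec + 3, claimed);       /* reads past the payload into stale memory */
    return (int)claimed;
}

/* Hardened handler: the claimed length must fit inside the record actually received. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - 3) return -1; /* the missing bounds check */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}

/* Feeds the 7-byte record (header + "ping") to a handler; *leaked is set if the reply carries the stale cookie. */
static int run_handler(int (*h)(const unsigned char *, size_t, unsigned char *, size_t),
                       int *leaked) {
    unsigned char out[MEM_SIZE];
    build_memory();
    int n = h(mem, 7, out, sizeof out);
    *leaked = (n >= 25 && memcmp(out + 4, "session=secret-cookie", 21) == 0);
    return n;
}
int vulnerable_reply_len(void) { int l; return run_handler(heartbeat_vulnerable, &l); }
int vulnerable_leaks(void)     { int l; run_handler(heartbeat_vulnerable, &l); return l; }
int fixed_reply_len(void)      { int l; return run_handler(heartbeat_fixed, &l); }
```

The vulnerable handler returns 40 bytes, 21 of which were never part of the request; the hardened one rejects the same record outright.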

So what should you do? First, check this list on Mashable. If there’s a site you use frequently and it’s marked as vulnerable, change your password now. Otherwise, you can probably take your time but still change it. Consider using a password manager like 1Password or LastPass to make creating and managing passwords easier. Turn on multi-factor authentication where available. Also consider a personal password expiration policy. Yes, I know it’s a pain but if you use a password manager generating a new password is painless.

Security isn’t a “set it and forget it” thing, it’s an ongoing process.

Nest’s smoke alarm stumble (and creepy capability)

I’ll be honest, I haven’t been paying much attention to the Nest smoke alarm because, like its thermostat, it solves a problem I don’t have. But a lot of people have been attracted to the devices because of their emphasis on design and user interface. After all, Google didn’t buy the company because it wanted to get into the thermostat business.

Unfortunately, in the case of the smoke alarm that emphasis might have blinded them to more practical matters. The alarm was designed to be silenced when you wave your hands underneath it, thus eliminating that annoying issue that often crops up when you’re cooking something that gives off even a little bit of smoke. But Nest forgot something pretty important: people have a tendency to wave their arms around when there’s a real fire. To their credit, they’ve temporarily halted sales while they investigate. But now here comes the creepy part.

They remotely turned off the hand waving sensing on any alarm connected to the Internet via WiFi. In other words, Nest (and now Google) has the ability to control your smoke alarm without your knowledge. Sure, this is a situation where doing so makes perfect sense, but as I’ve often said if Nest can access your smoke alarm over the Internet, someone else can as well.

NSA can bridge the air gap

You have to admit the NSA is nothing but thorough. We all know they’re grabbing data from the Internet and cell networks and while that might lead you to believe you’re safe if you’re not actually connected to a network, you’d be wrong. Very wrong. The NSA has spy devices with built-in radios that can send data from unconnected computers to listening stations miles away. While this requires physical access to the computer, once installed they are undetectable unless you’re looking for an RF signal. They claim to only be using this technology against foreign targets but at this point does anyone believe them?

The Sad Decline of ‘60 Minutes’ Continues

60 Minutes used to be on the forefront of investigative journalism. Just mentioning the name would strike fear in the hearts of anyone associated with dirty dealings. Now, with this Sunday’s thinly-disguised propaganda piece on the NSA, 60 Minutes has abandoned all pretext of being investigative.

The 2008 security hole in BGP that no one fixed is being exploited

BGP, the Border Gateway Protocol, has a flaw that was discovered in 2008 that allows attackers to reroute your data without you knowing about it. In fact, someone’s been using it to send traffic to Belarus and Iceland before sending it on to its original destination. It has to be assumed that the traffic is being copied along the way and then used for less than innocent purposes.

Our Government Has Weaponized the Internet

As part of my Information Security training, the architecture of TCP/IP and the OSI model were covered. They introduced TCP/IP (the basis of the Internet) as optimized for access, not security. Never has that been more apparent than now, with what the NSA has done with the Internet backbone via their QUANTUM program.

The second operating system hiding in every mobile phone

You may not have realized that every 3G/LTE phone runs a second operating system specifically for mobile communications. This RTOS (Real-time Operating System) is specific to the chipset running the phone and radio and for the most part has not been reviewed for security. Researchers have identified potential attacks against these subsystems but nothing widespread is known to exist at the moment.