Traenk offers a friendly reminder that this is the shape of things to come...
There are a lot of Heartbleed articles. What should YOU do? If you are concerned about Heartbleed and worried by all of the vague articles giving, at times, conflicting advice, how do you decide what to do?
It's too late.
Is Heartbleed the worst of all possible exploits? I don't know. Research the vulnerability history for OpenSSL at the Open Source Vulnerability DataBase (OSVDB.org). This is not the first time both the libraries and the cryptography generation tool have had exploitable vulnerabilities. And research your favorite website and what attacks it has survived. Now go to the next step: research the LAMP architecture and past exploitations done with it.
Heartbleed is just one of so many security problems dogging eCommerce. Today, it's Heartbleed. Tomorrow, it will be a total compromise of a strategic PKI's CA and Root certificate. The day after? We'll hear about another successful compromise of a big company with which you do a lot of business.
And you're wondering what to do about Heartbleed ONLY? Tommy Lee Jones said it best, "There's always an alien battle cruiser or a Korilian death ray" [Men in Black]. There's always a security calamity somewhere. What matters most in times of exploited systems are Basics, Security Basics.
1. Count on the information to be vague, contradictory, hyperbolic, and quizzical in the first hours after a big exploit's announcement, with little explanation for the recommendations and even less actual data.
2. What exactly are you going to do? What can you do?
What do you control at many websites? Your password(s), your challenge questions, and the enabling of your account (and ID name). Understand? Most sites tell you to change your password. Is that enough? No. Who else but Traenk warns you about your challenge questions and guarding that they're not compromised?
Here's another bit of advice you only get from me, on this blog: IF an email account is used as part of password change verifications OR receives mailed reminders that print your password for another site--Wham! You will need to change the password at many more systems, even if other bloggers claim a website is invulnerable to the Heartbleed exploit. Testing, schmesting, it's the inter-relationships that count most.
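To make the inter-relationship point concrete, here is an added example (not from the original post) that models accounts as a reset graph: an edge from A to B means whoever controls A can reset, or read from a mailed reminder, the password of B. The account names and dependencies are constructed for illustration; a walk from the one exposed account lists every password that must change, including sites that were never vulnerable themselves.

```python
from collections import deque

# Constructed sample data (not from the post): an edge A -> B means that
# whoever controls account A can reset, or read from a mailed reminder,
# the password of account B.  Self-contained; no network access.
RESET_DEPENDENCIES = {
    "webmail.example": ["bank.example", "shop.example", "forum.example"],
    "forum.example": ["wiki.example"],  # forum address used for wiki resets
    "bank.example": [],
    "shop.example": [],
    "wiki.example": [],
    "unrelated.example": [],
}


def accounts_to_rotate(compromised, deps):
    """Return every account whose password must change once `compromised`
    is exposed, in an order that closes the upstream account first.

    Breadth-first walk over the reset graph: an account is listed after the
    account that can reset it, so rotating in list order never leaves a
    freshly changed password behind a still-compromised reset path.
    """
    order = []
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        account = queue.popleft()
        order.append(account)
        for dependent in deps.get(account, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return order


def unaffected(compromised, deps):
    """Accounts that need no change because no reset path reaches them."""
    reached = set(accounts_to_rotate(compromised, deps))
    return sorted(set(deps) - reached)


if __name__ == "__main__":
    # Scenario: the webmail provider was running a vulnerable OpenSSL.
    for account in accounts_to_rotate("webmail.example", RESET_DEPENDENCIES):
        print("rotate:", account)
    print("no action:", unaffected("webmail.example", RESET_DEPENDENCIES))
```

Note that bank.example appears in the rotation list even though it is not the exposed site; that is exactly the case the paragraph above warns about.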
3. You need to do two very important things:
It's too late.
The time to be patching OpenSSL started long ago. The date for varying and tracking several strong passwords was twenty years ago, roughly at Internet birth. And if your security plan and response weren't activated by the Target hack, what more do you need? Heartbleed-like impacts to your security are only increasing.
Meanwhile, how does such an obvious flaw make it into OpenSSL, where it remains for years? That's the response I'm interested in.