Have you heard of the Heartbleed bug? It’s something that everyone with yacht computers, and in fact everyone who uses any website that requires a password, should know about.
But promise me one thing: after reading this article and links to other sources, act on your new knowledge and change your affected passwords. Your attention to the Heartbleed bug now may save you lots of time and headaches in the future.
What is the Heartbleed bug?
The Wikipedia Heartbleed page says it best:
"Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed.
At that time, some 17 percent (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug "catastrophic". Forbes cybersecurity columnist Joseph Steinberg wrote, "Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."
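To make the "missing bounds check" in that quote concrete, here is an added example in C (written for this article; it is not code from the article, from Wikipedia, or from OpenSSL itself) of a simplified TLS heartbeat handler that applies the check the April 2014 fix introduced. The message layout follows RFC 6520; the two sample requests are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): 1-byte type, 2-byte payload length,
 * the payload, then at least 16 bytes of padding.  The record length
 * comes from the TLS record layer, not from the peer's length field. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Returns 1 if the claimed payload length fits inside the record that was
 * actually received.  This is the check that was missing before the fix:
 * the old code trusted the 2-byte length field and copied that many bytes
 * from memory, reading far past the end of the short record it was sent. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return 0;                               /* too short to be valid */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Accept only if 1 + 2 + payload + 16 fits in what we received. */
    return (size_t)HB_HDR_LEN + payload_len + HB_MIN_PADDING <= rec_len;
}

/* Builds the heartbeat response (type 2, payload echoed back) into out.
 * Returns bytes written, or -1 if the request fails the bounds check.
 * The caller must provide an out buffer of at least rec_len bytes. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (!heartbeat_length_ok(rec, rec_len))
        return -1;                              /* silently drop it */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = 2;                                 /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    /* Real implementations use random padding; this example zero-fills. */
    memset(out + HB_HDR_LEN + payload_len, 0, HB_MIN_PADDING);
    return HB_HDR_LEN + payload_len + HB_MIN_PADDING;
}

/* Constructed sample: an honest request carrying a 5-byte payload ... */
static const uint8_t honest_req[1 + 2 + 5 + 16] =
    { 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* ... and a malformed one whose length field claims 65535 bytes while the
 * record itself is still only 24 bytes long.  The check rejects it. */
static const uint8_t lying_req[1 + 2 + 5 + 16] =
    { 1, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };
```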
What can you do to protect your yacht computers from Heartbleed?
My friend Doug Greenwood, creator of the excellent North Tahoe Computer Coalition Facebook page, posted this information about the Heartbleed bug, along with useful links, on April 9, 2014:
The bug was discovered by Google's security team and announced yesterday, and they are saying this bug has been around for 2 years!
Good news is the fix to the encryption software is available, and many sites are starting to apply the patch. Changing passwords will be very important. However, you need to be sure the websites have applied the fix before changing your password, i.e., they need to announce that the fix has been implemented. Then you must update your password.
OK, so this is important. As Doug says, you need to make changes in this order:
1. Make sure the websites you use have applied the fix.
2. Change your passwords.
The order is important because if you change a password BEFORE a website is fixed, you’ll just need to go back and change it again after the fix is made. And since creating, recording, organizing and recalling new passwords once is such a hassle, don’t make yourself do it twice for each website.
Doug also posted a link to this Mashable article, The Heartbleed Hit List: The Passwords You Need to Change Right Now. Go through it to check if the websites you use are on the list. Look for the green checkmarks in the "Do you need to change your password?" column.
How should I create and manage new passwords after Heartbleed?
For advice on creating strong new passwords, read my post from a few months ago, How Hackable Are Your Vessel Computer Passwords? It contains an embedded video on how to create hard-to-hack passwords for your websites.
But how can you manage your passwords once they are created? Andy Levy, Great Circle Systems’ Chief Technical Officer, uses a website called LastPass.com to manage his many passwords. Andy likes it because “LastPass keeps track of all my passwords—I just need to remember my LastPass password. It lets me choose the level of security I want to apply. And I use the site’s password generator so they are difficult to hack.”
LastPass offers a free password management service. Or for $12/year, you can get LastPass 3.0 Premium. “The only thing I worry about now,” says Andy, “is ‘What if LastPass gets hacked?’ But at some point, you’ve got to just move on and trust that your passwords are in reliable hands.”
Of course, there are many other free and paid password managers out there. And there’s always the option of using a pen and paper to manage your passwords. In fact, I recently heard a computer security expert describe her low-tech method of managing her passwords. She simply keeps the passwords written on a piece of paper in her wallet. She figures that if her wallet is stolen and someone reads the bit of paper, they won’t know what sites they are connected to, anyway. And keeping her list of passwords offline in her wallet “vault” gives her peace of mind.
Is my Android device safe from Heartbleed?
As I'm writing this article, this story has arrived in my email inbox from the Huffington Post: Heartbleed Bug Puts Millions Of Android Devices At Risk. The article says:
Numerous devices running older versions of Google’s Android operating system may be at risk of the high-profile bug, according to Marc Rogers, a security expert at the mobile security firm Lookout.
Rogers told The Huffington Post that people using Android version 4.1.1 should avoid sensitive transactions on their mobile devices because a hacker could exploit the Heartbleed bug to steal their data.
“The whole device is vulnerable, so you should be cautious about the kind of sites you use,” Rogers said in an interview. “I’d be cautious about doing banking on your phone.”
The article provides a link to the free Heartbleed Detector App from Lookout, which you can use to check whether your Android device is running an operating system that is vulnerable to the Heartbleed bug. I tried it and found that my phone is "affected, but not vulnerable." According to Lookout, that means that although my phone has a vulnerable OpenSSL version, the feature where the Heartbleed bug lives (the heartbeat extension) is not turned on, so the bug can't affect my phone. Read more on the Heartbleed Detector FAQ page.
So now that you are up to date on the Heartbleed bug, please tend to your passwords and Android devices NOW!
Would you like to have a vessel technology expert assess your computer and communication systems and make recommendations? Click here.
Great Circle Systems was founded by Scott Strand and Andy Levy in 1999. Scott and Andy are uniquely qualified to serve the luxury yacht industry, combining extensive software development and network system integration experience with many years of hands-on yachting experience. Over the years, Scott and Andy have assembled a team of experienced and skilled yacht engineers and network specialists. Together, the company has built an impressive array of products and services to assist in the construction and operation of vessels 30 meters and larger. These products include Triton Administrator yacht management software and the NAS3000 Internet management appliance. GCS has provided IT solutions for many of the most beautiful yachts in the world, including M/Y Cakewalk V, M/Y Lady Sheridan, M/Y Jemasa, M/Y "A" and M/Y Katara.