Heartbleed: What you need to know

No doubt you’ve heard about the Heartbleed bug affecting countless websites and devices over the past week. Reports of the bug are many, yet information about how it works and what you can do to protect yourself can be difficult to extract from the widespread media response. Here we’ll take a brief look at what Heartbleed is, how it works, and what you can do.

Not a virus, not a breach… so what’s in a bug?

Some of the confusion around Heartbleed is related to the semantics of computer security. If you have owned a personal computer in the last decade, you’re likely familiar with computer viruses that affect your computer’s performance by embedding themselves in your device’s operating system (e.g. Windows, OS X, etc.). Major data breaches have also made it to the front page of news outlets more frequently in recent years as hackers target user information stored online. In December 2013, Target announced a breach where millions of credit card numbers were stolen. Sony had a similar breach back in April of 2011 where over 77 million accounts were compromised.

Heartbleed is neither a virus nor a major breach. Unlike a virus, no software was written with malicious intent; and unlike a major breach, it was not a planned, organized effort to gain access to information. It is simply a flawed piece of code in OpenSSL.

SSL stands for Secure Sockets Layer, a computing protocol designed to encrypt and protect information. This technology was developed so that information could be sent and received privately, without tampering. OpenSSL is just one implementation of the SSL technology, and it can be used to protect data transmission on websites, email servers, chat servers, virtual private networks (VPNs), and more. You may notice a lock icon (see image to right) followed by https:// in your web browser’s address bar when you visit an encrypted website. The s is short for secure, and both the lock and the s signify that the connection is encrypted. Not all websites use encryption, and not all websites that do employ OpenSSL to achieve it. Still, roughly half a million websites use the OpenSSL version that is vulnerable to the Heartbleed bug, according to Netcraft’s April 2014 Web Server Survey.

What’s the danger?

So where exactly does this vulnerability occur in OpenSSL? That is as humorous as it is terrifying. Here’s the vulnerable code: “memcpy(bp, pl, payload);”

Did you catch that? Let’s look a little closer.

Heartbeat to heartbleed

Heartbeat is a term used to describe a connection check done between a server and a client. For context, imagine you are connecting to a server (e.g. a website). The client (you!) will send a heartbeat message to the website, and the website will send it back to you. This response notifies the client (again, that’s you) that the connection is still open and functional. The heartbeat message is useful because it keeps data from being transmitted over a connection that has already been lost, and it lets unnecessary connections be closed.

If you look again at the vulnerable code “memcpy(bp, pl, payload);”, that’s the heartbeat: the server copies the client’s message (pl) into its reply (bp), and payload is the length the client claims that message has. The flaw is that the server never checked the claimed length against the amount of data the client actually sent, so the payload value can be manipulated to ask servers for extra information (e.g. usernames, passwords, and other information that was supposed to stay encrypted). That means a hacker could use the common heartbeat function with a website you’ve visited in the past and exploit the Heartbleed bug to pull back extra data — data that could contain your sensitive information!
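To make that one line concrete, here is an added example that is not from the original post or from OpenSSL itself: a simplified heartbeat handler in the vulnerable shape next to one with the length check the fix introduced. The simulated heap arena, the function names and the “SESSION=secret123” value are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };
static unsigned claimed_len(const uint8_t *rec) { return ((unsigned)rec[1] << 8) | rec[2]; }

/* Vulnerable shape: `payload` is whatever the peer claimed, so memcpy reads past the real request
   into whatever follows it. `heap` simulates that memory; the guard only keeps the demo in the arena. */
int hb_respond_vulnerable(const uint8_t *heap, size_t heap_len, uint8_t *out, size_t out_cap) {
    if (heap_len < 3) return -1;
    unsigned payload = claimed_len(heap);
    if (3 + payload > heap_len || 3 + payload + HB_PADDING > out_cap) return -1; /* not a security check */
    out[0] = HB_RESPONSE; out[1] = heap[1]; out[2] = heap[2];
    memcpy(out + 3, heap + 3, payload);            /* the page's memcpy(bp, pl, payload) */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Hardened shape, modelled on the OpenSSL fix: compare the claimed length with the length of
   the record that actually arrived (rec_len) and silently drop the record on mismatch. */
int hb_respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    unsigned payload = claimed_len(rec);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;   /* the check that was missing */
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);             /* copies only bytes the peer really sent */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}
/* Constructed scenario: a request carrying 5 bytes ("hello") but claiming 40, with an unrelated value
   after it in the simulated heap. Returns 1 when the vulnerable handler echoes that value back and
   the fixed handler refuses the same record, 0 otherwise. */
int demo_leak_vs_fixed(void) {
    uint8_t heap[64] = {HB_REQUEST, 0x00, 0x28, 'h', 'e', 'l', 'l', 'o'};  /* 0x0028 = 40 claimed */
    memcpy(heap + 24, "SESSION=secret123", 17);      /* sits in memory after the 24-byte record */
    size_t rec_len = 1 + 2 + 5 + HB_PADDING;         /* bytes that actually arrived on the wire */
    uint8_t out[128];
    int n = hb_respond_vulnerable(heap, sizeof heap, out, sizeof out);
    int leaked = n == 3 + 40 + HB_PADDING && memcmp(out + 24, "SESSION=secret123", 17) == 0;
    int rejected = hb_respond_fixed(heap, rec_len, out, sizeof out) == -1;
    return leaked && rejected;
}
/* A well-formed 5-byte request is still answered by the fixed handler; returns the reply length. */
int demo_valid_request(void) {
    uint8_t rec[24] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    int n = hb_respond_fixed(rec, sizeof rec, out, sizeof out);
    return (n == 24 && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0) ? n : -1;
}
```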

The web comic XKCD came out recently with an informative — and humorous — visual take on it. Gizmodo has a far more detailed, but still very understandable, technical overview of the issue.

What should I do?

It is recommended that you change your password on affected sites after they have been patched. Changing your password does not address the underlying vulnerability, so be sure websites have implemented the fix before you make the change.

Mashable has compiled a useful “hit list” of popular sites where you can verify whether or not you should change your password. Additionally, LastPass has created a tool where you can input a website URL for vulnerability assessment.

You can also review UCSF’s Heartbleed bug information where they mention UCSF MyChart, Mail@UCSF, and MyAccess sites are not vulnerable.

Is my phone or tablet affected?

Apple released a statement last Thursday that they are not employing OpenSSL as the method of authentication for their iOS and OS X platforms, or other “key web services.” You do not need to change your Apple ID password unless you use the same password for another service that may have been compromised.

Google’s Android operating system has not employed OpenSSL since version 4.1.1, but Google web services which require login (GMail, Google Docs, etc.) were vulnerable to the bug. You should change your Google account password. Additionally, if you are running Android version 4.1.1, you should check if an update is available for your device.

So many passwords! How to keep track?

We all know the rules. Don’t use the same password twice, make them complex, and change passwords frequently. In the real world, managing so many passwords is incredibly difficult. Remembering these passwords on the go with your mobile device is that much harder.

There are, however, several password managers available that can help with this daunting task. The aforementioned LastPass is a very popular web-based password manager with free and premium options available. The premium option gives access to mobile applications at $12 a year. My personal favorite, KeePass, is an open-source application available on most platforms. You can gain mobile access to your KeePass encrypted database by hosting it in a Cloud Storage provider like Box, Dropbox, Google Drive, etc. LastPass, KeePass, and other password managers can help keep you safe by storing unique, complex passwords in a secure place.

Additional Information

The Heartbleed official site is http://heartbleed.com, and you can find some less technical information in this overview at Gawker’s Non-Geek’s Guide. WIRED also has an eye-opening review of how this happened and the lesson we should learn from it. Be safe out there, folks.

A Review of Coursera for iOS

Within the last few months, Coursera — the online education platform that offers free classes from UCSF and other top universities — released a mobile app for both iPhone and iPad (iOS 7 only). Meant to supplement, not replace, the full desktop experience at coursera.org, the app offers basic features that make it easier to keep up with Coursera classes on the go. Use the app to:

  • view and sync video lectures
  • take course quizzes and other assessments
  • view the course syllabus for your class
  • search for and enroll in other Coursera classes


BeyondPod: Podcasts for Control Freaks

BeyondPod is a popular Podcast/RSS manager for Android that, on the surface, works like you’d expect any application in this category to function. Find enjoyable podcasts, subscribe, listen, repeat. With a crowded, competitive field of podcast managers and podcatchers available for virtually every platform, BeyondPod distinguishes itself from competitors by offering users the ability to tweak and refine the individual user experience. The incredibly robust options and settings menus hiding underneath the primary user interface can be initially overwhelming, but the degree of customization offered by BeyondPod is exactly why it deserves to be on any Android user’s homescreen.


It Takes a Village: Building the NeuroExam Tutor App

The UCSF NeuroExam Tutor app seeks to solve a problem that has faced medical educators for decades: medical students are uncertain and timid when performing the neurological exam. Educators suppose that this is because of the complexity of the nervous system and the multitude of ways to investigate its functions. However, it is even more troubling that this insecurity continues into the careers of clinicians from most specialties. To address this problem, UCSF neurologists Susannah Cornes and Vanja Douglas proposed a gentle introduction to the neurological exam over the four years of medical school. This innovative approach could not have been realized without the partnerships that led to the creation of an iPad app.


App Santa is Coming to Town

If you’re an iOS user, you might want to peer into this Santa’s sack. For a limited time, several mobile app creators are offering discounts on a selection of popular apps, many of which can help with productivity and idea capture. If you have a break over the holidays, it can be a perfect time to explore a new app or two before the hectic pace resumes. Boost your effectiveness in 2014!

Docphin on Android


Looking for a tool to help you keep up with medical news and research while you’re on the go? Founded in 2010, Docphin is a free platform that personalizes the literature to make it quick and easy for you to hone in on the content from the sea of thousands of medical journals and news outlets that’s most relevant to you and your patients.

Let’s see what the Docphin experience looks like on an Android.
