A security bug (nicknamed Heartbleed) in OpenSSL, the library most internet servers use to implement SSL/TLS, has affected a large share of internet services and devices. Small Improvements runs in Google data centers that were vulnerable to Heartbleed. All SI systems had been patched by Google by Wednesday, and we reissued all our SSL certificates on Thursday. We're not aware of any actual compromise or breach, but as a precaution we reset all user passwords on Friday.
Small Improvements is hosted on a service called “Google App Engine”, and unfortunately Google App Engine was affected by the so-called Heartbleed bug. On Wednesday Google issued a statement that all systems had been secured. We had already taken a look on Tuesday, when we first learned about the problem, and did not find the SI infrastructure to be vulnerable by then.
It was good news that our service was patched early on. But replacing a certificate only helps once the old private key can no longer be read out of a still-vulnerable server, so we had to wait until Google officially announced that we were safe before we could replace our SSL certificates. That is why it took until Thursday.
Having been vulnerable doesn’t necessarily mean that anyone actually stole data from the SI systems. But due to the nature of Heartbleed it’s impossible to know: an attack leaves no trace in server logs, because the server simply answers an ordinary-looking protocol message with more bytes than it should, without crashing or raising an error. This applies to all the thousands of services affected by Heartbleed, by the way. We believe it’s unlikely that someone singled out Small Improvements specifically, but it’s entirely possible that some attackers started harvesting data from the internet in general, and that these people are now sifting through whatever they could grab.
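To make concrete why the question “did anyone read our memory?” cannot be answered from logs, here is a small Python model of the TLS heartbeat handler, added for this page; it is not code from Small Improvements or from OpenSSL. The byte arena standing in for the server heap, the neighbouring “secret” request, and the record sizes are all constructed. The length check in the patched branch mirrors the one the OpenSSL fix introduced (drop the record if the declared payload length does not fit inside what actually arrived, as RFC 6520 requires).

```python
import os
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520: at least 16 bytes of random padding after the payload


def build_heartbeat_request(claimed_len, payload):
    """Heartbeat body: type(1) | payload_length(2) | payload | padding(16).

    A well-behaved client sets claimed_len == len(payload). The bug is that the
    server believed claimed_len instead of measuring what actually arrived.
    """
    return bytes([HB_REQUEST]) + struct.pack(">H", claimed_len) + payload + os.urandom(PADDING)


def handle_heartbeat(memory, rec_off, rec_len, patched):
    """Model of the server-side heartbeat handler.

    `memory` stands in for the server process heap (constructed). The received
    record sits at memory[rec_off:rec_off + rec_len]; whatever follows it is other
    data living in the same process (session cookies, request bodies, key material).
    Returns the response body, or None when the request is dropped.
    """
    rec = memory[rec_off:rec_off + rec_len]
    if patched and 1 + 2 + PADDING > rec_len:
        return None                       # too short to even hold a header
    hbtype = rec[0]
    (payload_len,) = struct.unpack(">H", rec[1:3])
    if hbtype != HB_REQUEST:
        return None
    if patched and 1 + 2 + payload_len + PADDING > rec_len:
        return None                       # silently discard (RFC 6520 section 4)
    # Vulnerable path: copy payload_len bytes starting at the payload. With a lying
    # length this runs past the end of the record into whatever is next in memory,
    # and the result is returned inside a perfectly well-formed response.
    start = rec_off + 1 + 2
    echoed = bytes(memory[start:start + payload_len])
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + echoed + os.urandom(PADDING)


def response_payload(resp):
    """Extract the echoed payload from a heartbeat response body."""
    (n,) = struct.unpack(">H", resp[1:3])
    return resp[3:3 + n]


def simulate(patched, claimed_len):
    """Send one heartbeat carrying a 4-byte payload but declaring `claimed_len`."""
    neighbour = b"Cookie: session=9f1d2c7a; POST password=hunter2"  # constructed secret
    req = build_heartbeat_request(claimed_len, b"ping")
    # Constructed heap: the record, a small gap, a neighbouring request, free space.
    memory = bytearray(req) + bytearray(32) + bytearray(neighbour) + bytearray(4096)
    return handle_heartbeat(memory, 0, len(req), patched)


if __name__ == "__main__":
    leak = simulate(patched=False, claimed_len=1024)
    print("unpatched, claimed 1024 bytes:", response_payload(leak)[:80])
    print("patched, claimed 1024 bytes:", simulate(patched=True, claimed_len=1024))
    print("patched, honest length:", response_payload(simulate(patched=True, claimed_len=4)))
```

Run it and the unpatched branch hands back the neighbouring request, cookie and all, while the patched branch returns None for the same message and still answers an honest heartbeat normally. Nothing in either branch writes a log line, which is the whole problem.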
A key concern in data breaches is passwords, and confidential data in general. We always store passwords in hashed form (using bcrypt), and all textual content is stored encrypted with AES-256, so it’s unlikely that anyone would be able to recover this data even if it were extracted from our servers. Note, though, that Heartbleed exposed server memory rather than stored data: anything a server was processing at the moment of an attack, such as a password inside a login request or a session cookie, would have been visible in plaintext no matter how it is stored afterwards. On top of that, due to the widespread nature of Heartbleed, and the fact that many people use the same passwords across websites, we feel there is a significant risk of passwords stolen elsewhere being tried against Small Improvements accounts some time in the future. SI admins have access to a lot of confidential data, but even non-admins store quite sensitive data in SI, and we don’t want any of it to get exposed.
We first intended to prompt our users to change passwords on their own. But people have other work to do, might be on vacation, or simply won’t read our mail. So we decided to clear all SI passwords at once on behalf of users. Passwords can be set again using the “forgot password” feature, which sends a reset link by email. So while this bulk reset is slightly inconvenient for end users, it ensures that no password that was in use while Heartbleed was unpatched, whether captured from SI or from another site, will open an SI account in the future.
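What a bulk reset plus an email-driven “forgot password” flow looks like in code, as an added example written for this page rather than Small Improvements’ implementation. The in-memory user table, the email addresses and the timestamps are constructed; SI uses bcrypt, whereas this example uses PBKDF2-SHA256 only because it ships with the Python standard library. The points worth copying are that invalidation drops the stored hash outright, that only a hash of the reset token is stored, and that a token is single-use and expires.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted, iterated hash for storage (stand-in for bcrypt, see lead-in)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    if stored is None:            # account is in forced-reset state: nothing verifies
        return False
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def token_key(token):
    """Reset tokens are stored hashed, so a leaked token table is useless on its own."""
    return hashlib.sha256(token.encode()).hexdigest()


class UserStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self):
        self.users = {}          # email -> {"pw": stored hash, or None after a reset}
        self.reset_tokens = {}   # token_key -> (email, expiry timestamp)

    def add_user(self, email, password):
        self.users[email] = {"pw": hash_password(password)}

    def login(self, email, password):
        user = self.users.get(email)
        return user is not None and verify_password(password, user["pw"])

    def bulk_invalidate(self):
        """The Friday reset: every stored hash is dropped, so no old password,
        captured or reused, can log in until its owner sets a new one."""
        for user in self.users.values():
            user["pw"] = None

    def issue_reset_token(self, email, now, ttl=3600):
        """Returns the token to send by email, or None for unknown addresses
        (the caller shows the same 'check your mail' message either way)."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token_key(token)] = (email, now + ttl)
        return token

    def redeem_reset_token(self, token, new_password, now):
        entry = self.reset_tokens.pop(token_key(token), None)   # single use
        if entry is None:
            return False
        email, expires = entry
        if now > expires:
            return False
        self.users[email]["pw"] = hash_password(new_password)
        return True
```

Redeeming pops the token before checking expiry, so an expired token is gone as well, and the lookup by hash means the raw token exists only in the email that was sent.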
Next steps for SI admins
We have taken security seriously at SI right from the start of our company. We’re continuously adding internal security improvements, and have also shipped a couple of customer-facing security improvements recently. Our latest development is a 2-step verification feature (also known as 2-factor auth, or mobile token auth). It has been in private beta for a month and is now entering public beta. We’d like to encourage you to try it out (and enable it at least for administrators). You can also use IP range restrictions to limit access to SI to your company VPN. And consider raising the minimum password length for users far enough that they are effectively forced to use a password manager (and therefore have no reason to reuse passwords across sites at all anymore).
In other news, we’ve also tuned some internal security triggers to be a bit more “trigger-happy”. For instance, even a minor update of your browser (as reported by its user agent string) will now require you to log in again, since a session whose browser fingerprint suddenly changes may have been taken over. We have plenty of plans for additional internal and external improvements, and we’re very open to your suggestions too!
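The three controls described above (2-step verification, IP range restrictions, and forced re-login when the browser’s user agent changes) as they would look in code. This is an added example written for this page, not Small Improvements’ implementation. The verification code uses the standard RFC 4226/6238 algorithm that authenticator apps implement; the shared secret is the RFC 6238 test-vector key, and the CIDR ranges and user agent strings are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct

TOTP_STEP = 30  # seconds per time step, as in RFC 6238


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // TOTP_STEP, digits)


def verify_totp(secret, submitted, unix_time, last_step=-1, window=1):
    """Return the accepted time step, or None.

    Steps `window` either side of now are accepted to absorb clock skew. Steps at or
    before `last_step` (the step of the last code this user got in with) are refused,
    so a code observed once cannot be replayed inside the window. The digit compare
    is constant-time so a wrong guess does not leak which digits matched.
    """
    now_step = unix_time // TOTP_STEP
    for step in range(now_step - window, now_step + window + 1):
        if step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


def ip_allowed(client_ip, allowed_ranges):
    """IP range restriction: only addresses inside the configured CIDR ranges
    (for example the company VPN) may reach the application."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in allowed_ranges)


def ua_fingerprint(user_agent):
    return hashlib.sha256(user_agent.encode()).hexdigest()


def new_session(user, user_agent):
    """A session remembers the exact user agent it was created from."""
    return {"user": user, "ua": ua_fingerprint(user_agent)}


def session_still_valid(session, request_user_agent):
    """Any change in the user agent, even a browser point release, invalidates the
    session; the caller then sends the user back to the login page."""
    return hmac.compare_digest(session["ua"], ua_fingerprint(request_user_agent))
```

The `last_step` bookkeeping is the part most home-grown TOTP checks forget: without it a code captured over the shoulder (or from a leaked heartbeat response) still works for the rest of its window.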
Next steps for everyone
Although many vendors use very evasive language to play down the vulnerability (“all patched, all is good”), we believe this bug should be taken very seriously by everyone. Many of your passwords, both for business and for private use, may have been compromised, and may be used against you either now or some time in the future. You should reset all your passwords, starting with your most important services. We recommend keeping only your single most important password in your head, and installing a password manager today for all the others. It will allow you to use a different password on each service, which limits the impact of any future breach as well.
Details at CERT: http://www.kb.cert.org/vuls/id/720951
The Heartbleed bug website: http://heartbleed.com/
A statement from OpenSSL: https://www.openssl.org/news/secadv_20140407.txt
Heartbleed Bug explained as a cartoon: http://xkcd.com/1354/