The document discusses the Heartbleed vulnerability and explains how password management tools like LastPass can help improve online security. It describes what the Heartbleed bug is, how it allows theft of sensitive information, and why unique, strong passwords are important to prevent attacks. The bulk of the document demonstrates how to set up a LastPass account and vault, generate secure passwords, organize accounts into folders, and access passwords across devices for a more secure digital life.
1. Technology Training
Special Training - Session #13
Heartbleed Explained
Getting Your Digital Security in Order with LastPass
May 8, 2014
William Mann, Borough of West Chester - CIO
3. What is Heartbleed?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
SSL = Secure Sockets Layer
TLS = Transport Layer Security
4. What is Heartbleed?
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
5. What is Heartbleed?
With a Heartbleed-vulnerable server, information like you see here can be captured by an attacker. This may not look like much, but if your logon or account information is exposed in this way, your data is at risk.
6. What is Heartbleed?
Why is it called the Heartbleed Bug?
The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520).
When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
7. Explaining Heartbleed
First the girl asks the server to indicate whether it’s still online by telling it to say “Potato,” and indicates the length of the word. The server responds with “Potato,” while withholding all of the information surrounding “Potato,” written out in a lighter hue in the server’s speech bubbles.
The hacker then asks the server to repeat the same task, but instead replaces “Potato” with “Bird,” and indicates the length of the word. The server complies.
Then, the hacker asks the server to say “Hat,” but instead of noting that it’s a three-character word, she states that it’s 500 letters long. The server responds not only by saying “Hat,” but also by leaking out the information around the word. By doing so, it reveals sensitive server information, including a “master key,” which the hacker begins to jot down.
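The length mismatch described on the last two slides, written out as a small Python simulation (an added example, not part of the presentation and not OpenSSL code). The heartbeat records and the "adjacent memory" are constructed in the code; the fixed handler mirrors the bounds test that OpenSSL 1.0.1g added, and RFC 6520's rule that a heartbeat whose payload_length does not fit must be silently discarded.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Heartbeat request body: type (1 byte) | payload_length (2 bytes) | payload | padding.
    claimed_length lets the caller state a payload_length that does not match the payload
    (the slide's 'Hat is 500 letters long' case)."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_handler(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trusts payload_length and copies that many bytes starting at
    the payload offset. The record buffer is only as long as the record, so the copy runs
    on into whatever follows it in memory (constructed here as adjacent_memory)."""
    _, payload_length = struct.unpack("!BH", record[:3])
    heap = record + adjacent_memory
    return heap[3:3 + payload_length]


def fixed_handler(record: bytes) -> Optional[bytes]:
    """Patched behaviour: build a response only if header + claimed payload + minimum
    padding fit inside the record; otherwise discard the message silently."""
    if len(record) < 1 + 2 + PADDING:
        return None
    _, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING > len(record):
        return None
    return record[3:3 + payload_length]


if __name__ == "__main__":
    secret = b"MASTER-KEY-AND-SESSION-DATA"  # constructed stand-in for other server memory
    honest = build_heartbeat(b"Hat")
    print(vulnerable_handler(honest, secret), fixed_handler(honest))
    lying = build_heartbeat(b"Hat", claimed_length=500)
    print(vulnerable_handler(lying, secret))  # 'Hat' plus the bytes that follow the record
    print(fixed_handler(lying))               # None: request discarded
```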
8. Protecting Your Information
Heartbleed is a reminder that securing your information is more important than ever before.
And it’s going to get worse.
As we continue relying on technology for conducting business, communicating through email and social media, and shopping online, cybercriminals are going to continue getting smarter and more aggressive in how they try to steal personal information.
So we need to be even smarter….
9. Password Management
Password Management is becoming one of the best defenses for security flaws. Passwords today need to be taken very seriously. This means having a good, efficient password management plan for every account you have online.
Password Management in days past could be very complicated, time consuming and difficult. However, today there are many solutions out there that are easy to use, secure and either free or very inexpensive.
Each of your accounts should have a strong and unique password.
10. Password Management with LastPass
LastPass has both a free account and a paid account.
The paid account is $12 / year and provides mobile app support, which alone is well worth the cost.
With this password management tool you will be able to organize, manage and use unique, secure passwords easily.
In fact I use LastPass and I actually do not even know what the majority of my passwords are.
Now – that’s security!
11. Introducing LastPass
What I really like about LastPass is that you actually do not need to know all those passwords and their app is available on every device you may choose to use.
You just need to know one password…. Your LastPass password.
12. Introducing LastPass
With this in mind, even before you sign up for LastPass be sure to think about a good, secure password that you will never – ever forget.
13. Simple Passwords are so Yesterday
Passwords as we know them are going to change in a big way very soon. Gone will be the time when simple words like… “password” will be used or accepted.
Now I may be getting ahead of myself but…
A better password strategy is using key phrases that only you would know, that no one else could guess and that a cybercriminal could not crack.
14. Passwords are Changing
Here are a couple of examples of using “phrases” for your password.
Ex. 1: “Captain Kirk and Mr. Spock are best friends!”
Your typed password would be:
Captain_Kirk_&_Mr._Spock_are_best_friends!
Ex. 2: “My favorite Place on Earth is Disney World!”
Your typed password would be:
My_Favorite_Place_on_Earth_is_Disney_World!
Passwords using phrases can be long, complex and easily remembered!
15. Embrace Password Management
This is important before we continue. Make sure you pick a good password or phrase that you will not forget. It is also a good idea to print and save this password in a secure location, like a safe in your home or another secure location.
This will be the only password you will need if you use LastPass (or similar password managers) regularly.
If you forget your LastPass password there is NO reset mechanism.
16. Signing up with LastPass
Go to www.lastpass.com to sign up. Either choose “Download Free” or “Go Premium”.
Passwords are very important and your security is probably worth $12 / year.
17. Creating Your LastPass Account
I recommend that when you sign up with LastPass you use your primary computer or laptop. When you go to create an account you will be prompted to “Download LastPass”. Do this.
You will then enter your email address, a master password (the really – really good one you already decided on) and a Password Reminder that will only help you remember it – just in case.
18. Getting to Know Your LastPass Vault
The LastPass Vault is where you will store, organize and manage all of your passwords.
This vault will also be available to you on all of your mobile devices if you sign up for the Premium account ($12/year).
19. Organizing Your LastPass Vault
I recommend organizing all of your accounts into folders.
You can see by my example that I have all of my accounts in categorized folders that I created.
Within each folder are my specific accounts.
20. Organizing Your LastPass Vault
By creating an organized folder structure for your accounts you quickly realize....
21. Creating Strong Passwords with LastPass
With LastPass installed you will now notice an (*) next to all of your logon fields for websites. If an account has already been set up you can simply select login because all of the fields will be completed for you. You can also set up an account for “autologin” which will of course automatically log you in.
I recommend this only on a secured PC that requires a password to access your Windows account, or one that only you have access to.
Make sure that when you install LastPass on your PC you install the “plug-in” for all of the browsers that you use.
22. Creating Strong Passwords with LastPass
Creating secure & unique passwords for each account is the point here, so you will want to take the time to change any passwords you have.
LastPass makes this very easy with the “password generator”.
You can do this by selecting the * and the “Generate” button.
23. Creating Strong Passwords with LastPass
If you use the default settings you will see it will generate for you a strong 12-character password using several types of characters.
Select Use Password then “Yes, Use for this Site”.
24. Going Mobile with LastPass
On your mobile device you will open the LastPass app first, copy the password and then paste it into the account that you want to access.
Although there is a physical – additional step here – you only need one password to remember – and use.
However, and this is important, all of your passwords are complex and unique.
25. How Does LastPass Work?
LastPass uses AES 256-bit encryption. The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you.
MQ9=5khD<YWZ&+5
This is how each of your passwords should look.
With LastPass you can actually do this – and it’s easy.
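The "strong, unique password per account" rule from the generator slides (22 and 23) and the sample password above, worked through in Python as an added example (not the presentation's or LastPass's own code). The character classes and symbol list are assumptions standing in for the generator's default settings; the strength figure assumes randomly chosen characters, so it overstates the strength of a memorable phrase.

```python
import math
import secrets
import string
from typing import Dict, List

# Character classes a generated password must draw from (constructed set; the symbol
# list is an assumption, not the actual LastPass generator configuration).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()_+-=[]{}<>?",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 12) -> str:
    """Random password of the given length that uses every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:  # rejection sampling: uniform over all qualifying strings
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(password: str) -> float:
    """Strength estimate: log2 of the number of strings of this length drawn from the
    union of the classes the password actually uses (assumes random characters)."""
    size = sum(len(cls) for cls in CLASSES.values() if any(ch in cls for ch in password))
    return len(password) * math.log2(size) if size else 0.0


def find_reused(vault: Dict[str, str]) -> List[List[str]]:
    """Group vault entries (site -> password) that share a password. Any group with
    more than one site is the reuse problem Heartbleed punishes: one leak, many accounts."""
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sites for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    vault = {site: generate_password() for site in ("bank", "email", "shopping")}  # constructed
    for site, pw in vault.items():
        print(f"{site:10s} {pw}  ~{entropy_bits(pw):.0f} bits")
    print("sample from the slide:", round(entropy_bits("MQ9=5khD<YWZ&+5")), "bits")
    print("reused passwords:", find_reused(vault))
```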
26. LastPass Demo
Now we will walk through how to use LastPass. Please ask questions as we go along.
www.lastpass.com