You may have heard on the news or in other media about a recent internet-security vulnerability known as “Heartbleed.”
The Episcopal Diocese of Fort Worth does not have the capability or the desire to become a tech-support provider or a primary source of internet-security information.
However, we are taking several actions with our own applications in order to secure them against this vulnerability, and we feel it may be helpful to provide information about what we are doing and why, and what you may need to do as well.
You should consider this message as a piece of friendly advice, just like when your parish office reminds you to change your clocks twice a year. It represents our best understanding of the problem and how it might affect you, but we are not a tech company or a support hotline.
What is Heartbleed?
Heartbleed is a security vulnerability.
Heartbleed is not a virus, a program, or a specific attack that has taken place. It is a coding bug that may allow for a security breech.
To put it simply:
When servers (computers) on the internet transmit information to each other, that information is encyrpted. There are a number of different programs and utilities that are used for that encryption.
The bug affects one of the more popular ones, and allows third-party entities to see data as it is being transmitted from one computer to another.
What is the effect of this bug, in practical terms?
It is possible that personal or private information has been leaked or compromised.
Almost any type of information that has been saved, stored, or transmitted on the internet is potentially at risk, including:
- login credentials (usernames and passwords)
- email contents
- financial information
- credit card numbers
Even information in systems NOT affected might be vulnerable, because of our personal email habits.
FOR EXAMPLE: There is no evidence that the PayPal service is vulnerable. However, if you have ever emailed your PayPal login credentials to another person, it is possible that those credentials have been compromised, because someone may have seen that email. This is a very common problem, as we all tend to email personal login credentials to various web services.
Has my data been compromised?
There is no way to know. You should assume that it has.
What is the risk to me if my personal information has been compromised?
It’s helpful to understand how cyber-criminals use this information, as that helps one to understand why you might not know that your data has been compromised
People tend to imagine a Hollywood-like scenario where a nefarious “hacker” breaks into specific accounts or particular computers. Unless you are a person of interest to the NSA or the Russian Mafia, that is VERY UNLIKELY.
The reality is much more mundane.
Automated computer programs (often controlled by organized crime syndicates) run massive attempts to gain information that is valuable. You can imagine this like a mining operation, digging up raw data. (The Heartbleed bug is a problem at this point, as it provides easy access to information that normally would be encrypted.)
After the data has been mined, it is packaged up and sold in blocks to anyone who wants to buy it (usually other organized crime syndicates). At that point it is used in all sorts of ways. Typically, it is simple theft: access to bank accounts allows criminals to steal money, access to credit card information allows criminals to spend money directly. Information such as email addresses is sold to spammers (those BUY VIAGRA emails you get all the time), and some credentials are recycled back for use in attempting to get more information.
A lot of the information mined by these operations is bad data. Much of it is malformed or just wrong. There is also a time lag between the initial mining of data and someone finally attempting to use it to steal actual money from an actual person. And even then, not all compromised data gets used. (Criminals are not any more efficient than any other people).
All of this means that it is possible someone could gain access to (for example) your email account credentials, but there might not be any attempts to break into your email account for days or even weeks. (By which point, hopefully you have changed your email password.)
It’s also good to realize that “personal” non-financial information, while potentially vulnerable, is not usually valuable to the type of people and organizations that mine this data. These people are looking for cash, or ways to expand their ability to get cash. They are not looking to find out who you gossiped about, what your employment plans are, or what your recent health crisis is about. Information you would tell your accountant is at risk. Information you would tell your therapist is irrelevant.
Has the bug been fixed?
However, the fix has to be implemented.
You can imagine it this way: someone has invented a better lock for your front door, but it doesn’t help you unless you install the new lock in your house.
Most major providers of internet services (websites, online stores, banks, email providers) have already implemented the fix. There are likely to be some stragglers out there, but any big-name service you use has probably already fixed the issue.
You can see lists of affected sites, and their current status:
Do I need to do anything personally with my computer or software to implement the bug fix?
Probably not, and if you are affected you likely know about it already.
Do I need to do anything at all because of this bug?
As stated above, you should assume that your data has been compromised. You should change the passwords for all accounts for all services you use online.
All of them.
Help and guidance concerning secure passwords can be found:
Additionally, you should check on the status of any financial accounts which may be accessible from the web. Change your passwords and follow any advice from any service providers.
Finally, it is a good idea to do periodic online security audits. Since most of us do not do these as regularly as we should, now might be a good time, regardless of any actual threat from this bug.
Information about doing a personal online security audit can be found:
Was the Episcopal Diocese of Fort Worth vulnerable?
EDFW email and several other productivity applications (Calendar, shared documents, etc) are provided by Google, which seems to have been affected. (Now fixed.)
Our website runs on a popular shared hosting provider which may have been affected. Additionally, we use Github to manage our source code, and that service seems to have been affected. (Now fixed.)
We send large-group emails and other information via a service called MailChimp, which seems to have been affected. (Now fixed.)
We use several social media services (Facebook, Twitter, etc). Some of these seem to have been affected, and others not. Even if compromised, none of these present any real security concern. (The ones affected have been fixed.)
We use PayPal for our credit card processing. PayPal was not vulnerable.
I have recently used my Credit Card to pay for something on EDFW website. Is my Credit Card information at risk?
Not from that.
We use PayPal for our credit card processing. PayPal was not vulnerable, and so has not been directly affected.
We are taking steps to make sure our PayPal account is not vulnerable to secondary attacks (from people gaining access via information gained in another compromised service).
However – there is no reason to believe that any credit card information from individual’s using one of our payment forms has been compromised. (Even if someone gained direct access to our PayPal account, they would not have access to the Credit Card information from people who have paid money to us.)
What Episcopal Diocese of Fort Worth data might have been compromised?
It’s hard to know.
As mentioned above, email contents and account credentials are a possibility.
There is no evidence that any personal financial information (credit card numbers) has been vulnerable.
Moreover, there is no direct evidence of any specific attacks or data leaks related to Heartbleed.
We recognize that people use email for a great deal of personal communication, and that church-related email accounts are often used to send and receive email of extremely personal or delicate information.
As mentioned above, even if a malicious attacker were to gain access to your personal email, that is not the type of information which they are looking for or can use. To make an analogy: a pickpocket is not interested in the love letter you keep in your purse, just the cash.
You should take all due precautions to secure your login credentials and account information, especially finance-related, but there is no need to be concerned at this time about leaks of private, sensitive, or personally embarrassing information or any other issues related to pastoral care.
What action is the Episcopal Diocese of Fort Worth taking?
We have upgraded all of the software that powers our website, even software we do not believe it has been directly affected.
We are changing login and verification credentials for our services, and our instructing users of our services to do the same.
What should parish administrative staff do?
The issues identified above are essentially the same at the parish level as they are at the diocesan level. If you are responsible for managing your parish’s website, email, or other online services, you should make sure they are upgraded and up to date. You should also change your own login and account credentials for all services and encourage others to do the same.
Simplified summary FAQ
What’s going on?
The internet is a bunch of computers that talk to each other.
Computers run software programs to enable them to talk to each other.
A bug in one of those programs made it possible for people to eavesdrop.
The bug has been fixed.
How bad is it?
The bug was very widespread.
However, that does not mean that every at-risk computer has been violated.
(If all the locks on all the front doors in the world suddenly stopped working, not every house would be burglarized.)
What should I do?
Change all your passwords.
Are there any cartoons that can help me understand what is going on?
Yes there are!
For more complete technical details, visit the Heartbleed website published by the discoverers of the problem: