This week, a major security bug called “Heartbleed” was revealed. It is being called “one of the biggest security threats the Internet has ever seen” and has affected many of the biggest sites on the web. Here is a quick summary of what Heartbleed is all about and what you can do to protect yourself.
What Is The Heartbleed Bug?
The Heartbleed bug is essentially a hole that allows attackers to read information that is being passed between two parties during a “digital handshake”. When that “handshake” happens and information such as your username and password is exchanged, the OpenSSL cryptographic software is supposed to keep everything away from anyone trying to gain unauthorized access to your account information. As one writer put it, SSL is “kind of like sealing a letter in an envelope before sending it through the mail.”
Because of this hole, attackers can get around the encryption and read that sensitive data. A fix exists, but it is up to each website’s administrators to apply it before the hole is actually plugged.
Am I Affected?
The short answer: yes. OpenSSL, the software in which the Heartbleed bug was found, is very widely used. In fact, it is estimated that the bug affects roughly two-thirds of the web, including big sites like Yahoo, Facebook, Gmail and many others. As one of those responsible for discovering the bug stated: “I don’t think anyone that had been using this technology is in a position to definitively say they weren’t compromised.”
The bigger problem is that this vulnerability has existed for over two years, even though it was announced only this week. So there has been ample time for attackers to find the hole and gather your personal information.
What Should I Do?
While you’re probably nagged fairly often to change your password, this is really the time to do it – for everything from banks to social accounts. Like most users, you probably use the same or a similar password for most of your accounts. With this kind of bug, once attackers have the password for one account, they can use that same password to gain access to your other accounts.
But here is the catch: many sites are still patching the hole, and changing your password before a site is fixed does not help, because the new password can be exposed the same way as the old one. So the best thing to do is to change each password once the site has announced that it is fixed and secure.
Here are the steps you will want to take to lock these passwords down:
- Come up with a brand new password that mixes numbers and letters and is not a common word or phrase;
- It is always best to have a different password for each account, but if that is too much, try creating different groups of accounts (social, banking, etc.) so that if one password is compromised, the damage is limited;
- Wherever possible, sign up for 2-step verification, which sends a confirmation code to your mobile device when you log in;
- Use a password manager such as 1Password or LastPass to store and protect the passwords you use on the web.
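As an added illustration of the first two steps above (this is example code written for this article, not a tool from the post or from any password-manager vendor), the following Python script generates a fresh random password per account group and checks each candidate against the criteria listed: a mix of letters and digits, and not a common word. The list of common passwords is a small constructed sample; a real check would consult a large breached-password list.

```python
import secrets
import string

# Constructed sample of weak/common passwords for the check below.
# A real deployment would use a large breached-password list instead.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456", "welcome", "heartbleed"}

# Letters and digits only, matching the page's "mix of numbers and letters" advice.
ALPHABET = string.ascii_letters + string.digits


def is_acceptable(password: str) -> bool:
    """Apply the page's criteria: at least 8 characters, letters and digits
    mixed, and not a common word (compared case-insensitively)."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    not_common = password.lower() not in COMMON_PASSWORDS
    return len(password) >= 8 and has_letter and has_digit and not_common


def generate_password(length: int = 16) -> str:
    """Return a random password that satisfies is_acceptable().

    Uses the secrets module (a cryptographically secure generator) rather
    than random, which is not suitable for security purposes. Retries until
    the letter-plus-digit rule holds; for length >= 8 this terminates quickly.
    """
    if length < 8:
        raise ValueError("password length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable(candidate):
            return candidate


def passwords_per_group(groups) -> dict:
    """Issue one distinct password per account group (social, banking, ...)
    so that a leak in one group does not unlock the others."""
    result = {}
    for group in groups:
        pw = generate_password()
        # Collisions between 16-character random strings are negligible,
        # but the grouping only helps if every group gets a distinct value.
        assert pw not in result.values()
        result[group] = pw
    return result


if __name__ == "__main__":
    for group, pw in passwords_per_group(["social", "banking", "email"]).items():
        print(f"{group:8s} {pw}")
```

Store the generated values in a password manager rather than reusing them; the script only demonstrates what "brand new, mixed, and uncommon" means in concrete terms.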
While changing passwords is a pain, it is far easier than dealing with a compromised account, lost funds or charges on your credit card. Please take a few moments and change your passwords and implement the suggested security measures to protect yourself.