Taking The Confusion Out of “Heartbleed”
This week, the internet, and all of online technology, was hit with one of the biggest potential security breaches ever.
Computer security expert Bruce Schneier has weighed in on Heartbleed, the security flaw that opens up much of the Web to hacks.
In a post on his personal blog, Schneier calls Heartbleed a “catastrophic” attack that could allow hackers to easily grab user names and passwords.
“On a scale of 1 to 10, this is an 11,” he writes.
Heartbleed is a flaw in OpenSSL, the encryption software many sites and online services use to keep your username and password encrypted in transit. This is where the “s” in HTTPS comes from. In theory, a hacker can use the Heartbleed flaw to access passwords, encrypted communications like instant messages, and even credit card information.
Schneier also speculates that someone could have intentionally added the Heartbleed bug to OpenSSL, but it’s more likely it got in there by accident.
The problematic code is used by two-thirds of all websites using SSL/HTTPS on the internet today. This includes banking sites and more. If you want to learn more, check out this great Security Now podcast with security professional Steve Gibson discussing Heartbleed.
XKCD web comic has a simplified graphic of how the bug works.
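As an added illustration (this is example code written for this page, not code from the post or from OpenSSL), here is a Python simulation of the heartbeat handling that the comic describes: the server trusts the length the client claims, so a short message with a large claimed length gets answered with whatever was sitting next to it in memory. The “heap”, the record slot and the leftover secret are constructed for the demo; the `patched=True` branch applies the same length check the OpenSSL fix added.

```python
import struct
from typing import Optional

HB_REQUEST = 1      # heartbeat message type sent by the peer
PADDING = 16        # TLS heartbeat messages carry 16 bytes of padding
HEAP_SIZE = 64      # constructed stand-in for the server's process memory
RECORD_SLOT = 32    # the incoming record is copied into the first 32 bytes
# Constructed: data a previous request left behind, right after the record slot.
LEFTOVER = b"session=abc123; pw=hunter2"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat body: type (1 byte) | payload length (2 bytes) | payload | padding."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


def handle_heartbeat(record: bytes, patched: bool) -> Optional[bytes]:
    """Simulate the server answering one heartbeat record.

    patched=False reproduces the bug: the claimed payload length is never
    compared with the size of the record that actually arrived.
    patched=True adds the check from the fix and silently discards the
    message when the claimed length does not fit inside the record.
    Returns the bytes that would be echoed back, or None if discarded.
    """
    if len(record) > RECORD_SLOT:
        raise ValueError("constructed demo only models records up to 32 bytes")
    hb_type = record[0]
    (claimed_len,) = struct.unpack("!H", record[1:3])
    if hb_type != HB_REQUEST:
        return None
    if patched and 1 + 2 + claimed_len + PADDING > len(record):
        return None  # the fix: claimed length exceeds the record, drop it
    # Lay out the simulated heap: the record lands in its slot, and whatever
    # was already in memory after it stays there, exactly as on a real heap.
    mem = bytearray(HEAP_SIZE)
    mem[RECORD_SLOT:RECORD_SLOT + len(LEFTOVER)] = LEFTOVER
    mem[:len(record)] = record
    # memcpy(bp, pl, payload): copy claimed_len bytes starting at the payload,
    # reading past the end of the real payload when claimed_len is too big.
    return bytes(mem[3:3 + claimed_len])


if __name__ == "__main__":
    honest = build_heartbeat(b"bird", 4)    # says 4 bytes, sends 4
    lying = build_heartbeat(b"bird", 60)    # says 60 bytes, sends 4
    print("honest, unpatched:", handle_heartbeat(honest, patched=False))
    print("lying,  unpatched:", handle_heartbeat(lying, patched=False))
    print("lying,  patched:  ", handle_heartbeat(lying, patched=True))
```

Running it shows the honest request echoed back as `bird` on both versions, the unpatched server answering the lying request with `bird` followed by the leftover secret, and the patched server answering it with nothing at all.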
In very simple language, this means:
1) Sites that appeared to be using HTTPS to properly protect your passwords were potentially not very protected.
2) Every site affected – which is most, but not all, of the sites on the web that use SSL (HTTPS) – will have to update its server certificate and THEN you will need to change your password.
3) If you rushed and changed all your passwords, you’re likely going to be changing some of them again once the servers are patched. Updating before sites are patched can actually give the bad guys your new password info.
4) There are a lot of small sites, such as optimizepress.com, that are affected, that the media will never list. You’re going to need to use your LastPass security scanner to find these. (See below.)
5) Regardless of how much I’d like to let you off the hook on paying attention to this week – you must follow what is going on and you must update sites once they patch their security certificate.
6) Be wary of mandatory password reset emails that contain links as hackers are now sending out fake ones. If you get one, go type the URL in the address bar manually to avoid giving your credentials to bad guys.
7) If you use an SSL certificate on your website (for https) be sure to contact your hosting company for further information about your site.
8) If a website does not patch, it will continue to be attacked until all of its user data and passwords are known. This may include your data. So keep an eye on who has NOT patched in addition to who has.
9) This does NOT mean that your passwords have already been compromised – but it does mean that it is quite possible. And the more sites you reused the same password on (if you were lazy and did not use a unique password per site), the more likely it is. (Use LastPass to make secure passwords easier.)
10) This does not install anything on your computer. It’s not a keylogger. It does not steal data from your computer. It does not steal data from any site other than the vulnerable one.
What about credit card data from digital and online purchases?
While Fox News was slightly wrong in that this is not a virus… they were absolutely correct about the fact that credit card data and more was compromised.
Three ways to know which https sites are updated and which ones are still vulnerable.
1) Mashable has a good list of the major social media sites and notes about their safety status. Click here.
2) LastPass has an amazing security tool (read more) that will scan your saved passwords for affected sites. You will find ones not listed other places. For example, here are the ones that are coming up for me. If you don’t already use LastPass, you really should.
The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check. (See the Mashable article for the “updated = unknown” social sites.)
3) Check the website at a heartbleed vulnerability scanner such as this website: http://filippo.io/Heartbleed/ (If you find this scanner useful, be sure to donate to the project!)
This kind of stuff can be scary, stressful and downright annoying! Whether you have technical questions or just want to blow off some steam, come join the discussion here.
Keeping You Safe,
~ Kim ~
Simple Tech Tips For Marketing
PS: Please avoid rushing off to change “all” of your passwords. You do need to rush to change passwords but only the passwords of sites that have updated. Please do NOT change passwords on sites that remain vulnerable.