Recently the technology sector was shaken by the discovery of the Heartbleed Bug, a serious vulnerability for Internet security. It affects nearly everyone who has some sort of online account, so understanding the issue is important, as is taking a smart approach to protecting yourself.
The Heartbleed Bug is a weakness in the way the widely used OpenSSL library implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which provide secure Internet transactions between web browsers and web servers. Almost any time you provide login information to a website, that website’s server is using SSL/TLS encryption to keep your login information confidential in transit. Many websites rely on the OpenSSL cryptographic software library, and that library is where the security hole lies.
When a web browser and a web server are passing data back and forth, they “check” that the other computer is still available by sending a small packet of data, a “heartbeat”, which the other machine echoes back. The Heartbleed Bug lets an attacker send a malformed heartbeat that tricks the other machine into replying with data from its memory, which can include a good deal of sensitive information such as login credentials.
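The length-trust problem described above, as an added example that is not OpenSSL’s code: a constructed simulation of heartbeat handling with the unpatched behaviour (trusting the length the request claims) beside the fix (rejecting a record whose claimed payload does not fit inside what was actually received). The record layout, the memory arena and the “secret” string are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed simulation for this post, not OpenSSL's code. A heartbeat record
   is: 1 byte type, 2-byte big-endian payload length, payload, 16+ bytes padding. */
#define HB_HEADER 3
#define HB_PADDING 16

/* Build the reply to the heartbeat request in rec (rec_len bytes received).
   check_length == 0 trusts the claimed length as the unpatched code did;
   check_length == 1 applies the fix: claimed payload plus header and padding
   must fit inside the record that actually arrived, otherwise drop it.
   Returns the reply length, or -1 when the record is rejected. */
int hb_process(const uint8_t *rec, size_t rec_len, int check_length,
               uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER) return -1;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    size_t reply_len = HB_HEADER + payload + HB_PADDING;
    if (check_length && reply_len > rec_len) return -1;   /* the Heartbleed fix */
    if (reply_len > out_cap) return -1;
    out[0] = 0x02;                       /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload); /* echoes `payload` bytes */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return (int)reply_len;
}

/* Demo: a 4-byte request that claims a 32-byte payload, placed in a constructed
   arena whose following bytes stand in for other data the process holds. The
   bytes echoed beyond the one real payload byte are copied into `leaked`. */
int hb_demo(int check_length, char *leaked, size_t leaked_cap)
{
    uint8_t arena[64] = {0};
    const uint8_t req[] = {0x01, 0x00, 0x20, 'A'};
    memcpy(arena, req, sizeof req);
    strcpy((char *)arena + sizeof req, "session=tok3n");  /* constructed secret */

    uint8_t out[128];
    int n = hb_process(arena, sizeof req, check_length, out, sizeof out);
    if (n < 0) { leaked[0] = '\0'; return n; }
    size_t extra = 0x20 - 1;              /* claimed length minus the real byte */
    if (extra >= leaked_cap) extra = leaked_cap - 1;
    memcpy(leaked, out + HB_HEADER + 1, extra);
    leaked[extra] = '\0';
    return n;
}
```

With `check_length` set to 0 the reply carries the constructed secret that sat after the request in memory; with it set to 1 the same request is dropped, which is exactly what the patched OpenSSL does.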
Another point of concern is that the flaw, though only just discovered, has existed for at least two years, and exploiting it leaves no trace, so there is no way to tell whether a given server has already been attacked. If you read any news on the Internet, I’m sure you’ve seen plenty of articles about this and the need to go change your passwords, but WAIT!
If you change your password while that website’s server still hasn’t updated its OpenSSL software library, the change is all for naught: the flaw is still in place, and the new password can leak just as the old one could. You’ll need to verify that the web server is running a “safe” OpenSSL version before you change your password. Note that some Linux distributions patch the flaw without changing the reported OpenSSL version number, so an online scanner is a more reliable check than the version string alone.
There are a few sites that let you check a website for this vulnerability, and I recommend you start checking the websites you use.
The last site I mentioned is something the folks at LastPass were nice enough to let people use. Anyone who uses their free password management service also has access to a few other tools that check every site whose password you store with them. Their scanner works a little differently as well: it checks for other past vulnerabilities and lists the steps to take to protect your privacy. I’m a wholehearted supporter of LastPass and strongly suggest you give their free service a try.
It should be noted that the Heartbleed Bug could very well continue to affect the Internet as we know it, because the vulnerable OpenSSL software library is baked into a variety of Internet hardware and third-party security products, such as Virtual Private Network (VPN) tools and commercial firewall products. If your business maintains its own servers with a VPN in place, check with your IT people to make sure those products have been patched as well.
Don’t delay: start checking the security of the websites you use immediately. If a website hasn’t patched its OpenSSL, wait to change your password until it does.