A plague at the heart of the Internet. Anyone who ventures online should be aware of the risks posed by Heartbleed, the biggest threat to Internet security in at least a couple of years. All Internet users need to respond to its reality.
What is it? Heartbleed isn’t a virus, but a software bug – a distressing flaw in web encryption technology, specifically a defect in the widely used OpenSSL cryptographic software library. The bug (tracked as CVE-2014-0160) sits in OpenSSL’s handling of the TLS “heartbeat” extension, a keep-alive message in which one side sends a small payload and asks the other side to echo it back.
Heartbleed was recently detected by Google Security researcher Neel Mehta and researchers at Internet security firm Codenomicon. They determined that every OpenSSL 1.0.1 release, from 1.0.1 (March 14, 2012) through 1.0.1f, contained the bug; the fix shipped in 1.0.1g on April 7, 2014, and the older 0.9.8 and 1.0.0 branches were never affected. The flaw is a memory-disclosure bug: the server trusts the payload length the sender claims, and echoes back that many bytes of its own RAM even when the real payload was far shorter. That is hugely problematic, as popular open-source web servers like Apache and nginx use OpenSSL to protect user security.
What kind of damage can it do? SSL/TLS is the protocol that gives you the secure connection (https://) on assorted websites, and OpenSSL is the library many servers use to implement it. Each malformed heartbeat request can return up to 64 KB of the server’s memory, which may contain usernames and passwords being processed at that moment, session cookies, or even the server’s private key. Potentially, then, the Heartbleed flaw lets identity thieves snare enormous numbers of username/password combinations from such websites – and because a heartbeat is not something ordinary web-server logs record, the theft leaves no trace.
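To make the mechanism concrete, here is an added illustration (not OpenSSL’s code, and not part of the original article) of the heartbeat message format and the missing check. The “server memory” is a small buffer constructed here, with a made-up secret placed just after the incoming record; the vulnerable handler copies as many bytes as the message claims, while the fixed handler first verifies that the claimed length fits inside the record actually received.

```c
/* Simulated TLS heartbeat handling, modelled on CVE-2014-0160.
 * Added example: the buffers, secret and message below are constructed
 * for illustration and are not OpenSSL source.
 *
 * Heartbeat message layout (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian, so up to 65535 = 64 KB)
 *   N bytes payload
 *   >=16 bytes random padding
 */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "server memory": the record arrives at the start, and data
 * from another user's request happens to sit a little way after it. */
static uint8_t server_memory[256];
static const char secret[] = "user=alice&password=hunter2";   /* made up */

/* Write a heartbeat record into server_memory; returns its real length. */
static size_t load_request(uint16_t claimed_len)
{
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (uint8_t)(claimed_len >> 8);
    server_memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(server_memory + 3, "hi!", 3);            /* 3 bytes really sent */
    size_t record_len = 1 + 2 + 3 + HB_PADDING;
    memcpy(server_memory + record_len + 8, secret, sizeof secret);
    return record_len;
}

/* Vulnerable handler: believes the length field and never looks at how
 * long the record really is. The copy runs past the record into
 * neighbouring memory (here, still inside our own buffer). */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                  /* ignored: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* over-read */
    return 3 + payload_len;
}

/* Fixed handler: the claimed payload plus the mandatory padding must fit
 * inside the bytes actually received, otherwise the message is dropped. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    if ((size_t)3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Does a response contain the neighbouring secret? */
static int contains_secret(const uint8_t *resp, size_t n)
{
    for (size_t i = 0; i + sizeof secret <= n; i++)
        if (memcmp(resp + i, secret, sizeof secret) == 0) return 1;
    return 0;
}

/* Attacker claims 100 bytes, sends 3: vulnerable server answers with 103
 * bytes that include the secret. Returns 1 when that happens. */
int vulnerable_leaks(void)
{
    uint8_t resp[512];
    size_t n = heartbeat_vulnerable(server_memory, load_request(100),
                                    resp, sizeof resp);
    return n == 103 && contains_secret(resp, n);
}

/* Same request against the fixed handler is dropped (returns 1). */
int fixed_rejects(void)
{
    uint8_t resp[512];
    return heartbeat_fixed(server_memory, load_request(100),
                           resp, sizeof resp) == 0;
}

/* An honest 3-byte heartbeat still gets its 3 bytes echoed (returns 1). */
int fixed_answers_honest(void)
{
    uint8_t resp[512];
    size_t n = heartbeat_fixed(server_memory, load_request(3),
                               resp, sizeof resp);
    return n == 6 && memcmp(resp + 3, "hi!", 3) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks());   /* 1 */
    printf("fixed rejects attack:    %d\n", fixed_rejects());      /* 1 */
    printf("fixed echoes honest:     %d\n", fixed_answers_honest()); /* 1 */
    return 0;
}
```

The one-line bounds check in the fixed handler is, in spirit, the entire Heartbleed patch: the response must never be longer than what the client actually sent. Note also that nothing in the vulnerable path crashes or corrupts memory, which is why the attack is silent.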
What websites are still vulnerable? The list is changing (and fortunately, decreasing) daily. Head to the respected tech website Mashable.com for a frequently updated “Heartbleed Hit List” (Google “Heartbleed hit list” and you’ll get there in a click).
Some vulnerable websites have promptly patched the Heartbleed defect, and that is your cue to change your password at those websites, which include Facebook, Pinterest, Google, Yahoo! and others. Any password you used there while the bug was live may have been read out of the server’s memory; if you don’t change it, you are leaving yourself open to identity theft.
Fortunately, very few of the big banking and day trading websites use OpenSSL; none have reported security issues so far. LinkedIn, AOL, PayPal and eBay also report that they are unaffected. The IRS reports no problems with its website.
How can you protect yourself? Head to Mashable.com’s list to see where you must change your password. Change passwords at those websites, and don’t reuse a new password across sites: if one site leaks it, every site where you used it is exposed.
Some people like to use password managers such as Dashlane and LastPass – these are software programs that generate random, unique and very strong passwords for websites you visit, and which automatically enter them for you. You will actually never know these passwords; they will be hidden behind a single master password.
Italian cybersecurity specialist Filippo Valsorda has a tool (filippo.io/Heartbleed/) where you can test a website (specifically, its server) to see if it is suffering from Heartbleed. Type in the website address and hit “go”. If the result is “all good”, the server is not currently vulnerable (either patched or never affected), but your password should still be changed anyway as a precaution, since the site may have been exposed before the fix. If the test finds it “vulnerable”, refrain from changing your password for the moment and wait for the site to be secured: a new password typed into a still-vulnerable server can be stolen just like the old one, so you may actually be putting yourself at greater risk than you previously were. One caveat: the checker only tells you whether the bug itself is fixed, not whether the site has also replaced the certificate and private key that could have leaked while it was vulnerable.
Be safe, stay alert. While the response to Heartbleed has been necessarily swift, it reminds us that we need to be vigilant and that the security of online services is sometimes overstated. So change those relevant passwords for sites that have been patched, if you haven’t done so already.