WHAT IS HEARTBLEED?
Last week a nasty bug called “heartbleed” was discovered. Although many news outlets were calling it a virus, it was actually a software defect in widely used security software. According to Netcraft, an Internet research firm, over 500,000 Web sites could be affected by this encryption flaw.
“The bug, dubbed ‘heartbleed’, is based on a fault in functionality in the widely used OpenSSL library. It was originally discovered by Neel Mehta of Google Security. This library is extremely widely used from security vendors’ products to secure web browsing (when you log in to a site and see https://) and even mobile banking applications. The Apache web server which powers a substantial part of the Internet tends towards using OpenSSL.” - Forbes
When the bug is exploited, an attacker can retrieve up to 64KB of memory. This memory may contain usernames, passwords, credit card information, keys or other sensitive information that could lead to attacks on a larger scale.
WHAT SITES WERE AFFECTED?
Only sites that were using OpenSSL were affected. Thankfully, most sensitive sites, those belonging to banks and governments, were not vulnerable in the first place. Here is a list of some of the most popular websites that were found to be vulnerable:
WHAT CAN YOU DO TO PROTECT YOURSELF?
If you use any of the sites listed above, it is recommended that you change your password if you haven’t already.
When making updates, choose a new, secure password to help ensure you’re protecting yourself from future vulnerabilities.
Don’t choose something simple such as 123456, or “Password”.
A secure password contains both uppercase and lowercase letters, a number and a symbol, and is at least 8 characters long. It is also recommended that you regularly change your passwords to add an extra layer of protection.
If you have a hard time remembering your passwords, try a password management tool such as LastPass. Password managers help you generate random passwords for each account. You then control everything through one strong master password. Having all of your accounts under one manager may be too close for comfort for some users, but LastPass insists it’s secure, and that users don’t have to change their master passwords due to Heartbleed. It has even added a feature that automatically checks your saved sites for Heartbleed vulnerabilities. Other password manager options are RoboForm, Dashlane, and 1Password.
Many vendors are working overtime trying to quickly patch the issues. The question in the aftermath of something like this is whether online security practices need to be reformed. Secure online communication will likely be a worldwide discussion topic in the weeks to come.