Is the Heartbleed bug causing some online heartache for you? Do you even know what Heartbleed is?
Unless you’re a dyed-in-the-wool techie, it’s understandable if you don’t completely understand what’s going on with the Internet’s latest security scare. Here, we explain what Heartbleed is, what damage it can cause and what you can do about it.
What is Heartbleed?
The Heartbleed bug is a flaw in OpenSSL, a popular piece of open-source software that implements the Secure Sockets Layer (SSL) protocol. SSL (the technology behind HTTPS) is the standard security technology that establishes an encrypted connection between a user’s web browser and the server where a website is hosted. “Encryption is essential to Internet security,” the Better Business Bureau says.
What types of data are vulnerable to Heartbleed?
Usernames, passwords, email messages, credit card numbers, Social Security numbers and other sensitive information.
Alexander Miller, lead technician at tech support company OMG Tech Help, said: “It is important to understand that Heartbleed should be viewed as an unlocked door, rather than a prowler trying to break into your house and steal something. It allows hackers to gain access to information that is assumed to be secured.”
What should you do if you find out your computer is infected by Heartbleed?
Stop what you’re doing on your computer and contact a specialist in removing computer viruses, Miller said. Unless you’re very tech-savvy, it’s best not to try to deal with Heartbleed on your own.
When was Heartbleed discovered?
In early April.
How long has Heartbleed been around?
It went undetected for about two years.
How bad is the Heartbleed bug?
According to IT company Defense.net, it “may be one of the most catastrophic bugs in secure computing history.”
How did the Heartbleed bug happen?
In 2012, a feature called Heartbeat was added to the software, primarily to address slow Internet connections. “Heartbeat allowed connections to be held open, even during idle time,” according to the University of Texas at Dallas. “A flaw in the implementation allowed confidential information to be passed through the connection, hence the name Heartbleed.”
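The flaw described above, as an added simulation that is not part of the original article or of OpenSSL’s own code: a Heartbeat request carries a length field saying how many bytes of payload the sender wants echoed back. The flawed handler trusted that field and copied that many bytes from memory without comparing it with the size of the record that actually arrived, so a request claiming a large payload was answered with whatever happened to sit next to it in memory. The 2014 fix discards any request whose claimed length does not fit inside the received record. The memory layout, the “SESSION-KEY” bytes, the record size and the function names below are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory (constructed for this example):
 *   bytes  0..23  the heartbeat request exactly as it arrived on the wire
 *   bytes 24..63  unrelated data that happens to live next to it (stands in
 *                 for keys, passwords or other users' session data)        */
#define ARENA_LEN   64
#define RECORD_LEN  24   /* 1 type byte + 2 length bytes + 5 payload + 16 padding */
#define HDR_LEN     3    /* type byte plus 16-bit payload length */
#define MIN_PADDING 16   /* a heartbeat record must carry at least 16 padding bytes */

static const char SECRET[] = "SESSION-KEY:0123456789ABCDEF0123456789AB"; /* 40 bytes */

/* Lay out a heartbeat request with a 5-byte payload ("hello") whose length
 * field claims `claimed_len` bytes, followed by the secret data. */
void build_arena(unsigned char *arena, uint16_t claimed_len) {
    memset(arena, 0, ARENA_LEN);
    arena[0] = 1;                          /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HDR_LEN, "hello", 5);   /* real payload; bytes 8..23 are padding */
    memcpy(arena + RECORD_LEN, SECRET, sizeof(SECRET) - 1);
}

/* Flawed behaviour: echo back as many bytes as the peer's length field asks for.
 * The copy is capped at the arena size only so this simulation itself stays in
 * bounds; the logic never consults how long the received record really was. */
size_t heartbeat_reply_unchecked(const unsigned char *arena,
                                 unsigned char *out, size_t out_cap) {
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    size_t n = claimed;
    if (n > ARENA_LEN - HDR_LEN) n = ARENA_LEN - HDR_LEN;
    if (n > out_cap) n = out_cap;
    memcpy(out, arena + HDR_LEN, n);
    return n;
}

/* Fixed behaviour: the claimed payload plus header and minimum padding must
 * fit inside the record that was actually received, otherwise the request is
 * silently dropped and nothing is echoed. */
size_t heartbeat_reply_checked(const unsigned char *arena, size_t record_len,
                               unsigned char *out, size_t out_cap) {
    if (record_len < HDR_LEN + MIN_PADDING) return 0;      /* too short to be valid */
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (HDR_LEN + claimed + MIN_PADDING > record_len) return 0;
    if (claimed > out_cap) return 0;
    memcpy(out, arena + HDR_LEN, claimed);
    return claimed;
}

/* How many bytes of a reply lie past the legitimate payload-plus-padding region. */
size_t leaked_secret_bytes(size_t reply_len) {
    size_t legit = RECORD_LEN - HDR_LEN;                   /* 21 bytes */
    return reply_len > legit ? reply_len - legit : 0;
}

/* A request that claims 40 bytes but really carries 5: the unchecked handler
 * leaks 19 bytes of SECRET, the checked handler answers with nothing. */
size_t demo_leak(void) {
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena, 40);
    return leaked_secret_bytes(heartbeat_reply_unchecked(arena, out, sizeof out));
}

size_t demo_fixed_rejects(void) {
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena, 40);
    return heartbeat_reply_checked(arena, RECORD_LEN, out, sizeof out);
}

/* An honest request (claims 5, carries 5) still works after the fix. */
size_t demo_fixed_accepts_honest(void) {
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena, 5);
    return heartbeat_reply_checked(arena, RECORD_LEN, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaked %zu bytes beyond the record\n", demo_leak());
    printf("checked handler replied with %zu bytes to the same request\n",
           demo_fixed_rejects());
    printf("checked handler replied with %zu bytes to an honest request\n",
           demo_fixed_accepts_honest());
    return 0;
}
```

The point to take from the simulation is why patching alone does not undo earlier exposure: the leaked bytes were simply whatever lay next to the request in memory, so anything that was in the server’s memory while it ran an unpatched version (keys, session cookies, passwords) may have been read, which is why operators are replacing certificates and advising password changes after the patch.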
How many websites have been affected by Heartbleed?
About two-thirds of all websites are powered by servers that are susceptible to the Heartbleed bug, including Google and Facebook. Some estimates put the number of affected sites at 500,000. Also vulnerable to the bug are devices like smartphones, office phones, security cameras, virtual private networks (VPNs) and videoconference systems.
What are website operators doing to tackle Heartbleed?
Websites affected by Heartbleed are installing “patches” for their security connections. In many cases, website operators are notifying users by email whether Heartbleed has been an issue.
To find out whether a major website has installed a Heartbleed patch, check out this article from CNET.
How do you know whether a website you’re visiting is safe?
You can use online tools like the Heartbleed checker from McAfee or the Heartbleed checker from LastPass to verify the safety of any website that you visit regularly. If no red flags come up, then you can securely log on to that site. Many experts recommend that you change your username and password once you’ve signed in.
How do you know whether your small business’ website has been affected?
“Most small businesses are using a third-party website host. Contact your provider and determine if your site was impacted, and if they have applied the necessary patches,” said technology consultant Ed Hill, a professor in the College of Engineering & Information Sciences at DeVry University.
You can turn to a tool like this one from Italian cybersecurity expert Filippo Valsorda to find out quickly whether your website is affected. If Heartbleed has hit your site, you should contact your IT department or your IT consultant for guidance.
Should you check with your software providers about how they’re reacting to Heartbleed?
It’s probably a good idea to do so if the software involves the exchange of data, such as products offered by “cloud” companies like Dropbox and Salesforce.com, according to Jeff Cherrington, vice president of product management and marketing at Prime Factors, which develops data security software.
Do you need to change all of your online passwords?
To be on the safe side, some experts suggest creating new passwords for all of your online accounts. Other experts, however, say that might be going too far. Whatever the case, don’t change a password for a site until you’re sure it’s been protected against Heartbleed.
“It might be attractive to try to cherry-pick only those online services that are showing up in the media as impacted, but taking the broad sweep is a better approach,” Cherrington said.
How should you go about changing your online passwords?
Even if Heartbleed weren’t an issue, you still should protect your data by setting up strong passwords. Here are six password tips:
- Use passwords that include upper-case letters, lower-case letters, numbers, and punctuation or special characters.
- Do not use dictionary words in your passwords.
- Use a tool like www.random.org/passwords to randomly generate a password.
- Do not use the same password for different sites.
- Think in terms of a “passphrase” rather than a password, said Merrill Warkentin, professor of information systems at Mississippi State University. For instance, “I started to work in 2008” could become “Is2wi2008.”
- If you must write down your passwords, keep them in a secure location. “Don’t write it on a sticky note by your [computer] monitor,” Warkentin said.
What’s next for Heartbleed?
Just because websites are installing patches to guard against Heartbleed doesn’t mean that the bug is disappearing.
“Heartbleed is only in its infancy,” said Tommy Montgomery, principal consultant and security expert at IT consulting firm SWC Technology Partners.
“In the coming weeks and months, there is no doubt that attackers will continue to find creative ways to exploit vulnerable systems that are left unpatched,” Montgomery said. “Unpatched systems run the risk of leaking usernames, passwords, encryption keys, credit card data, health care data and much more sensitive information.”
Sources: Better Business Bureau, CNET, Defense.net, DeVry University, LastPass, LogmeOnce, McAfee, Mississippi State University, OMG Tech Help, Prime Factors, SAIFE, SWC Technology Partners, University of Texas at Dallas, Vestige