If you haven’t been stranded on a deserted island this past week, then you have surely heard of the Heartbleed bug. Even if you have seen the news, you may still be wondering what this bug really is and how it might affect you. In case it helps, here is my perspective.
What is this Heartbleed bug?
The Heartbleed bug is a serious vulnerability in OpenSSL, an open-source implementation of the SSL and TLS protocols. OpenSSL 1.0.2-beta, as well as every version from 1.0.1 through 1.0.1f, has a memory handling bug in the TLS Heartbeat Extension. Using this vulnerability, attackers can read sensitive data out of a server's memory, including, but not limited to, your usernames, passwords, and even credit card information. OpenSSL is most frequently used in Unix-like operating systems (UNIX, Linux, Mac OS X, VMware, etc.). There are, however, versions of OpenSSL available for non-Unix-like systems, such as Microsoft Windows. OpenSSL is extremely common and is used on many servers around the world. Here are just a few websites that use OpenSSL (perhaps you have heard of them):
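To make the "memory handling bug" concrete, here is an added illustration written for this post (not OpenSSL's own code): a simplified heartbeat parser in the vulnerable shape, which trusts the payload length the peer declares, beside a hardened one that checks that length against the bytes actually received. The record layout follows RFC 6520; the memory arena, the two-byte payload and the placeholder secret are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Heartbeat body (RFC 6520): type (1) | payload_length (2, big-endian) | payload | padding (>=16).
 * Both parsers below are illustrative shapes written for this example, not OpenSSL's own code. */
#define HB_HDR_LEN 3
#define HB_MIN_PADDING 16
#define ARENA_LEN 128
/* Vulnerable shape: copy as many bytes as the peer *declared*, never checking how many actually
 * arrived. (Clamping to resp_cap only keeps this demo in bounds; the real bug had no such limit.) */
size_t hb_parse_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap) {
    (void)rec_len;                                   /* never consulted: that is the bug */
    size_t declared = (size_t)(rec[1] << 8 | rec[2]);
    if (declared > resp_cap) declared = resp_cap;
    memcpy(resp, rec + HB_HDR_LEN, declared);
    return declared;
}
/* Hardened shape: header + declared payload + minimum padding must fit in the bytes received; -1 if not. */
long hb_parse_hardened(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;          /* too short to even parse */
    size_t declared = (size_t)(rec[1] << 8 | rec[2]);
    if (HB_HDR_LEN + declared + HB_MIN_PADDING > rec_len) return -1;   /* the missing check */
    if (declared > resp_cap) return -1;
    memcpy(resp, rec + HB_HDR_LEN, declared);
    return (long)declared;
}
/* Constructed arena: 21-byte request (3 hdr + 2 payload + 16 zero pad), then a constructed placeholder secret. */
static const char SECRET[] = "CONSTRUCTED_SECRET_TOKEN";
static size_t build_arena(uint8_t *arena, uint16_t declared_len) {
    memset(arena, 0, ARENA_LEN);
    arena[0] = 0x01;                                 /* heartbeat_request */
    arena[1] = (uint8_t)(declared_len >> 8); arena[2] = (uint8_t)(declared_len & 0xff);
    memcpy(arena + HB_HDR_LEN, "hi", 2);             /* the 2 payload bytes that really arrived */
    memcpy(arena + 21, SECRET, sizeof SECRET);       /* neighbouring memory, not part of the record */
    return 21;                                       /* the real record length */
}
/* 1 if the vulnerable parser, fed a record declaring 64 bytes but carrying 2, echoes the secret. */
int demo_vulnerable_leaks(void) {
    uint8_t arena[ARENA_LEN], resp[ARENA_LEN];
    size_t n = hb_parse_vulnerable(arena, build_arena(arena, 64), resp, sizeof resp);
    return n == 64 && memcmp(resp + 18, SECRET, sizeof SECRET - 1) == 0;
}
/* 1 if the hardened parser rejects that same record but accepts an honest one declaring 2 bytes. */
int demo_hardened_checks(void) {
    uint8_t arena[ARENA_LEN], resp[ARENA_LEN];
    long bad = hb_parse_hardened(arena, build_arena(arena, 64), resp, sizeof resp);
    long ok  = hb_parse_hardened(arena, build_arena(arena, 2), resp, sizeof resp);
    return bad == -1 && ok == 2 && memcmp(resp, "hi", 2) == 0;
}
```

The fix that shipped in OpenSSL 1.0.1g is the same idea as the hardened branch: refuse any heartbeat whose declared payload length does not fit inside the record that actually arrived.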
My IT Department Patched Our Servers, so I am Safe, Right?
No. While your servers may no longer be vulnerable, that doesn't mean every website you visit daily has been patched and is safe to use. However, there are quite a few tools on the Internet that let you check whether a website is vulnerable. Here are a few that we have used here at Segue:
Ok, so what do you do now? No, you don't have to stop using the Internet completely; it's just a good idea to change your passwords in case your information has been compromised. I would recommend that you change your passwords now, and again in a few weeks, in case you changed a password before a website had patched its servers and your newly changed credentials were compromised as well. Don't forget, we should be changing our passwords on a regular basis anyway.
To ensure you meet a good standard of security, all of your passwords should include:
- a mix of uppercase and lowercase letters;
- numerals such as 1, 2, 3;
- special characters such as $, ?, &; and
- alt characters such as µ, £, Æ.
A big password tip that most people DON'T follow is to use a different password for EVERY website you log in to. That way, if your credentials for one site are compromised, they can't be used against you all over the Internet.
I know what you are thinking: you can't even remember your own birthday, so how are you going to remember all these passwords? I am in the same boat. I currently have 462 personal login credentials around the Internet. There is no possible way to follow proper password policies and remember that many passwords without some help. Instead of keeping our passwords the way we used to, on a sticky note under the keyboard (come on, you know you used to do that), there are some great applications that can assist you with password management. The one I use is LastPass; however, I know there are other great ones as well: 1Password, Dashlane, KeePass, RoboForm, and I'm sure there are more out there! Do yourself a favor and try one out!
For more information on the Heartbleed bug, please check out Heartbleed Bug: Increasing Awareness of Information System Security by Mark Shapiro.