Heartbleed: DON’T PANIC
If you’ve read newspaper, been on Twitter or simply visited the internet in the last few days, you will have heard about Heartbleed. It is arguably one of the most serious internet security stories in the history of the internet, but some simple steps should be enough to keep you out of danger.
What is Heartbleed?
Heartbleed is a serious security bug within the OpenSSL protocol. OpenSSL is common system for encrypting information exchanged between you and web servers. It’s mostly used on ‘sensitive’ websites, such as email providers and online retailers. The page you’re viewing now is not encrypted using Open SSL because it contains no sensitive information to protect.
How does this affect me?
The Heartbleed bug mainly affects web servers, rather than your personal PC, but anyone who uses encrypted websites is at risk. The exploit means a hacker can obtain information from the system memory of an unpatched web server, which if repeated often enough could allow them to obtain private encryption keys, credit card information – pretty much any sensitive information stored on that server.
Not all secure websites use OpenSSL, but a large proportion (approx. 66 per cent) do use it, which is why it’s considered such a huge issue. Respected security expert Bruce Schneier is on record as saying the flaw is “catastrophic”. The issue is not just how sensitive the information that can be accessed is, but also because it’s almost impossible to detect. While most providers can say they have no evidence of a breach, there’s no real way for them to verify this as fact.
What can I do about it?
So, it’s time to pull up the drawbridge and enter lockdown, right? Well, you could, but it wouldn’t help. But there are a few things you can:
Check the ‘safety’ of encrypted websites you use
Examples of encrypted websites are banks, credit card providers, online retailers and email providers. Most of the big ones have patched the problem already, or may even not be affected if they use proprietry encryption or simply use a version of OpenSSL that isn’t affected. To do this, go to http://filippo.io/Heartbleed/ and enter the address of the website you’re planning to use. Use the ‘https://’ version of the site, not its public homepage. For example, you should test the log-in page of your online banking, not the front page. If it’s safe, proceed. Mashable also has an excellent guide to the largest services and their response. The Heartbleed Wikipedia page also has updates from leading providers.
Ensure you’re using secure and varied passwords
An oldie but a goodie is to refresh your passwords. Make sure you’re not using the same, basic password for all your online services. A simple answer to this problem would be to start using a password manager, such as Last Pass or 1Password. These generate secure passwords for you. This is particularly important for any website you use that holds payment information.
Follow the advise of your providers
Unless you’re using cowboyemail.com (is that a thing?), the chances are the services you’re using are already well aware of the problems and have either fixed them or are in the process of doing so. Keep an eye out for emails from them with instructions on what to do and follow their advise.
NOTE OF CAUTION: But before you do click on any Heartbleed-related emails, make sure they are genuine and not an impersonation (aka phishing) email. Look for tell-tale signs, dodgy sounding email addresses, ambiguous links etc. If you’re unsure, call your provider or check the email against one you know to be genuine.
Should I change all my passwords?
There is a great deal of conflicting advice around this issue. Some have recommended changing all passwords now, leading to some very alarmist newspaper headlines, while others recommend caution.
It’s certainly a good idea to change passwords, particularly if you use the same password elsewhere, but it’s best to wait until after your provider or service has confirmed it has patched the problem. This way you can be sure that your new password is as secure as you think.
Next, read our look at what is new in Windows 8.1 Update 1