News about the awfully-named Heartbleed Bug is all over the place. Over the past two days I received some great questions from friends and clients… only a few of which I could answer. Not only is this security flaw really bad (it is), it’s also hard to explain—even if you fully understand it—which I don’t. Problem is, I’m not convinced anyone else does either, except those who discovered the problem and anyone who exploited it. What is known for sure is that the potential damage is really scary to contemplate.
Heartbleed affects sites using OpenSSL, which is used—at least partially—on most web servers. It is probable that some (if not most) sites you access were at risk, including private networks such as VPNs. The really disturbing part is that this flaw existed for about two years before it was detected. Because it leaves no forensic trail, no one knows whether data (of any and all kinds) was compromised, or what was taken, by whom, or how. I haven’t even seen any reporting that confirms that the flaw was actually exploited by anyone (besides intelligence agencies). So, it’s a guessing game all around.
Here are a few things you can do:
1. Change your passwords! Note that some websites you use may not have been fixed yet (yes, really); a new password entered on a still-vulnerable site can leak just like the old one, so be prepared to change it again once the site confirms it is patched. To start, focus on the critical ones:
- Banking
- Domain registry (GoDaddy, etc – these are the keys to your kingdom online!)
- Social media
- Website logins/hosting providers
- Note taking & password managers (Evernote, OneNote, etc)
2. Watch your email for updates from services you use. These have been sparse… and oddly, I haven’t had any yet. This is either terrifying or reassuring, depending on your point of view.
3. Start using a password manager. I use LastPass. While LastPass does partially use OpenSSL, they fixed the problem quickly. However, LastPass users were never at risk anyway. Why? I will let them explain (emphasis mine):
“However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern.” View full article.
There may be other password managers that use similar methods – and there are a lot of excellent choices for password management… RoboForm, KeePass, 1Password… do your research, as password managers differ in approach.
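To make the quoted design concrete, here is an added illustration (my own example, not LastPass’ code or any other product’s) of why client-side encryption limits what a transport-layer leak can expose. The client derives a key from the master password locally, encrypts the vault before anything is sent, and the server only ever stores ciphertext; a “memory dump” of that server therefore contains nothing readable. The cipher here is a toy SHA-256 counter-mode keystream with an HMAC tag, chosen so the example runs with the Python standard library alone; a real product would use a vetted AEAD cipher. The vault contents, salt and master password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample vault for this illustration only.
SAMPLE_VAULT = b'{"bank.example": "correct horse battery staple"}'


def derive_keys(master_password: str, salt: bytes, iterations: int = 100_000):
    """Derive separate encryption and MAC keys from the master password on the
    client with PBKDF2-HMAC-SHA256. The master password never leaves the client."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key || nonce || counter). Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob failed authentication (wrong password or tampering)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class LeakyServer:
    """Stand-in for the service. It keeps every byte it receives in 'memory' and
    can dump that memory, mimicking a transport-layer leak. It never holds the key."""

    def __init__(self):
        self.memory = b""

    def receive(self, blob: bytes) -> None:
        self.memory += blob

    def leak(self) -> bytes:
        return self.memory


SALT = b"constructed-per-user-salt"  # in practice stored with the blob, unique per user


def round_trip(master_password: str, vault: bytes = SAMPLE_VAULT):
    """Client encrypts locally, uploads ciphertext, the server leaks its memory,
    and the client decrypts what it gets back. Returns
    (plaintext_visible_in_leak, recovered_vault)."""
    enc_key, mac_key = derive_keys(master_password, SALT)
    server = LeakyServer()
    server.receive(encrypt_vault(enc_key, mac_key, vault))
    leaked = server.leak()
    recovered = decrypt_vault(enc_key, mac_key, leaked)
    return vault in leaked, recovered


def wrong_master_password_rejected(good: str, bad: str) -> bool:
    """True when a blob encrypted under `good` cannot be opened with `bad`."""
    enc_good, mac_good = derive_keys(good, SALT)
    enc_bad, mac_bad = derive_keys(bad, SALT)
    blob = encrypt_vault(enc_good, mac_good, SAMPLE_VAULT)
    try:
        decrypt_vault(enc_bad, mac_bad, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    visible, recovered = round_trip("constructed-master-password")
    print("plaintext visible in server memory dump:", visible)
    print("client recovered vault intact:", recovered == SAMPLE_VAULT)
```

The point of the exercise is the second half of the quote: the leak dumps whatever the server had in memory, but since the server only ever received ciphertext and never the key, the dump is useless without the master password. A site that encrypts user data only with SSL has the plaintext sitting in the same process memory the bug exposed.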
Here are a few great explainers & tools to check out:
- Heartbleed.com (An overview, published by the people that discovered the flaw, Codenomicon)
- The Heartbleed Bug, explained (Vox)
- Patching The Heartbleed OpenSSL Vulnerability (by Sucuri – kinda techy)
- How to explain the new data-leaking ‘Heartbleed bug’ to your mom (DailyDot)
- LastPass’ Site Checker Tool (for fun, check the “inspiration” list at the bottom!)
- LastPass and The Heartbleed Bug