Be Still My Bleeding Heart

The Heartbleed Bug… heard about this one yet?

The latest problem recently discovered is called the Heartbleed Bug (officially CVE-2014-0160). Where do they get these names anyway? This one comes from the TLS "heartbeat" extension, which is where the bug lives.

So, not to bore you with the technical details, just know that this is a HUGE (potential) problem. Basically, any site running an affected version of OpenSSL (1.0.1 through 1.0.1f; the fix shipped in 1.0.1g) has this bug, and OpenSSL sits behind a large share of the secure web. In layman’s terms… you know when you go to a website and there is this little padlock that appears next to the website address… like when you login to your bank or webmail? Yeah, like Gmail or Yahoo Mail. Well, a lot of those protected, secure sites were… well… not as secure as the padlock suggested.

This security bug allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. An attacker can ask the server for a "heartbeat" and, because the server trusts the size the attacker claims, get back up to 64 KB of the server's memory per request, over and over, without leaving a trace in the logs. That memory can hold the site's private key, session cookies, usernames and passwords. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
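To show what "trusts the size the attacker claims" means, here is a small model of the heartbeat exchange, written for this post rather than taken from OpenSSL. It uses the real RFC 6520 message layout (type, 2-byte length, payload, 16 bytes of padding) and the real fix (compare the claimed length with the record actually received, discard if it does not fit), but the server's memory is simulated with a byte string and the "neighbouring heap" contents are constructed sample data. A test tool like the one linked in step 2 below does essentially the same thing against a live server: send a heartbeat that lies about its length and see whether extra bytes come back.

```python
import struct
from typing import Optional

# Constructed model of the TLS heartbeat extension (RFC 6520) as OpenSSL
# handled it before and after the Heartbleed fix. Not OpenSSL's code.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding follow the payload
MAX_PAYLOAD = 0xFFFF    # the length field is 16 bits, hence "64 KB per request"


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a HeartbeatRequest: type (1 byte), payload_length (2 bytes), payload, padding.

    claimed_length lets the sender lie about how much payload follows, which is
    exactly what an attacker does to trigger the bug. Padding is zeroed here; a
    real peer sends random bytes.
    """
    length = len(payload) if claimed_length is None else claimed_length
    if not 0 <= length <= MAX_PAYLOAD:
        raise ValueError("payload_length must fit in 16 bits")
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_vulnerable(record: bytes, heap_after_record: bytes) -> bytes:
    """Pre-fix behaviour (OpenSSL 1.0.1 to 1.0.1f).

    The server copies payload_length bytes starting at the payload, trusting the
    peer's length field and never comparing it with the size of the record it
    actually received. heap_after_record stands in for whatever happens to sit
    in memory just past the record buffer.
    """
    hbtype, payload_length = struct.unpack("!BH", record[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    memory = record + heap_after_record      # simulated process memory
    echoed = memory[3:3 + payload_length]    # runs past the record if the length was a lie
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def respond_fixed(record: bytes, heap_after_record: bytes) -> Optional[bytes]:
    """Post-fix behaviour (OpenSSL 1.0.1g): bounds-check the claimed length against
    the record actually received and silently discard the message if it does not
    fit, as RFC 6520 section 4 requires. heap_after_record is never read here; it
    is kept only so both functions can be called the same way."""
    if 1 + 2 + MIN_PADDING > len(record):
        return None
    hbtype, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return None
    echoed = record[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def bytes_leaked(response: bytes, request: bytes) -> bytes:
    """Return the part of the echoed payload that came from outside the request record."""
    _, payload_length = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + payload_length]
    in_record = len(request) - 3             # payload + padding bytes that were really sent
    return echoed[in_record:] if payload_length > in_record else b""


if __name__ == "__main__":
    # Constructed stand-in for neighbouring heap contents, not real data.
    NEIGHBOUR = b"session=abc123;password=hunter2"
    honest = build_heartbeat(b"ping")                         # says 4 bytes, sends 4
    malicious = build_heartbeat(b"ping", claimed_length=40)   # says 40 bytes, sends 4

    print("vulnerable, honest   :", bytes_leaked(respond_vulnerable(honest, NEIGHBOUR), honest))
    print("vulnerable, malicious:", bytes_leaked(respond_vulnerable(malicious, NEIGHBOUR), malicious))
    print("fixed, malicious     :", respond_fixed(malicious, NEIGHBOUR))
```

The honest request gets an honest echo from both versions. The lying request makes the vulnerable server hand back 40 bytes when only 4 were sent, and the extra 20 come straight out of the simulated neighbouring memory; the fixed server drops the message and answers nothing at all. Scale the lie up to 65,535 and repeat it thousands of times and you have the real attack.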

What You Should Do

1. Identify those sites that you use that may be “secure” sites and go to those sites, or call the companies, and inquire about whether they are affected by this. If they are, find out when it will be fixed on their end and ask to be notified when it's fixed… or ways to follow up on the progress. Most likely, these sites and companies will be contacting you by email in the very near future.

2. Use this tool to test their server by entering in their web address. Be aware that passing this test only tells you the server is not vulnerable right now, not that it never was. They could have repaired the problem since its discovery… before you ran this test. http://filippo.io/Heartbleed/

3. Change your passwords to these sites AFTER you are confident they have fixed the problem. Changing your passwords before the fix is in place will likely cause your new password to be stolen as well. Keep in mind that a full fix is more than just patching OpenSSL: because the site's private key may have leaked, the site also needs to get a new certificate and revoke the old one. If a company only says “we patched,” ask whether the certificate was reissued too.

WARNING

The chances are very high that there will be scammers coming out of the woodwork to take advantage of this. Here are some DO NOTs to follow:

DO NOT click on any links in any email guiding you to reset your password. Instead, go directly to the site and change your password as you would normally do.

DO NOT take any phone calls from anyone claiming to be the Feds or Microsoft or Facebook wanting to get personal information from you.

DO NOT use the same password on more than one site. Make every password unique (more on this in a minute).

DO NOT assume anything online is inherently safe. The Internet is a wonderful and dangerous place… treat it as such.

Other Considerations

1. Use a GOOD password manager. Everyone complains about passwords these days. They have too many… too complicated… can’t remember… blah blah blah. Do yourself a favor and use a good, secure password manager. I personally use and recommend LastPass (https://lastpass.com/). The free version will work for most users. However, if you want even more security and smartphone functionality (which I like), then a premium subscription is needed. For $12 a year, a premium subscription is hardly a strain on the wallet.

2. Never use the same password twice. Using LastPass makes this easy. First, since LastPass stores all your sites, usernames and passwords it's not a big deal to use passwords that you can’t remember. I have probably a hundred different passwords and know almost none of them… that's what I pay LastPass to do. LastPass will also generate a password for you so you don’t have to figure out what to use.

3. Always use strong passwords. I recommend using passwords of at least 12 characters in length… especially for sensitive sites like banking and sites you put credit card or personal information into. You need to have at least one of each of the following: a capital letter, a number and a special character. With LastPass you can enter these parameters and it will generate a secure password for you to use… simple.

4. Change passwords on a regular basis. If you’re a business you should be changing passwords at least every 90 days. For individuals, pick a day each year… or twice a year to go through and change your passwords (at least your super important ones). For example, change your passwords when the time changes twice a year or every year on your birthday or Groundhog Day… I mean… what else are you doing on Groundhog Day?
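If you would rather see the rules from items 2 and 3 in code than take a password manager's word for it, here is an added example (written for this post, not LastPass's code) that generates passwords meeting the "12 or more characters, at least one capital letter, one number and one special character" rule using the operating system's secure random source, checks a password against that rule, and flags sites in a vault that share a password. The set of "special" characters and the sample vault are assumptions made up for the example.

```python
import secrets
import string
from typing import Dict, List

# Assumed policy, taken from the recommendations above.
MIN_LENGTH = 12
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"   # assumption: which symbols count as "special"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL


def meets_policy(password: str) -> bool:
    """True if the password is long enough and has a capital, a digit and a special character."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SPECIAL for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Generate a password that satisfies meets_policy.

    One character from each required class is picked first so the policy is
    guaranteed, the rest is filled from the whole alphabet, and the result is
    shuffled so the guaranteed characters do not sit in predictable positions.
    `secrets` draws from the OS random source; the `random` module would not be
    suitable for this.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [
        secrets.choice(UPPER),
        secrets.choice(DIGITS),
        secrets.choice(SPECIAL),
        secrets.choice(LOWER),
    ]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def reused_sites(vault: Dict[str, str]) -> List[List[str]]:
    """Group site names that share a password.

    Every group returned is a set of sites where a leak at any one of them
    (Heartbleed being a good example) hands an attacker the rest.
    """
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed sample vault; the passwords here are deliberately bad.
    vault = {
        "bank": "Tr0ub4dor&3",
        "webmail": "Tr0ub4dor&3",
        "shopping": "password",
        "forum": generate_password(),
    }
    for site, pw in vault.items():
        print(f"{site:9} policy ok: {meets_policy(pw)}")
    print("sites sharing a password:", reused_sites(vault))
```

The two checks complement each other: a password can pass the policy and still be a liability if it is used on more than one site, which is exactly why the "one password per site" rule matters more than ever after a bug like this.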

If you can think of other recommendations, leave a comment below or go over to our Facebook page and let us know what you would recommend.