Saturday, April 12, 2014

Heartbleed - Internet Wide Risk

You may already have heard about the Heartbleed bug. This article is meant to be a simple rundown:

Web sites encrypt (or should encrypt) important traffic over the Internet such as usernames and passwords for example.

All web sites use some sort of special encryption software for this. Many web sites use a freely available (free as in no money) encryption software named OpenSSL.

Many OpenSSL versions are perfectly safe, only a few versions are affected, that is they contain a bug that allows encrypted information to be decrypted, that is finally to be read in clear text.

There is little we can do on our computers to avoid Heartbleed except avoiding affected web sites. Here are two places where you can check web site addresses for this bug. A web site address is the URL, what you type in the address bar of your web browser.
  1. Heartbleed Test by seems to be privately run; just type over the example "Facebook" entry in the form. This site has lots and lots of detailed information about Heartbleed  and a lengthy Q&A page.
  2. Heartbleed Test by is professionally run by, a password management service.
    For full disclosure: I use Lastpass, I am one of their customers.
And last but not least here is a list of affected web sites. A warning: This link leads to a forum entry with lots of subsequent discussions that you can safely ignore.

What to do if you use an affected web site?

Assuming that you have done above checking and you have in the past used an affected web site there is only one thing we can do:
Do not log into accounts from afflicted sites until you're sure the company has patched the problem. If the company hasn't been forthcoming -- confirming a fix or keeping you up to date with progress -- reach out to its customer service teams for information, said John Miller, security research manager for TrustWave, a security and compliance firm.
PLEASE give that website or company feedback; tell them that you will shun them if they don't fix their servers soon. If we don't speak up we give them the liberty to stay lazy and to ignore our concerns about this.

Don't be shy about reaching out to small businesses that have your data. Make sure their web site is secure. While high-profile companies like Yahoo and Google certainly know about the problem, a small businesses might not be aware of it, said TrustWave's Miller. Be proactive about the safety of your information.

Keep a close eye on financial statements for the next few days. If attackers can access stored credit card information it can't hurt to be on the lookout for unfamiliar charges on your bank statements.

Once you have gotten confirmation that the web site is fixed change passwords of sensitive accounts like banks and email immediately.

What to do if you have used the same password on more than one web site? Immediately stop this dangerous practice.

On important web sites, where money is involved for example, establish unique passwords for every such web site. And as usual, write the passwords down where you can find the note when you need it - you will need the note, believe me.

And last but not least at all: Your sleek Android smartphone could be affected as well! You find more about that here.

As usual I welcome suggestions and comments right here in the blog.

Click here for a categorized Table Of Contents.

No comments: