Heartbleed In a Nutshell
The news about Heartbleed is all over the media. Advice is coming from many sources, it includes many different approaches to dealing with it, and the explanations of what it is and how it affects you are confusing. This is my attempt to make things as clear as possible for end users, not for system administrators who are busy fixing their servers.
What is it?
There is a bug in OpenSSL, the software that a large share of websites rely upon to provide secure, encrypted (HTTPS) connections between your computing devices and those websites, so that the information you send and receive cannot be read by anyone else. The bug, tracked as CVE-2014-0160 and made public on April 7, 2014, is in OpenSSL's handling of the TLS "heartbeat" extension: a specially crafted heartbeat request makes a vulnerable server reply with up to 64 KB of whatever happens to be in its memory at that moment, and an attacker can repeat the request as often as they like to read more. That memory can contain usernames, passwords, credit card numbers, SSNs, session cookies, anything else recently sent to the site, and even the site's private encryption key. The attack leaves no trace in ordinary server logs, so a site generally cannot tell whether it was attacked. This is a VERY serious problem.
What should I Do?
First, assume that ALL websites you visit, or have visited in the past 2 years, may have been affected by this bug (the vulnerable OpenSSL versions date back to early 2012). The site owners may claim that they are not affected as of today, but they may have been affected until recently. If they were affected and have since fixed it, then anything you entered on their site during the past 2 years may have been exposed.
Click on the little lock icon in your web browser and examine the website certificate for the date it was issued.
· Internet Explorer:
o Click the View certificate link
o Make note of the Valid From date
· Firefox:
o Click the More Information button
o Click the View Certificate button
o Make note of the Issued On date
· If the date issued is 4/7/2014 (the day the bug was made public) or later, the site was probably vulnerable and its owners have most likely fixed it and replaced their certificate. CHANGE YOUR PASSWORD for this site, and MONITOR any credit cards, banking statements, etc. for unusual activity. A new certificate is a good sign, not proof: it does not tell you whether the old certificate was revoked, or whether the site was patched before the new one was issued.
· If the date issued is earlier than 4/7/2014, the site may never have been affected, may be patched but still using its old certificate, or may still be vulnerable. Check to see if the site is vulnerable (see below) before logging into it.
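The same certificate-date check, done from a script instead of by clicking the lock icon, as an added example that is not part of the original post. It uses only Python's standard library: fetch_cert() is the only part that needs network access, and the host names and sample certificate dates at the bottom are constructed for illustration.

```python
"""Compare a site's certificate 'Valid From' date with the Heartbleed disclosure date.

Added example, not from the original post. Standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was made public on 7 April 2014. A certificate issued
# on or after that date is a sign the operator re-keyed after patching.
DISCLOSURE_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def issued_on(cert):
    """Return the certificate's 'Valid From' / 'Issued On' date as a UTC datetime.

    `cert` is the dict that ssl.SSLSocket.getpeercert() returns; its 'notBefore'
    value is a string such as 'Apr  8 00:00:00 2014 GMT'.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess(cert):
    """Apply the post's rule to one certificate.

    'reissued-after-disclosure': change your password on this site and watch your
        statements (a new certificate is a good sign, not proof the site was patched).
    'check-before-login': the certificate predates the disclosure, so run a
        vulnerability check before entering a password.
    """
    if issued_on(cert) >= DISCLOSURE_DATE:
        return "reissued-after-disclosure"
    return "check-before-login"


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate `host` presents (the only step that needs network).

    SNI (server_hostname) is sent so a shared host returns the right certificate;
    the default context also verifies the chain, so an untrusted certificate raises.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_site(host):
    """Return (host, issued date, verdict) for a live site."""
    cert = fetch_cert(host)
    return host, issued_on(cert).date().isoformat(), assess(cert)


if __name__ == "__main__":
    # Constructed sample certificates (only the one field this check uses), so the
    # demonstration runs offline. For a real site, call check_site("example.com").
    samples = {
        "reissued.example": {"notBefore": "Apr  8 00:00:00 2014 GMT"},
        "old-cert.example": {"notBefore": "Mar  1 12:00:00 2013 GMT"},
    }
    for name, cert in samples.items():
        print(f"{name:20} issued {issued_on(cert).date()}  -> {assess(cert)}")
```

The verdicts are the two branches of the rule above; a "check-before-login" result is not a finding of vulnerability, only a reason to run one of the checks described next before typing a password.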
Check to see if a site is vulnerable:
· There are several sites that offer free checks to let you know whether a site is vulnerable or not.
· Each of these sites lets you enter the website address and reports back whether they believe it is vulnerable. Be advised that these sites are pretty busy right now due to high traffic volumes.
· IF a site is found to be vulnerable, you have a couple of choices:
o Do not access the site until you can verify that it has been fixed. This is the safer choice: a password you enter on a still-vulnerable site can be read out of the server's memory as you use it.
o Change your password for that site to something OTHER than any password you use elsewhere. NOTE: If you choose this option, you will need to change this password AGAIN as soon as the site is no longer vulnerable, because the new password is exposed in exactly the same way the old one was.
Bottom line:
· Change your passwords, and DO NOT use the same password on every site. See my other post about Managing Passwords.
o Use a (local, not cloud-based) password vault application to store all your passwords and user IDs so you don't have to memorize them all. KeePass is a good choice; there are many others as well. You just need to memorize one good, strong password for the vault. To make it easy to get at your passwords, you can place the password vault file in a file sync application such as Box, DropBox, SugarSync, etc., and then access your password file from all of your devices. The vault file itself is encrypted, so syncing it is only as safe as the vault password you chose.
· Make your email password(s) very strong, and DO NOT use it/them anywhere else.
o Why? Because many sites, like banks, allow you to create a new password if you forget yours by sending something to your email that you must follow up on so they can "verify" you are the real person. If someone hacks your email, they can reset all your financial site passwords pretty quickly.
· Monitor your financial statements (bank accounts, credit cards) for suspicious activity, and if you detect any, report it immediately.