If you’ve been paying attention to tech news this week, you’ve probably heard about Heartbleed, the security flaw that has widespread implications across the Internet. Chances are, if you’re on the Internet, you’ve been on a website that has been affected by Heartbleed.
You need to know what Heartbleed is and what you should do to protect yourself.
What Is Heartbleed?
Heartbleed is a security flaw that allows hackers to infiltrate websites to get information from those sites. The flaw is in software that was designed to make certain websites secure, but the Heartbleed bug allows hackers to access information from within websites.
This vulnerability means that information you may have entered into an affected website, such as user names, passwords, emails, and credit card numbers, could have been exposed to hackers. The Heartbleed flaw existed for over two years before it was recently discovered.
The Wall Street Journal is reporting that the Heartbleed bug has also been found in routers and other networking equipment. See, Heartbleed Bug Found in Cisco Routers, Juniper Gear.
Security expert Bruce Schneier explains the gravity of the situation in his Heartbleed blog post: “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
Why Is Heartbleed So Important?
Heartbleed affects websites that were supposed to be safe, those with SSL security certificates. When browsing the Web, you can tell which sites have SSL security certificates because you see https:// instead of http:// before the URL (the URL is the web address of a site, such as wonderoftech.com). HTTPS was designed to show the safety of a website so that those surfing the Internet would be able to identify websites that were secure.
Because of Heartbleed, HTTPS no longer gives reliable assurance of the safety of a website.
See, How to Shop Online With Added Security for more information about HTTPS websites.
Note that there have been no reports of any data being stolen using the flaw, but that doesn’t mean that no information was taken. Think of Heartbleed as if you had installed a heavy-duty padlock on the front door of your home, then arrived home from a trip and discovered that your back door was unlocked. The difference with Heartbleed is that you can’t check your stuff to see whether anything is missing.
Which Sites Are Affected?
The list of websites vulnerable to Heartbleed is long and includes major sites such as Google, Yahoo, Facebook, Instagram, Pinterest, Tumblr and many more. An estimated 2/3 of websites have been affected. According to InfoWorld, “Canada’s online tax filing services had to be shut down completely in the wake of Heartbleed, leaving filers out in the cold right before their tax deadlines.”
How can you tell if a website is vulnerable to Heartbleed? You can check to see if a website has been affected at http://filippo.io/Heartbleed/.
Which Sites Are Not Affected?
The good news is that not all websites were affected by Heartbleed. According to Mashable, unaffected sites include Amazon.com, Target, Microsoft, AOL, PayPal, Wells Fargo, Walmart, Nordstrom, Bank of America, Chase, Capital One and others.
See, The Wall Street Journal, U.S. Regulators Tell Banks to Plug ‘HeartBleed’ Security Hole
What to Do to Protect Yourself
Check to see if affected websites where you have accounts have been patched. Once they have been, be sure to change your password. Keep an eye on your credit card and bank statements for any unusual activity.
If you use the LastPass password protection service, check out their Heartbleed blog post to find out how LastPass can help you monitor your online accounts. If you weren’t using LastPass already, signing up now won’t help you monitor your accounts for Heartbleed vulnerabilities.
What Not to Do
→ Don’t change your password on an affected site until you know the issue has been fixed. If you change your password before the bug has been patched, your new password could be stolen just as easily as your old password could have been.
Mashable has a list of the major websites that have been affected and shows which of them have fixed the problem: The Heartbleed Hit List: The Passwords You Need to Change Right Now.
→ Don’t click on a link in an email to change your password. Hackers will exploit Heartbleed to send out spam emails phishing for your user names and passwords. If you get an email suggesting that you change your password, go to the website directly by typing the URL into the address bar of your browser.
You can find more information at heartbleed.com.
Had you heard the news about Heartbleed? What steps have you taken to protect yourself? Does this make you less confident about using the Internet? Share your thoughts in the Comments section below!