Heartbleed Bug: Your Cheat Sheet to Staying Clean
Earlier this week, a security flaw was discovered in OpenSSL, widely used encryption software that is supposed to protect communication security and privacy over the Internet. The security vulnerability, dubbed the “Heartbleed Bug,” could expose users’ private data, including email content, user names, and passwords.
According to the official Heartbleed Bug website that was established by security testing firm Codenomicon to provide information on the security vulnerability, “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Naturally, this serious vulnerability has alarmed individuals and companies alike that are worried about compromising users’ private information. Unfortunately, as noted on the Heartbleed Bug website, the security vulnerability will not be patched until “Operating system vendors and distribution, appliance vendors, [and] independent software vendors” have adopted the fix and notified their users. However, there are several proactive steps that users can take to protect their data in the meantime.
1. Identify and Avoid Websites That Have Been Affected
According to Codenomicon’s Heartbleed website, the security vulnerability affects over 66 percent of the Internet. This makes it quite likely that the websites you use have been directly affected by this security flaw. On the other hand, there are some major Web service providers that were not affected, because they don’t use the type of encryption exploited by the Heartbleed Bug. For example, Apple (NASDAQ:AAPL) recently told Re/code that “iOS and OS X never incorporated the vulnerable software and key Web-based services were not affected.”
Some security researchers have established sites where you can check whether a website you use has been affected, such as the one made by Filippo Valsorda and the one made by LastPass Password Manager. Google (NASDAQ:GOOG) also offers a “Chromebleed” extension for its Chrome browser that will warn you if the website you are visiting has been affected by Heartbleed. You can also contact websites directly to find out if they have been affected. Avoid logging into accounts at affected websites until the company that manages the website has issued a patch to fix the vulnerability.
2. Change Your Passwords
Although your first instinct may be to change all of your passwords, this may be an exercise in futility until the service provider or website manager fixes the security flaw. Without a security fix, your new password will be just as vulnerable to being stolen as your old password. However, once an affected website has issued a patch, you should immediately change your password.
3. Monitor Your Bank and Credit Card Activity
Even if your sensitive financial data has been compromised, you can minimize the damage by keeping a close watch on your bank account and credit card statements. Immediately report any unusual charges to your financial institution.
4. Stay Off the Internet?
As noted by security researchers at the Tor Project, the scope and seriousness of the Heartbleed security vulnerability might make it worthwhile for some users to stay off the Internet completely until more security fixes are in place. “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle,” advised the security researchers.
Follow Nathanael on Twitter (@ArnoldEtan_WSCS)