Thursday, April 10, 2014

Heart Bleed: What is it and How to Avoid a Broken Heart


Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week.  The damage caused by the “Heartbleed” bug (note this is not a virus and normal security software will not catch it) is currently unknown. There isn’t much that people can do to protect themselves until the affected websites implement a fix.

What is the Heartbleed bug?

Heartbleed is a flaw in OpenSSL, the open-source software library that implements the SSL/TLS encryption used by the majority of websites that need to transmit data users want to keep secure. It basically gives you a secure line when you're sending an email or chatting on IM.

Encryption works by making it so that data being sent looks like nonsense to anyone but the intended recipient.  Occasionally, one computer might want to check that there's still a computer at the end of its secure connection, and it will send out what's known as a heartbeat, a small packet of data that asks for a response. 

Because of a programming error in OpenSSL's implementation of this heartbeat, the researchers found that it was possible to send a well-disguised packet that looked like one of these heartbeats and trick the computer at the other end into sending back data stored in its memory.
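To make that programming error concrete, here is an added illustration (not OpenSSL's code and not part of the original post) that simulates a heartbeat handler in C, with a small in-memory buffer standing in for the server's memory; the handler names, the 64-byte buffer and the fake session secret are all constructed for the demonstration. The vulnerable version trusts the payload length the sender claims, while the fixed version checks it against what actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server's memory: the received heartbeat
 * payload is stored at the front, and unrelated data (here a fake session
 * secret) happens to sit right behind it. */
#define MEM_SIZE 64
static unsigned char server_mem[MEM_SIZE];
static const char *SECRET = "session-cookie=EXAMPLE-ONLY";
typedef size_t (*hb_handler)(uint16_t claimed_len, const unsigned char *payload,
                             size_t actual_len, unsigned char *out, size_t out_size);

/* Vulnerable handler: trusts the peer's claimed payload length and echoes that
 * many bytes of memory back, even though only `actual_len` bytes arrived. */
size_t heartbeat_reply_vulnerable(uint16_t claimed_len, const unsigned char *payload,
                                  size_t actual_len, unsigned char *out, size_t out_size) {
    size_t n = claimed_len < out_size ? claimed_len : out_size; /* keeps the demo in bounds */
    memcpy(server_mem, payload, actual_len);   /* store what really arrived */
    memcpy(out, server_mem, n);                /* copies past the real payload */
    return n;
}

/* Fixed handler: a claimed length larger than the data actually received is
 * rejected before anything is copied (the bounds check the OpenSSL fix added). */
size_t heartbeat_reply_fixed(uint16_t claimed_len, const unsigned char *payload,
                             size_t actual_len, unsigned char *out, size_t out_size) {
    if (claimed_len > actual_len || claimed_len > out_size)
        return 0;                              /* drop the malformed heartbeat */
    memcpy(server_mem, payload, actual_len);
    memcpy(out, server_mem, claimed_len);
    return claimed_len;
}

/* Runs one malformed heartbeat (5 bytes sent, 40 claimed) through a handler
 * and returns how many bytes beyond the real payload were echoed back. */
size_t bytes_leaked_by(hb_handler handler) {
    const unsigned char payload[] = "hello";   /* the 5 bytes actually sent */
    unsigned char reply[MEM_SIZE];
    memset(server_mem, 0, MEM_SIZE);
    memcpy(server_mem + 5, SECRET, strlen(SECRET)); /* neighbouring data in memory */
    size_t n = handler(40, payload, 5, reply, sizeof reply);
    return n > 5 ? n - 5 : 0;                  /* 35 for vulnerable, 0 for fixed */
}

int main(void) {
    printf("vulnerable handler leaked %zu bytes\n", bytes_leaked_by(heartbeat_reply_vulnerable));
    printf("fixed handler leaked %zu bytes\n", bytes_leaked_by(heartbeat_reply_fixed));
    return 0;
}
```

The vulnerable handler hands back the fake secret that sat next to the payload; the fixed one returns nothing for the same request.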

According to the researchers who discovered the flaw, the security hole exists on a vast number of the Internet’s Web servers and went undetected for more than two years. While it’s conceivable that the flaw was never discovered by hackers, it’s nearly impossible to tell.

Q: Am I safe now that it's been identified?

A: It depends on the website. A fixed version of OpenSSL has been released, but it’s up to the individual website administrators to put it into place.  Yahoo Inc., which has more than 800 million users around the world, said Tuesday that most of its popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it didn’t identify.

Q: So what can I do to protect myself?

A: Ultimately, you’ll need to change your passwords, but that won’t do any good until the sites you use adopt the fix. It’s also up to the Internet services affected by the bug to let users know of the potential risks and encourage them to change their passwords. Mashable has listed some of the most popular websites and says whether each was affected and whether it has patched its site yet.

Now you can check whether the websites you use have been patched. Go to https://lastpass.com/heartbleed/ and paste in the link for the website you want to test. I wouldn't test the homepage of the site, but rather the login page.

Tips for changing passwords


Don’t fall for “phishing” attacks: Be very careful before clicking on a link (even if it appears to be from a legitimate site) asking you to log in, change your password or provide any other personal information. It might be legit or it might be a “phishing” scam where the information you enter goes to a hacker. When in doubt, log on manually by typing what you know to be the site’s URL into your browser window.

Never give out your password to anyone (except your parents). Never give it to friends, even if they’re really good friends. A friend can – accidentally, we hope – pass your password along to others or even become an ex-friend and abuse it.

Don’t just use one password. It’s possible that someone working at a site where you use that password could pass it on or use it to break into your accounts at other sites.

Create passwords that are easy to remember but hard for others to guess. When possible, use a phrase such as “I started 7th grade at Lincoln Middle School in 2004” and use the initial of each word like this: “Is7gaLMSi2004.”

Make the password at least 8 characters long. The longer the better. Longer passwords are harder for thieves to crack.

Include numbers, capital letters and symbols. Consider using a $ instead of an S or a 1 instead of an L, or including an & or % – but note that $1ngle is NOT a good password. Password thieves are onto this. But Mf$1avng (short for “My friend Sam is a very nice guy”) is an excellent password.

Don’t use dictionary words: If it’s in the dictionary, there is a chance someone will guess it. Criminals even use software that tries every word in a dictionary.

Don’t post it in plain sight: This might seem obvious but studies have found that a lot of people post their password on their monitor with a sticky note. Bad idea.  If you must write it down, hide the note somewhere where no one can find it.

Consider using a password manager: Programs or Web services like RoboForm (Windows only) or Lastpass (Windows and Mac) let you create a different very strong password for each of your sites. But you only have to remember the one password to access the program or secure site that stores your passwords for you.

Make sure your computer is secure: The best password in the world might not do you any good if someone is looking over your shoulder while you type or if you forget to log out on a cybercafe computer. Malicious software, including “keyboard loggers” that record all of your keystrokes, has been used to steal passwords and other information. To increase security, make sure you’re using up-to-date anti-malware software and that your operating system is up-to-date.

So what do the Tech Ninjas recommend?

  1. First, follow the Tech Ninja Blog.
  2. Make a list of the websites you use that require a password (and group them together if you use the same password for several of them).
  3. Do a Google search to see whether each of those websites has been patched against Heartbleed.
  4. Check https://lastpass.com/heartbleed/ to see whether the websites where you store personal or financial information are safe.
  5. Change each password to a secure, unique one. Check out our post on LastPass to see why it is such a great resource. LastPass will not only alert you to which sites are vulnerable, but also tell you the last time you updated your password for the site, when that site last updated its certificates and what action we recommend taking at this time.
