By now you have heard about the internet security problem called the Heartbleed Bug, which was discovered the first week of April.
But in case you haven’t, or just want to know more about it, let me take you through the important points.
What is Heartbleed?
Heartbleed is not a virus or malware, but a programming bug discovered by a member of Google’s internal security team in conjunction with a security firm called Codenomicon.
The flaw was found in software called OpenSSL, which is responsible for setting up the encryption of “secure web pages”.
You’ll recall that whenever you go shopping online, or are on a web page where you are to enter private information, you need to make sure you are on a secure page. You can always tell this by looking for “HTTPS://” at the front of the page address instead of just “HTTP://” (notice there is no “S”).
On sites that use it, OpenSSL is the software that makes such a page secure.
The Heartbleed bug allows the cyber-bad-guys to make requests and access your supposedly secure data.
So you can see the problem. Hackers could exploit what we think are safe and secure sites using HTTPS.
Not all secure sites use OpenSSL, but since over 60% of sites use SSL security, and of those, almost half use OpenSSL, many security experts are saying that Heartbleed is one of the biggest security threats we’ve ever seen on the Internet.
What Has Happened So Far?
As of now, no one has reported any major security breaches via Heartbleed. Since it seems to have been discovered by security experts before the cybercriminals got wind of it, many companies were able to fix the problem before they were attacked.
But the bad news is, it is possible that the bad-guys could have taken advantage of the bug, taken your private information, and then left no trace that they were there.
So there is the chance that bad things have already happened. But let’s hope not…
What Should You Do?
First of all, the main burden for fixing this problem lies with the secure sites themselves. Until a site fixes the problem (and yes, there is a patch for it), there’s nothing you can do.
However, once a site HAS fixed things, you’ll want to visit that site, log in, and change your password.
(NOTE: it won’t do you any good to change your password until AFTER they have fixed the problem).
Here are links to pages that list the sites that have been affected by Heartbleed:
- Mashable – Heartbleed Hit List – Although it doesn’t have every site listed, Mashable has key information about the most important sites that might affect you. And so far, they have been keeping it up-to-date.
- LastPass Heartbleed Checker – From the makers of the LastPass Password Manager, a page where you can enter the address of a site to see if it is affected by the bug and whether it has been fixed.
- GitHub Heartbleed Test – Another site where you can enter the address of a page to see if it’s affected.
Here is a quick snapshot of some popular sites you might use, and their Heartbleed status (as of April 11, 2014):
- Facebook – was patched; you need to change your password.
- LinkedIn – was not affected.
- Google – was patched; you need to change your password.
- Gmail – was patched; you need to change your password.
- Yahoo – was patched; you need to change your password.
- Yahoo Mail – was patched; you need to change your password.
- Hotmail/Outlook – was not affected.
- Instagram – was patched; you need to change your password.
- Pinterest – was patched; you need to change your password.
- Amazon – was not affected.
- PayPal – was not affected.
- eBay – was not affected.
- Etsy – was patched; you need to change your password.
- Target – was not affected.
- Groupon – was not affected.
- Walmart – was not affected.
- Dropbox – was patched; you need to change your password.
To Summarize…
Heartbleed seems to be a perfect example of what you should always know about the Internet… that there is no such thing as 100% security or safety.
That being said, I think the good news about all this hoopla is that it not only raises our awareness of Internet security, but also shows that, behind the scenes, there are companies watching out for these kinds of bugs in hopes of keeping the bad-guys at bay.
So again, here is what you should do about Heartbleed:
- Visit one of the pages I listed above to see if a site you use has been affected.
- See if the site has fixed / patched the problem.
- If it has, log in to that site and change your password.
By the way, CLICK HERE to read an article I wrote about creating the best passwords. This might be a good time to set up a new, GOOD one!
For more information, the company that helped discover the flaw, Codenomicon, has set up an information page you can CLICK HERE to see. Some of the information is a bit geeky, but it’s very complete.
As always, I would love to hear your comments about the subject. You can leave them below!!!
Hi John,
It is so great you take the time to help us understand the current status of online security. I have already read about HeartBleed but you give us an understandable description and format to follow to stay ahead of problems. Even though I haven’t been able to fit any classes into my schedule recently I always read your informative emails. Thank you so very much.
Hi Peg…
Thanks so much for the kind comments. Glad that you found the article helpful!
Take care!
John Lortz