If you’ve been on the Internet at all this week, you know the big story is the “Heartbleed” bug. In a nutshell, this bug gives hackers a way past the security on roughly two thirds of the websites out there. Hackers can snag usernames, passwords, credit card information, encryption keys and other sensitive information they shouldn’t have. The worst part is that this bug existed for two years before any security company or researcher noticed.
It sounds bad, and it is bad. But it isn’t the end of the world, or even the Internet. Let’s take a look at what exactly is going on and how you can stay safe.
Before I can tell you how to stay safe, you need to know a bit about what this bug does and how it came about.
As you may know if you’re a long-time reader, an important part of online security is encryption. This scrambles your connection with banking sites, social media sites and other sensitive sites. That way, hackers can’t intercept and read your important data.
If you’ve ever seen “https” in the address bar of your browser, that means encryption is turned on. You can learn more details about encryption in this tip.
One of the most popular encryption systems in use is OpenSSL. Back in late 2011 and early 2012, however, it got an add-on called the “heartbeat extension.” You don’t need the nitty-gritty details of what it does, but the bug we’re talking about was in this add-on; hence the nickname “Heartbleed.”
The result of the bug is that on sites using certain versions of OpenSSL, hackers can bypass any security and download random chunks of information. These chunks are incredibly small, but if hackers get enough of them, they can reconstruct a lot of data they shouldn’t have. They might even be able to snoop on your communication with the website in question.
Just to be clear: The Heartbleed problem is with the websites. This bug doesn’t mean hackers can pull information off your computer. It also doesn’t mean you should avoid encryption. Encryption is essential for online security.
The long-term fix is in the hands of the affected website owners.
First, they have to upgrade OpenSSL to the latest version that squashes the bug. Then they have to get new security certificates – again I won’t trouble you with the details. Once that’s done, many sites will ask users to change their passwords.
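The fix order above can be written as a small check. This is an added example, not part of the original article: the affected range (upstream OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) comes from the OpenSSL advisory rather than this page, and the function names, the `patched_on` field and the sample sites are hypothetical.

```python
import re
from datetime import date
from typing import Optional

# Upstream release strings only, e.g. "1.0.1f" or "OpenSSL 1.0.1f".
_UPSTREAM = re.compile(r"(?:OpenSSL )?(\d+)\.(\d+)\.(\d+)([a-z]?)")

def is_affected(version: str) -> bool:
    """True for upstream OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g)."""
    m = _UPSTREAM.fullmatch(version.strip())
    if m is None:
        # Distro package strings such as "1.0.1e-2+deb7u5" may include a
        # backported fix under an old letter, and pre-release builds use
        # their own numbering, so refuse to guess from the string.
        raise ValueError(f"cannot judge {version!r} from the version string alone")
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    return branch == (1, 0, 1) and m.group(4) < "g"

def next_step(version: str, cert_issued: date, patched_on: Optional[date]) -> str:
    """Where a site stands in the fix order: upgrade, new certificate, passwords.

    patched_on is the day the site left an affected version, or None if it
    never ran one (hypothetical field for this example).
    """
    if is_affected(version):
        return "wait: site must upgrade OpenSSL"
    if patched_on is None:
        return "never exposed"
    if cert_issued < patched_on:
        return "wait: site must replace its certificate"
    return "change password now"

# Constructed sample sites, not real measurements.
SITES = {
    "shop.example": ("1.0.1f", date(2013, 6, 1), None),
    "mail.example": ("1.0.1g", date(2013, 6, 1), date(2014, 4, 8)),
    "bank.example": ("1.0.1g", date(2014, 4, 9), date(2014, 4, 8)),
    "blog.example": ("0.9.8y", date(2012, 1, 5), None),
}

if __name__ == "__main__":
    for host, record in SITES.items():
        print(f"{host:14} {next_step(*record)}")
```

A certificate issued before the upgrade is treated as still needing replacement, because its private key was in use while the server was vulnerable.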
Fraud alert: If you receive an email from a website asking you to change your password, always open your browser and log in to your account manually. Don’t click on any links in the email. Scammers will be taking advantage of this situation and sending fake emails to trick you into clicking malicious links. See what a fake email looks like.
Fortunately, website owners are responding and fixing Heartbleed quickly. Major sites like Yahoo, DropBox, Twitter, Tumblr and many more are already updated. There are still plenty of sites, though, that aren’t.
Of course, you don’t have to wait for websites to finish updating; you can change your passwords right now. With so many sites affected, I would change every password you have to be safe. Learn how to create a strong, unique password.
Note: There is some debate about when you should change your passwords. Some experts are saying right away and others say to wait until sites update and tell you to. Given that this has been out there for a while, I say the sooner the better, just to be safe. If a site asks you to update after that, you can always change the password again. A password manager can help you keep them straight.
Since we’re talking about passwords, I should mention another danger that you might not be aware of. Your browser saves every password you type and anyone can see them. Click here to learn just how easy it is to see someone’s saved browser passwords.
I know some people want to avoid visiting any sites that still have the Heartbleed bug. While it won’t make too much of a difference at this stage, these sites can tell you which websites aren’t updated. Just note that the results can be tricky to decipher. My site (komando.com) for example, gets an “uh-oh” or “possibly vulnerable” message because of the way it’s set up, but it was never at risk.
Update: The Heartbleed bug is obviously the focus of a great deal of internet attention right now, and the news and developments are fluid. My readers are getting a lot of conflicting and confusing information from these URL checkers. LastPass, for example, indicates a possible problem with Komando.com, though my site was never at risk.
My advice is to change your passwords for now and check back to my blog for news as it comes out from the various major sites. I’ll keep you updated!
If you’re very worried about a site, you can contact the site’s technical support for more details and instructions. Just be patient as many sites are going to be overwhelmed by worried customers with the same question.
In the meantime, check back at my blog for updates as news breaks on this malevolent bug.
komando.com | April 9, 2014 | Kim Komando