Heartbleed: It’s time to change your passwords
If you think you aren’t affected by the super hyped Heartbleed bug, you really need to keep reading. And you definitely should change your passwords, immediately. Even Facebook and Twitter use OpenSSL, and they are the among the most used websites on the internet! So basically, OpenSSL is a part of your life as long as you are using internet.
What is the Heartbleed bug?
Quoting from the official website:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
In simple terms, encryption makes your data unreadable to the outsider. Without the key, the data being sent looks like nonsense to anyone without the key. And OpenSSL is used by majority of websites, to store the data and the keys.
Going into the details, hackers can download your username and password without leaving any trace of the activity. OpenSSL powers over 60% of the websites on the internet. The Apache Web Server which powers over 50% of the website on the internet, uses OpenSSL. OpenSSL has a previously known bug, which is termed Heartbleed, that allows a hacker to download all the sensitive information from the website without any trace in the logs. Since this bug leaves no trace, there is no possible way to determine how much or what data has been compromised.
Again, from the official website:
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
A well respected security expert, Bruce Schneier says on his blog: “On the scale of 1 to 10, this [Heartbleed] is an 11”. While OpenSSL has already released a fixed update to take care of the issue, changing your password may not necessarily protect you from the vulnerability. Changing your password before the website fixes the issue will achieve nothing, so you might as well wait for them to patch it up, and then immediately change your password, everywhere.
While the bug has been around for almost 2 years, it was publicized on Monday. By now, a lot of website must have updated their OpenSSL and you can probably go ahead and change your password. I have received emails from Incapsula, Bitnami and IFTTT about the security update and a request to change the password.
Mashable has compiled a list of all the major websites affected (or not affected) by the bug, with the necessary actions outlined.
What you should be doing?
Change your passwords on all major sites, after you receive an update on the fix. The Mashable list can come in handy here. Even if a website claims that its servers were not affected, you never know. Remember, the hackers left no trace (if there were any). And it’s always better to be safe than sorry. And if you are using the same password everywhere, you must change them all, to different ones! Use a password manager like LastPass if you have a difficulty remembering them. Just to mention, LastPass has added the patch, and also offers a new tool to show you which of your supposedly secure online accounts are at risk of being compromised by the bug.
And if you already use the browser extension for LastPass, you are at and advantage. Just tap on the LastPass icon, and go to Tools > Security, and voila! You will be presented with a list of all the passwords saved with LastPass, how old they are, which websites are affected by the bug, and which passwords should you change immediately.
Which passwords should you change?
Start with the Mashable list, and the LastPass security check. But just as a precaution, change passwords of all your financial accounts, all the emails you are currently using, your social networks and if possible, anywhere important where you signed up. If this seems like an impossible task, again, use a Password Manager!
Use two step authentication for every site that offers it. If you are unsure about any website, use this tool to check whether it has been affected by the bug or not.
Ultimately, you are going to have to change majority of your passwords, but make sure you do it after you are notified of the fix by the company. If in case there’s no notification for a while from any company that may contain your private data, reach out and inquire about the status.
The Tor Project goes to the extent of saying that users might consider not using the internet altogether for a while. While this is not completely necessary, you gotta be smart and protect while you can. Also, as on CNET, Yahoo is among the major providers that has been affected by the bug, and users are encouraged not to login to their accounts altogether. Google, Facebook and a few major companies had tested their servers for the bug when the bug was initially discovered.
If you are still curious, head out to the official website and check the FAQs. For the non tech folks, follow the instruction above, and stay safe!
On a lighter note, xkcd has come up with its latest comic on heartbleed!