By now, you’ve likely heard of something called “Heartbleed” that the entire internet has been panicking about. What is Heartbleed? In short, it’s a backdoor into OpenSSL, the security software used by roughly two-thirds of the internet. What’s scariest about this vulnerability is that, in addition to going unnoticed for two years, it exposes encryption keys, giving attackers the ability to “unlock” users’ passwords and names, as well as the content of the traffic those keys were protecting.
Unlike other recently publicized data breaches, this was discovered by security researchers through routine maintenance rather than from an attack.
What should you do? Certainly, if your organization uses any of the affected sites or services, change your passwords. However, if the site or service affected has not yet installed the latest OpenSSL patch, changing your password won’t be very effective yet. It’s worth using this tool to check if the site has been patched yet before going to change your password. You should also consider using it to discover if your organization’s site was affected, if it is still vulnerable, or if it has been fixed. While you only need your website URL to check, it doesn’t distinguish between your site being fixed or having not been affected in the first place. For more detail, it could be worth checking with your hosting provider to see if your site was vulnerable, and if so, if they have corrected the issue.
This bug is yet another reminder to follow online security best practices:
- Use strong passwords. You should use at least 8 to 12 characters, with a mix of uppercase and lowercase letters, numbers, and special characters.
- When available, use two-factor authentication. Two-factor authentication supplements a password with a secondary means of confirming user identity, typically by sending a randomly generated code to the authorized user via text message. This way, even if someone else has discovered your password, they would still need your phone to complete the login process.
- Change your passwords regularly. Typically, try to change them about every two months. Many services, like Salesforce, mandate these password changes.
- Use different passwords for everything. If you use the same password for Facebook, Gmail, and other services you use, and one of those is breached, you’ve essentially handed out the keys to every aspect of your online presence.
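The first two items above describe a password policy and a text-message second factor. The following Python is an added example written for this post, not code from the original article or from any named service: it checks a password against the stated policy (at least 8 characters with upper- and lowercase letters, digits and special characters) and shows the server side of a one-time code like the one described, with the design details the article does not spell out (random generation, a five-minute lifetime, single use, and a limit on wrong guesses) being assumptions chosen here.

```python
import hmac
import secrets
import time

# Policy from the post: at least 8 characters (12 is better), with uppercase,
# lowercase, digits and special characters all present.
MIN_LENGTH = 8
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")


def password_policy_problems(password: str) -> list[str]:
    """Return the ways `password` falls short of the policy (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


# Assumed parameters for the text-message code (not stated in the post).
CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300
MAX_ATTEMPTS = 5


class SecondFactorCodes:
    """Issue and verify short-lived one-time codes of the kind sent by SMS.

    Assumed design: a code is random, expires after a few minutes, can be used
    once, and a handful of wrong guesses invalidates it so that a 6-digit code
    cannot simply be guessed at leisure.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> [code, expires_at, attempts_left]

    def issue(self, user: str) -> str:
        # secrets, not random: the code must be unpredictable to anyone who
        # does not hold the phone it is sent to.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._clock() + CODE_LIFETIME_SECONDS, MAX_ATTEMPTS]
        # In a real system this would go to the SMS gateway, not back to the caller.
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return False
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user]  # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user]  # too many wrong guesses: require a fresh code
        return False


if __name__ == "__main__":
    print(password_policy_problems("Password!"))  # ['no digit']
    store = SecondFactorCodes()
    code = store.issue("alice")
    print(store.verify("alice", code), store.verify("alice", code))  # True False
```

The `clock` parameter exists so the expiry behaviour can be exercised without waiting; production code would leave it at the default.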
For a more detailed explanation of the bug, you can read the Heartbleed FAQ here.
For a list of major services where a password change is recommended, Mashable has a thorough list here.
The webcomic XKCD recently posted a demonstration of what Heartbleed does in cartoon form…