Heartbleed – Take It Seriously

Folks, most of you know my day job is in IT, and in part I’m managing hosted environments for well over a million users worldwide. So a big part of my day today has been spent learning about Heartbleed. If you use the Internet, you need to learn about it too.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

In other words – your email, your online chats, your Facebook, your credit card numbers, your Bitcoin stash … your everything.

From security expert Bruce Schneier – “Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

So, what should you do? The Atlantic has a good summary.

  1. Change the passwords for the handful of sites that really matter to you. I’ll explain how you can do this in a total of ten minutes or less. Thisprobably isn’t necessary, but just in case…

  2. Do not ever use the same password at two sites that matter to you. Ever. Heartbleed or not, this lowers the security level of any site with that password to the level of the sleaziest and least-secure site where you’ve ever used it.

  3. Use a password manager, which can generate an unlimited set of unique, “difficult” passwords and remember them for you.

  4. Use “two-step” sign-in processes wherever they’re available, starting with Gmail.

  5. Read what happened in our family three years ago, when one of our Gmail accounts was taken over by someone in Africa, if you would like a real-world demonstration of why you should take these warnings seriously. It’s from an article called “Hacked.”

 

 

 

 

3 thoughts on “Heartbleed – Take It Seriously”

  1. Personally I regard clouds as pretty nebulous things. I prefer to keep all my important data and email on my own hard disc and back it up to other physical media under my control. But clearly cloud storage is the way the big players want to push everyone.

    1. If that’s your comment then excuse me but I have to say that you’re not understanding the issue here. Here’s one example that might affect you. I see you are using an internet mail service. You have a problem. Have you ever put confidential data of any sort into an email you have sent out? You have a problem. Your password for your webmail service, do you use that same password for any other web sites? You have a serious problem.

  2. I agree with you there, Spike. But how many people handling confidential data by email (i.e. bankers, fund managers, accountants, doctors, judges etc) have you ever seen using email encryption. In my experience – NONE! They all seem to think that because they’ve got SSL enabled mail that it is somehow encrypted. I’m shocked at how lax these people are. It’s not bloody difficult really.

Comments are closed.