How to Protect Yourself From the Heartbleed Bug
Have you heard about the newest bug that's got the tech world pulling at their hair and on the verge of tears? It's bad. Very, very bad and appropriately named "Heartbleed."
Panicking won't do any good, but being cautious will. Some experts predict that this bug could affect around two-thirds of all websites. Two-thirds is a big number so the chances you or someone you know will get caught in this tangled web are pretty good. I'm not trying to freak you out, but I don't want to sugar coat it either.
Yesterday, the website Mashable suggested you should immediately change your password if you use: Facebook, Gmail (or other Google services), Tumblr, Yahoo mail
GoDaddy, Intuit (TuboTax), Dropbox, LastPass, OkCupid, Soundcloud and others. But here's the bad thing: if an affected website or service hasn't patched the problem yet, your information will still be vulnerable. Pretty much the bug is just looming in the background waiting to pounce on your new passwords.
With the Heartbleed bug, there are four types of data that can be grabbed by the bad guys. According to Time, they are: "encryption keys; user info like passwords and usernames; “protected content” such as email messages, instant messages, credit card numbers and more; and “collateral content” such as data and code used to make the website function as intended."
So what can you do to protect yourself short of shutting off all your devices and vacationing on a deserted island until this bug is squashed?
If you’re about to log into a particular site, visit this site first: Test your server for Heartbleed (CVE-2014-0160) and pop the site's web address into the search box. The link will tell you if the site you're looking up is still vulnerable or not. Good news, I entered in the Hawk's web address and we're good. Whew!
If a website you visit every day is NOT affected, now would be a really good time to change your password on the site (if you use one) just to be on the safe site. For instance, as I write this, Facebook has no threat, so I logged in and changed my password.
However, and this is a big one- if the website address you typed in shows a breach- do NOT change your password. Remember that part I told you about changing it having no affect because the bug will just grab your new password? So, I typed in "LinkedIn" and got a message that read " Uh-oh, something went wrong: write tcp 18.104.22.1683: broken pipe. It might mean that the server is safe, we just can't be 100% sure!" Obviously since there's a chance that the sight might be breached, I did NOT change my LinkedIn password.
The other thing we need to do is remember to have patience. This bug is wreaking havoc on so many, many websites and IT people are scrambling to fix the problem. It's not going to happen overnight for most sites, especially the smaller ones, so we just have to wait it out. Better to have patience than to open Pandora's box, right?
There's a lot of research being done on the Heartbleed Bug and that means info on how to deal with it could change as more things are learned, but if you feel like investigating what's going on a little more, CNet and Reuters are great places to start.
4/11/14: I just received an email from McAfee which stated in part: " McAfee is currently in the process of auditing all of our services, and the services provided by our partners, for any dangers posed by Heartbleed. If there is any instance that the vulnerable version of OpenSSL is in use we will remediate with the utmost urgency. The severity of the Heartbleed vulnerability cannot be overstated: several major enterprises use OpenSSL, and are likely affected by this vulnerability as well. The dangers posed by this vulnerability are very real and could affect you if exploited."