The HeartBleed Bug

What is The Heartbleed Bug?

This vulnerability is found in OpenSSL, a free, open-source software library that companies use to encrypt (secure) your Internet connection to their services. Think of encryption as a secret language between two computers, where only your computer and the bank's computer (for instance) have the keys to decode each other's information.

Anyone who has logged into Facebook or an online bank account will have noticed that the address starts with https (the s standing for secure), along with a highlighted padlock next to the website address. This indicates that the data transferred from your computer over the Internet to its destination is encrypted and safe from anyone reading or capturing it along the way.

So what would happen if this layer of encryption had a vulnerability or bug in it that could be exploited? What if your banking login information were suddenly accessible to malicious people? And what if this bug went completely undetected for years? Well, enter the Heartbleed bug.


When And Who Discovered It And Who Is Affected?

This vulnerability was discovered sometime early last week by members of Google's security team as well as other independent engineers, and as of this past Friday it was finally confirmed that lots of private information can be accessed or intercepted by someone else during a secure connection online. It was also determined that this bug has been sitting in this code, and hopefully for our sake undetected, for almost two years.

With this in mind, it is safe to say that Heartbleed could be the biggest and most widespread security vulnerability in the history of the modern Internet, mainly because this encryption library (OpenSSL) runs on about 66% of all Internet servers around the world. Affected companies like Google, Yahoo, and even the Canada Revenue Agency temporarily shut down some of their services to patch this problem. It's unfortunate for the CRA, since this could not have come at a worse time: they are ramping up their tax-filing season, and the bug gives Canadians much apprehension about filing their taxes electronically.

Be that as it may, about a week later it does seem like most companies affected have taken the necessary steps to patch this security issue. So, now that the smoke has settled, many people still have many questions.

How Can I Feel Secure Online After HeartBleed?

If you look at this from a global consumer perspective, the Heartbleed vulnerability, and possibly others to follow, will have no real 'one-click' fix for people who use secure mobile or online services. Because computer programs are written by people, you are naturally going to get bugs and errors in their code. Even though this code was checked over by many people (because it is open-source), the bug was still missed for two years.

So now, more than at any other time, you have to be much more vigilant every time you are online. It means that every time you go to a website where you have to log in, you need to ask yourself "what information am I giving up for this service?" It just reaffirms that security problems like this go hand-in-hand with the convenience of using online services. Be that as it may, there are several steps you can take to ensure you are secure:

1. Use a non-dictionary password. For instance, use a password that has both uppercase and lowercase letters and includes numbers and symbols.

2. Change your password frequently. For most people, myself included, this is difficult, especially if you have many accounts. So I would recommend a software program called 'LastPass' (www.lastpass.com) or 1Password (http://agilebits.com, Mac only) to generate and remember all of those hard-to-remember passwords. LastPass is free, available on all popular operating systems (Windows, Mac, and Linux), and can be installed as a web browser plugin. It is compatible with all the most common web browsers currently in use, and it also works on your mobile device. It runs when your browser opens, and any time you log in to an online account it stores that particular username and password, so that on any additional visit to that site LastPass can automatically enter the login information. To secure all of your accounts in LastPass and have this plugin essentially auto-login, you just need to set and remember one master password. Remembering only one very strong password is much more acceptable for most people.

3. If available, use 'multi-factor authentication'. Companies like Apple and Google have recently made available 'multi-factor authentication', whereby a user has to provide two or three means of identification before they are able to log in, change account information, or even create an account. For Apple and Google that means using your username and password along with a passcode sent via text message in order to access or change your account information. According to proponents, multi-factor authentication could drastically reduce the incidence of online identity theft, phishing, and other online fraud, because the victim's password alone would no longer be enough to give a thief access to their information.

4. Call or check the website or social networking feeds (Facebook/Twitter) of the institutions you are logging into to see if they have already posted any information about this vulnerability. Being transparent about this type of security vulnerability is a good sign that companies are investing their efforts into keeping your data safe and secure.

Heartbleed has the potential to be a crippling security bug, and so for the past week most companies affected by it have been updating their version of OpenSSL and testing it to make sure it is no longer an issue.

Resources:

https://lastpass.com/heartbleed/

This site will allow you to type in an address and it will check to tell you if that site is vulnerable or not.

https://www.lastpass.com (LastPass)

This site will allow you to download and install the web browser plugin LastPass which can be used as your secure password manager. This software is cross-platform meaning it can be installed in multiple browsers and on multiple operating systems. In addition, all of your secure information can be synced as well.

https://agilebits.com/ (1Password)

This website will allow you to purchase and install a Mac-only password manager.

https://www.grc.com (Gibson Research Corp.)

A very good website that provides many free security checking tools to ensure your computer and its connection are secure and safe.

thedigitalteacher
