Heartbleed - What to do now...

Posted by admin on April 12, 2014

What is Heartbleed?

Heartbleed is a vulnerability found in the OpenSLL software library. When you use a website or service that encrypts information and sends it across the internet (like bank websites, email, social media login pages, etc.) your passwords are encrypted and sent to the server to make sure the information you entered is correct. The encryption makes sure no one can "eavesdrop" on your conversation with the remote server.

The vulnerability comes from a function of the program that processes that encryption. Special packets known as a Heartbeat can be sent to the server, and those packets could be written in a special way that then forces the server to return raw, unencrypted data back to the sender (attacker). There's no way to tell how much data was sent, and to whom it was sent. It's untraceable.

Here's a video that explains it in plain English: http://vimeo.com/91425662

What do I do?

Basically, changing your passwords, ALL OF YOUR PASSWORDS, is the only thing you can do, but before you do that, check to make sure the site on which you're changing your password isn't still affected by the vulnerability. To do this, go to: http://filippo.io/Heartbleed/ and enter the website that you would like to test. If it passes, go to that site and change your account info.

As much as I hate linking to a clickbait website, you can also look at this article from Mashable The Heartbleed Hit List: The Passwords You Need to Change Right Now - They keep the list updated, which is nice, but if I find a more reputable source I'll update the post accordingly.

How do I minimize my risk?

Here's a list of good password practices that reduce your risk in these kinds of situations:

  • Use unique passwords (don't use the same password)
  • Treat your password like your toothbrush. Don’t let anybody else use it and get a new one every six months
  • Use two-step verification when offered. (Here's a video that explains Google's two step verification: http://youtu.be/zMabEyrtPRg)

But I can't remember all of those passwords!

I know it's hard to remember passwords for a bunch of different sites. There are password saving sites like 1Password and LastPass.

I personally don't like the idea of keeping all of my passwords on someone's server, but they have good reputations and haven't had a major security breach (yet)

Try creating passwords that are easy to remember but hard to guess. XKCD has a humorous, but accurate comic about coming up with passwords that would be harder for a computer to crack, and easy to remember: http://xkcd.com/936/

There's even a password generator that will pick random words and separators for you: http://correcthorsebatterystaple.net/

If you assign your own little bit of simple cryptography to add variation to a common password you use between sites you can come up with a random, secure password that's easy to remember. For example:

Let's start with the password: Motherhood-Equal-Apply

And say you have a google account, if you assign numbers to the first three letters of the URL, let's say a=1, b=2, c=3, etc. you would come up with g=7 and o=16

Now implement that into your password: Motherhood7Equal16Apply16

When you change your password, you can create a new set of words, or just shift the numbers (so now a=2, b=3...)

 Conclusion

If you follow best practices for password changes and complexity, if a single account gets compromised, it would still be difficult for an attacker to gain access to other accounts (unless they got into your email account)

While passwords are a major concern for Heartbleed, that's not the only data attackers can get. They can get SSN's, credit card numbers, etc. So be sure to keep an eye on your credit report and credit card and bank activity. A lot of banks offer identity theft protection, you may want to discuss that with your bank.