My Heart Bleeds: What you need to know about Heartbleed
Guest Blog Entry By Christopher Burgess, CEO Prevendra
Heartbleed is the name given to the bug found in OpenSSL that has left many of our individual passwords compromised. The situation has been in the news for the past few weeks, since the bug was discovered in late March and the patch was put out in early April.
What makes Heartbleed so important is that the companies using SSL (that is the HTTPS in your browser window) all have to patch their software, and you as a user have to change your password once this has been accomplished. To help, we’ve compiled some information that you as an individual user need to know about Heartbleed and about the criminal activity that is exploiting us as we move through the remediation steps. Let’s start with, “What is Heartbleed?”
What is Heartbleed:
Heartbleed was a bug within the OpenSSL code, which many organizations and companies used to provide Secure Sockets Layer (SSL) connectivity between your computer and the server hosting the website to which you were connecting. The bug, located in the portion of the OpenSSL code called the “heartbeat,” went undetected for almost three years. Once it was discovered, OpenSSL provided a patch and the U.S. Cyber Emergency Response Team (CERT) provided guidance on how to patch. The role of the individual user was to wait and then change passwords, as Heartbleed compromised the SSL.
What is being done:
Most companies are patching their servers, renewing their security certificates and advising their constituents via postings on their page to change their passwords, or sending advisory emails asking you to visit the site and change your password (more on this below).
What can you do:
You can be patient and attentive. To prepare, you should locate a strong password generator tool, as you will be changing a lot of passwords. Here are two:
Now go to each site where you log in and check whether the site has been updated for the Heartbleed bug which rendered the site vulnerable. How can you do that? Use one of these tools.
If the site has updated or is not vulnerable to the Heartbleed vulnerability, change your passwords and use a STRONG password.
What to watch out for:
It should come as no surprise that miscreants are using this period of high activity and rapid change to slide into the mix and get folks to click on and download various items. Phishing and scams taking advantage of Heartbleed are making their rounds. Some are full-on spoofs of your bank: an email comes in, ostensibly from your bank, advising you that the Heartbleed patch has been made and that you should now “click this link” to change your password. Others come in from friends whose email accounts or social network accounts have been compromised and carry content similar to, “have you read about Heartbleed, you need to read this one to stay safe.” The reader clicks on the link and is taken to a site which contains malware (malicious software) waiting to be downloaded to the device.
Do NOT click on links in emails, websites or social network posts advising you to update and change your passwords. Instead, type the URL directly into your browser window.
Is there more to come?
The Heartbleed vulnerability has been identified and a remedy made available to industry. Some devices which contain the OpenSSL version with the vulnerability are a bit slower to remedy, as the fix may require an update to the firmware on the device. These include routers, DVRs, etc., which many of us have in our homes. Keep an eye on these, and check the software update feature regularly, as this is the avenue by which the manufacturer will close the vulnerability.
Stay safe, and secure.
Christopher Burgess
About Senior Online Safety
Read more about online safety and scams at Senior Online Safety, published daily (alternating days in English and Spanish), and follow along by connecting via Twitter, Facebook, and Google-Plus. Senior Online Safety exists because so many of us are answering questions for our parents, aunts, uncles and grandparents; it matters not what age we are, if we know how to keep each other safe, we all win.
Christopher Burgess is the CEO of Prevendra, a security, privacy and intelligence company. He is also an author, speaker and advocate for effective security strategies, be they for your company, home or family. Christopher authored the e-book, “Senior Online Safety” (Prevendra, March 2014) and is the voice behind the website, “Senior Online Safety.” Prior to the founding of Prevendra, Christopher held a variety of private and public sector positions, which included chief operating officer of a big data analytic company, Atigeo; Senior Security Advisor to the CSO of Cisco, a Fortune 100 company; and 30+ years within the Central Intelligence Agency, which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher lives in Woodinville, WA with his family, two dogs and two horses.