Heartbleed is the popular name of a security vulnerability that is generating a great deal of attention. A bug in OpenSSL software – used by some 500,000 widely used web sites for security and privacy – lets an attacker read chunks of a web server's memory, which might include passwords, session cookies, or other confidential information.
There are two things you need to know about Heartbleed. Both of them are true. Your reaction will depend on how you weigh these two things.
(1) This is a deadly serious security vulnerability that requires hundreds of thousands of companies big and small to patch their web servers. There are endless articles in the media urging you to change your passwords for web sites that might have been affected by the security issue. That advice is meaningful and important.
If you’re paranoid about online security, follow the advice that you’ll see all over the web about changing passwords. You will likely get email messages urging you to change your password on affected sites where you have an account. Vulnerable sites that are now patched include Google, Facebook, Yahoo, Tumblr, Netflix, Reddit, Yelp, GoDaddy, Dropbox, and many more. Change your password only after confirming that a website has installed the OpenSSL patch; changing it before then just hands the new password to the same bug. A site that has done the job properly has also replaced its SSL certificate, because the server’s private key is one of the things that could have been read out of memory; a certificate issued after April 7 is a quick sign that it did.
(2) As of today, a week later, there is no evidence whatsoever – zero, nada, none – that any bad guy exploited this vulnerability before companies began to install the required patch that fixes it. One caveat a security person would add: a Heartbleed request looks like ordinary encrypted traffic and leaves nothing in a web server’s normal logs, so “no evidence” is what you would expect to see whether or not anyone used it. Nothing is certain, but as far as anyone knows, no passwords have been stolen by a bad guy as a result of this bug, and passwords don’t have to be changed if they haven’t been compromised.
If you think that sometimes security threats are exaggerated by the media and security experts because it’s a reliable way to get attention and generate online clicks, you might want to sit this one out unless new information comes out making it necessary to react. This is a huge problem and the companies running affected web servers are quite right to panic, but for a change the hard work of installing patches falls on them and not on you.
Personally, I haven’t rushed to change any of my passwords.
Want to improve your online security? Don’t react specifically to Heartbleed. Instead, do the things that you’ve been putting off: eliminate duplicate passwords (the ones you use over and over on multiple websites); set complex passwords on the important sites – banking, shopping and services holding important data; and start to use LastPass or a similar password manager.
Some more detail about the Heartbleed bug itself (CVE-2014-0160). It is the result of a mistake in OpenSSL, the code that roughly two-thirds of web sites use to keep your visits secure, in the part that handles the TLS “heartbeat” extension. A client sends a small keep-alive message and states how long it is; the buggy server trusts that stated length and copies that many bytes back without checking that the message was really that long, so a client that sends a couple of bytes but claims the maximum (64 KB) gets back 64 KB of whatever happened to be next to the message in the server’s memory, which can include passwords, session cookies and even the server’s private key. The bug has existed in the code for two years (it shipped in OpenSSL 1.0.1 in March 2012) but as far as we know it was only discovered very recently and it was not disclosed publicly until a week ago, when a patch (OpenSSL 1.0.1g) had already been prepared and begun to be implemented. There is no evidence that it was known to the bad guys before last Monday. Late last week Bloomberg published anonymous reports that the NSA had known about the bug for almost the entire two years and used it to harvest passwords; the NSA issued flat denials, but of course it would, wouldn’t it?
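To make the mistake concrete, here is an added example that is not code from the original post and not OpenSSL’s source (OpenSSL is written in C; this is a Go model of the same logic). A byte slice stands in for the server’s memory, the session cookie placed next to the heartbeat record is constructed for the example, and the two versions of the handler differ only by the two length comparisons the 1.0.1g patch added.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// neighbourData stands in for whatever happened to sit next to the record in
// the server's heap; the cookie is constructed for this example.
var neighbourData = []byte("session=deadbeef; user=alice ...")

// buildHeartbeat lays out a HeartbeatRequest as in RFC 6520:
// type (1) | payload_length (2, big-endian) | payload | padding (>= 16).
// claimedLen goes on the wire and need not match len(payload): that is the bug.
func buildHeartbeat(claimedLen uint16, payload []byte) []byte {
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], claimedLen)
	rec := append([]byte{1}, l[:]...) // 1 = TLS1_HB_REQUEST
	rec = append(rec, payload...)
	return append(rec, make([]byte, 16)...)
}

// processMemory models the server's address space: the record first, with
// neighbourData lying directly after it.
func processMemory(record []byte) []byte {
	return append(append([]byte(nil), record...), neighbourData...)
}

// heartbeatVulnerable mirrors OpenSSL 1.0.1 to 1.0.1f: it takes payload_length
// from the wire and copies that many bytes from the payload start, never
// comparing it with recordLen, the size of the record it was actually handed.
// In C this is the memcpy over-read; here the slice just runs on past the record.
func heartbeatVulnerable(mem []byte, recordLen int) []byte {
	_ = recordLen // the bug: the real record length is never consulted
	payloadLen := int(binary.BigEndian.Uint16(mem[1:3]))
	resp := append([]byte{2}, mem[1:3]...) // 2 = TLS1_HB_RESPONSE, echo the claimed length
	end := 3 + payloadLen
	if end > len(mem) { // a real process reads whatever is there, up to 64 KiB, or crashes
		end = len(mem)
	}
	return append(resp, mem[3:end]...)
}

var errDiscard = errors.New("malformed heartbeat silently discarded")

// heartbeatFixed adds the two checks from the 1.0.1g patch: the record must
// hold at least type, length and minimum padding, and the claimed payload plus
// padding must fit inside the record; otherwise drop it without replying.
func heartbeatFixed(mem []byte, recordLen int) ([]byte, error) {
	if 1+2+16 > recordLen {
		return nil, errDiscard
	}
	payloadLen := int(binary.BigEndian.Uint16(mem[1:3]))
	if 1+2+payloadLen+16 > recordLen {
		return nil, errDiscard // RFC 6520 section 4: discard, do not answer
	}
	resp := append([]byte{2}, mem[1:3]...)
	return append(resp, mem[3:3+payloadLen]...), nil
}

// leakedNeighbour reports whether a response carries bytes of neighbourData,
// i.e. memory the client had no business seeing.
func leakedNeighbour(resp []byte) bool {
	return strings.Contains(string(resp), "session=")
}

func main() {
	honest := buildHeartbeat(2, []byte("hi"))
	malicious := buildHeartbeat(40, []byte("hi")) // claims 40 bytes, sends 2
	for _, rec := range [][]byte{honest, malicious} {
		mem := processMemory(rec)
		v := heartbeatVulnerable(mem, len(rec))
		f, err := heartbeatFixed(mem, len(rec))
		fmt.Printf("claimed=%d vulnerable leaked neighbour=%v fixed=%q err=%v\n",
			binary.BigEndian.Uint16(rec[1:3]), leakedNeighbour(v), f, err)
	}
}
```

The honest request gets the same two-byte echo from both handlers. The malicious one, which sends two bytes but claims forty, gets forty bytes back from the vulnerable handler, including the cookie that was sitting next to the record; the fixed handler drops it without answering, which is what the standard says to do with a malformed heartbeat and why exploitation leaves no trace in ordinary logs.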
Here are a few more facts that small businesses and individuals need to know about Heartbleed.
• Small businesses running Microsoft servers are not affected by the Heartbleed bug and do not have to install emergency patches: Windows and IIS use Microsoft’s own SSL/TLS code, not OpenSSL. Do check anything else on the network that bundles OpenSSL, though: Linux boxes, firewall and VPN appliances, and some third-party software installed on Windows can all carry a copy of the vulnerable library.
• CNET has a chart showing the status of the top 100 websites in the US – “was not vulnerable,” “vulnerability patched – password change recommended,” or “awaiting response.” Use it as a resource if you are changing passwords.
• LastPass users do not need to worry about their vault because of this bug. LastPass has far more security layers than most websites, but what matters more is its fundamental architecture: it never gets your master password and it never has a decrypted copy of your passwords for other sites – period, end of story. Your master password is not sent to LastPass’s web server when you type it in on your screen; the LastPass software on your own computer uses it to derive the key that decrypts your vault and sends the server only a separate login hash, so LastPass gets an encrypted blob and nothing else. Bad guys cannot learn your passwords by hacking into the LastPass servers, or by reading LastPass server memory through Heartbleed, because the LastPass servers do not ever have the master password or the key required to decrypt your data. The one thing that design cannot do is make a weak master password safe: a stolen copy of the server’s data can still be used to try guesses against it offline, so the master password has to be long and used nowhere else. LastPass has published its own statement about Heartbleed.
• LastPass users should click on LastPass / Tools / Security Check. You’ll get a list of sites from your LastPass Vault that were affected by Heartbleed and advice about whether to change those passwords, plus other useful things to check – sites where you’ve used the same password, passwords that aren’t very complex, and more.
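As an added example (not the original post’s code and not LastPass’s), the following Go program shows the shape of the architecture described above using only standard-library crypto: the client derives a vault key from the master password with PBKDF2, encrypts the vault with AES-256-GCM, and sends the server only a login hash derived from that key; the server stores a hash of the login hash and the opaque blob. The design is a generic one in the spirit of the bullet, and the e-mail address as salt, the iteration count, the user, the sample vault entry and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const iterations = 10000 // kept low so the example runs fast; an assumption, not LastPass's figure

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// aeadFor wraps a 32-byte key in AES-256-GCM; neither call fails for that size.
func aeadFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Client is the password manager on the user's machine: the only place the
// master password or the vault key ever exists.
type Client struct{ Email, Master string }

// vaultKey is derived locally (e-mail as salt is an assumption) and never sent.
func (c Client) vaultKey() []byte {
	return pbkdf2SHA256([]byte(c.Master), []byte(c.Email), iterations)
}

// loginHash is the only credential transmitted: one more PBKDF2 round over
// the vault key, so the server cannot turn it back into the key.
func (c Client) loginHash() []byte {
	return pbkdf2SHA256(c.vaultKey(), []byte(c.Master), 1)
}

// sealVault returns the opaque blob (nonce||ciphertext||tag) that is uploaded.
func (c Client) sealVault(vault []byte) []byte {
	aead := aeadFor(c.vaultKey())
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, vault, nil)
}

func (c Client) openVault(blob []byte) ([]byte, error) { return decryptWith(c.vaultKey(), blob) }

// decryptWith fails the GCM tag check for any key but the real vault key.
func decryptWith(key, blob []byte) ([]byte, error) {
	aead := aeadFor(key)
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// Server stores a hash of the login hash plus the blob, and nothing else.
type Server struct{ verifier, blob []byte }

func NewServer(loginHash, blob []byte) *Server {
	h := sha256.Sum256(loginHash)
	return &Server{h[:], blob}
}

// Authenticate compares verifiers in constant time.
func (s *Server) Authenticate(loginHash []byte) bool {
	h := sha256.Sum256(loginHash)
	return subtle.ConstantTimeCompare(s.verifier, h[:]) == 1
}

// serverDumpDecrypts models a full server compromise: the attacker holds the
// verifier and the blob, and the only key-sized secret there is not the vault key.
func serverDumpDecrypts(s *Server) bool {
	_, err := decryptWith(s.verifier, s.blob)
	return err == nil
}

func main() {
	alice := Client{"alice@example.com", "correct horse battery staple"} // constructed user
	srv := NewServer(alice.loginHash(), alice.sealVault([]byte("github.com: hunter2")))
	plain, err := alice.openVault(srv.blob)
	fmt.Println("login:", srv.Authenticate(alice.loginHash()), "vault:", string(plain), err,
		"server dump decrypts vault:", serverDumpDecrypts(srv))
}
```

A complete dump of the server yields a verifier and an encrypted blob, which is why a Heartbleed-style read of server memory, or outright theft of the database, does not hand out vault contents. What it does hand out is material for guessing the master password offline, one PBKDF2 run per guess, and that is the whole argument for making that one password long.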
Be careful out there!
So nice to have BruceB watching our backs! Thanks for the always practical and ever reasonable advice. I knew you’d have something intelligent to say on the subject.