
Heartbleed Q&A - What you need to know to stay safe online

There has been growing worldwide concern about the effects of the Heartbleed security flaw

Over the past few days concern has been growing among website administrators and users about the effects of a security flaw, nicknamed Heartbleed, which left a gaping hole in the security of hundreds of thousands of computer systems around the world.

Some of the concern is well founded, but other aspects have been driven by hyperbole, hysteria and misinformation.

Will Goodbody differentiates facts from fiction

What is all this talk of SSL and Heartbleed all about?

Earlier this week it emerged that a significant flaw had been identified in the security software that keeps much of the traffic between computers that make up and use the internet safe. The flaw was found in a freely available and very widely used open source software package called OpenSSL. The software works by sending an encryption key to the computer being used by new visitors to the website. Once the key is received by the visitor, every piece of information subsequently sent between the computer and the server is then protected. You know it is operating, because a padlock symbol is displayed on the web browser you are using.

So what? 

OpenSSL is hugely popular, and is estimated to be installed on a staggering 500,000 servers, running two thirds of the world’s websites. The flaw had also been there for more than two years before it was spotted recently by Google and the small security company Codenomicon. In theory, during that time any cyber criminal who discovered its existence could have exploited the vulnerability to their own ends without being detected, because one of the most worrying aspects of the flaw is that exploitation of it leaves no trace and cannot be detected.

What does that mean for my data?

What OpenSSL does is protect against so-called “Man in the Middle” attacks, where information being exchanged between servers and computers can be monitored and stolen. So in theory, anyone who managed to exploit the Heartbleed bug could have stolen usernames, passwords, financial information, or anything else sensitive sent by a user to an affected web server, and vice versa.

Oh. So my personal data may have been stolen then?

Potentially, anyone who was connecting to a web server running this particular flawed version of OpenSSL over the past two years was vulnerable. However, so far there is no hard-and-fast evidence to suggest that data has been compromised. Also, contrary to certain reports, security experts say exploiting the vulnerability isn’t as simple as some would make out, and some servers that had the flaw also had other systems in place that meant they remained safe. That said, the reality is that unless hackers who stole data by exploiting the bug published it on the internet, as they sometimes do, it wouldn’t be apparent that it had been compromised.

So I should change my passwords immediately then?

This is where much of the confusion is arising. Some websites, like Tumblr, and some experts came out quickly and advised people to change all their passwords immediately. The problem with this, however, is that if you change your password before individual websites have had a chance to patch the flaw and update their security certificates – a simple but time-consuming process – all you are doing is potentially handing your new password to hackers. So the best advice is to check some of the lists and tools that are being regularly updated online to see which websites are vulnerable and which have been fixed. If you use any of those websites and have a username and password for them, it would probably then be prudent to change your password. In the meantime, until they are patched, it may be advisable to steer clear of using them.

I use the same password for multiple websites, what do I do about that?

Although it is a real pain to have different passwords for different sites, it is really bad security practice to use the same one across multiple sites. The problem is that if you use one site that has been affected by Heartbleed, there is a chance that a criminal has your password, which you also use on sites that aren’t affected by the flaw. In that case you should probably change all your passwords once you are sure the websites are patched and safe, and make all the new passwords different.

What about my other personal information?

In the wake of the problem it would be very prudent to keep an eye on your credit card, online banking and other online payment service accounts, just in case someone has recently or previously exploited the flaw to steal your personal information. Also, be aware that some criminals are already using the hype and confusion around the flaw to try to trick internet users into parting with their personal information. So be wary of unusual emails, particularly those that ask for passwords or other sensitive information. Check whether they are coming from a reputable email address, and look on the website of the company they purport to come from to see what it is saying.

Is anything else I use vulnerable?

It’s reported that other computer hardware and software, like routers, email systems and even mobile phones, could be vulnerable. So watch for any software updates that service providers are offering in the coming days and weeks, to ensure everything is up to date and safe. PCs do not use the technology, though.

Any other advice?

Although it probably wouldn’t have made a significant difference in this case, good password practice is vitally important in protecting yourself online. Passwords shouldn’t be predictable or repetitive. They should contain, where possible, a mixture of upper- and lower-case letters, numbers and symbols. Don’t be tempted to use words that are linked to you personally, or whole dictionary words, as these make things a lot easier for hackers.