Safety belts, helmets, passwords…we try and try to stay safe, but the safety of some things, such as our online data, is sometimes completely out of our hands. This was recently made painfully clear, when the World Wide Web got completely blindsided by a critical vulnerability that affected secure online communications throughout the UK and the rest of the world.
What is the Heartbleed Bug?
Aptly named “Heartbleed,” the bug has been lurking in the wild for over two years. Attackers use it to exploit a critical programming flaw in OpenSSL, gaining access to usernames, passwords, and other sensitive information belonging to millions of identities and accounts across the UK and around the world.
When the OpenSSL flaw is exploited, data is leaked from the memory of a server. According to Codenomicon, the Finland-based security firm that discovered Heartbleed along with a Google researcher, leaked data may include usernames and passwords, SSL site keys, email addresses, and files.
Due to the popularity of OpenSSL with webmasters and website administrators, thousands of websites may have potentially been affected. Netcraft, an Internet research and security firm, estimates that the Heartbleed bug has affected approximately half a million trusted websites around the world.
On his blog, security expert Bruce Schneier said, “On the scale of 1 to 10, this Heartbleed is an 11.”
Okay, so we know that this is a serious bug that has almost certainly affected one or more of your online accounts. Now, let’s take a look at some practical ways to remain safe in light of this widespread threat.
Change Your Password, But Not Too Soon
Heartbleed makes it possible for unscrupulous online hackers to access your username and password from any number of sites, and your password definitely needs to be changed for any sites that have admitted they were affected.
However, here’s the caveat: While a fix for OpenSSL is available, it does absolutely no good to change your username and password if a site has yet to patch its servers. In fact, changing your username and password may actually make matters worse.
“You should change password after the service provider has patched their site. Otherwise you just contribute to the data that can be stolen,” said Codenomicon’s Ari Takanen.
Take a Breather
By now, most sites have already patched their servers. However, you can find out whether a site you frequent is still affected by using the online checkers from Qualys, LastPass, or another provider.
If you find that one of the sites you often visit remains affected by Heartbleed, Codenomicon recommends staying away from the site for a day, because the vulnerability only exposes recent data that is sitting in a server’s RAM. Unlike a database break-in, your data is only exposed if it happens to be in the server’s memory at the moment of the attack.
This is the primary reason why changing your username and password before a site has been patched may actually be worse than doing nothing, especially now that Heartbleed is public knowledge.
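The two points above (data is leaked from a server’s memory, and only what is in memory at that moment can be exposed) come down to a single missing length check in OpenSSL’s heartbeat handling. The following Python model is an added example, not code from this article or from OpenSSL: it builds a TLS heartbeat message (RFC 6520 layout: type, 2-byte payload_length, payload, 16 bytes of padding), applies the bounds check that the OpenSSL 1.0.1g fix introduced, and contrasts a pre-fix handler that trusts the length field with a patched one that discards the message. The server memory contents and the function names are constructed for the example.

```python
import struct
from typing import Optional, Tuple

HB_REQUEST = 1      # TLS heartbeat message types (RFC 6520)
HB_RESPONSE = 2
MIN_PADDING = 16    # every heartbeat message carries at least 16 bytes of padding

# Constructed stand-in for the server process's memory: the received heartbeat
# record sits at offset 0, followed by other data the server recently handled.
# Every value below is made up for this example.
RECENT_SERVER_DATA = (
    b"GET /login HTTP/1.1\r\nCookie: session=constructed-cookie-abc123\r\n"
    b"password=constructed-hunter2\r\n"
    b"...other request data from other users (constructed)..."
)


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request: type, 2-byte payload_length, payload, padding.
    `claimed_length` lets the length field disagree with the real payload, which
    is exactly the malformed input the OpenSSL bug failed to reject."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def validate_heartbeat(record: bytes) -> Tuple[bool, str]:
    """The bounds check the OpenSSL 1.0.1g fix added, written in Python:
    the declared payload_length must fit inside the bytes actually received."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return False, "record too short to be a heartbeat"
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, "unknown heartbeat type"
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return False, f"declared payload of {payload_len} bytes exceeds {len(record)}-byte record"
    return True, "ok"


def unpatched_response(record: bytes, memory: bytes) -> bytes:
    """Model of the pre-fix behaviour: trust payload_length and copy that many
    bytes starting at the payload. When the field is larger than the record,
    the copy runs on into whatever follows the record in `memory`."""
    _, payload_len = struct.unpack("!BH", record[:3])
    return memory[3:3 + payload_len]


def patched_response(record: bytes) -> Optional[bytes]:
    """Model of the fixed behaviour: validate first, silently discard the
    message if the lengths disagree, otherwise echo back only received bytes."""
    ok, _ = validate_heartbeat(record)
    if not ok:
        return None
    _, payload_len = struct.unpack("!BH", record[:3])
    return record[3:3 + payload_len]


def compare_behaviours(claimed_length: int = 200) -> dict:
    """Run one malformed and one well-formed request through both models."""
    malformed = build_heartbeat(b"ping", claimed_length=claimed_length)
    well_formed = build_heartbeat(b"ping")
    return {
        "malformed_verdict": validate_heartbeat(malformed)[1],
        "unpatched_leak": unpatched_response(malformed, malformed + RECENT_SERVER_DATA),
        "patched_reply_to_malformed": patched_response(malformed),
        "patched_reply_to_well_formed": patched_response(well_formed),
    }


if __name__ == "__main__":
    for key, value in compare_behaviours().items():
        print(f"{key}: {value!r}")
```

Two things are worth noticing when you run it. The unpatched model returns only what happens to follow the record in the simulated memory; swap `RECENT_SERVER_DATA` for a run of zero bytes and the same malformed request yields nothing of interest, which is why the article’s advice about recently used data holds. And because the length field is two bytes, one request can claim up to 65,535 bytes, so the leak per request is bounded but repeatable. The `validate_heartbeat` condition is also the kind of rule intrusion-detection systems used to flag malformed heartbeat traffic.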
Implement Two-Factor Authentication
Security threats like Heartbleed are an ideal time to brush up on the best ways to boost the security of your online accounts. One of the best measures you can take is two-factor authentication, which requires an extra one-time code in addition to your password before you are granted access to your online accounts.
While two-factor authentication may not have been an ideal defense against Heartbleed, it is generally viewed by online security experts as an extra step that will help ensure the safety of your online accounts.
Use a Password Manager
If you are not using a password manager, now is as good a time as any to begin, especially if you plan on changing some of your logins in the next couple of days. A password manager lets you easily generate random passwords from combinations of numbers, letters, and other characters, and it lets you change your passwords regularly without having to memorize a laundry list of complicated strings.
There are numerous password managers available to choose from, but Dashlane and LastPass are some of the most popular. In a recent blog post, LastPass admitted it was using the OpenSSL version that was affected by Heartbleed. However, the company said users were not affected because it encrypts the data prior to transmitting it online.
Heartbleed is a nasty bug that should be taken seriously. If not, your finances can be turned upside down in no time at all. However, considering it has been running rampant for the past two years, there is not much you can do now but wait until affected sites patch their servers before going ahead and changing your passwords. Once they are patched, you should change your passwords and take extra precautionary steps to ensure the future security of your online accounts.