There was a potentially serious security breach discovered about 2 weeks ago called Heartbleed. It is “potentially serious” because it seems to have been a fairly benign threat: while it could have been much more serious, it doesn’t seem to have caused the havoc that was initially anticipated. That does not mean you should sit back and ignore the whole situation. Heartbleed could be used to infiltrate all of your online accounts and cause serious problems if you were unknowingly caught by it.
In this article I want to explain briefly what Heartbleed is, what you should do to protect yourself and then end with an explanation as to why it is important to take the precautionary steps.
What is Heartbleed?
Heartbleed is a server-side vulnerability which could have affected as much as 66% of the secure websites on the Internet. Thankfully, the truth is that only about 17% of sites were actually vulnerable. These are sites that serve secure content using certain versions of the OpenSSL library. Depending on the browser you are using, these are the sites that show either a lock icon or a green security bar indicating that anything you send to and from the site is protected from prying eyes.
What Heartbleed does (or “did”, since most of the vulnerable sites have been fixed) is let a third party request information that is stored in the server’s RAM while your computer is exchanging information with the secure website you are using. Mostly that information is random nothingness. But it could just as easily be your login credentials or, most alarming, the security certificate of the server. Of course, if your username and password were in the data that was exchanged it would be a bad thing—especially if you use the same password at any other site. The bad guys would then have everything they need to pretend they are you across the web. That is why unique passwords are important.
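To show why a request could pull back data from the server’s RAM, here is an added example (my own simplified model for this article, not OpenSSL’s actual code). A heartbeat request carries a length field chosen by the sender; the flaw was that the server copied that many bytes into its reply without checking that so many bytes had actually arrived, so whatever sat in memory behind the request came back with it. The record bytes and the “STALE-SECRET” data behind them are constructed for the demonstration, and the two handler functions are hypothetical names for the unpatched and patched behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout: 1-byte type, 2-byte big-endian payload length
 * claimed by the sender, then the payload bytes. */
#define HB_HEADER 3

/* Constructed model of server memory. The heartbeat record sits at the
 * front; the bytes after it stand for whatever happened to be in RAM
 * already (session data, credentials, key material, or nothing useful). */
static const uint8_t server_memory[] = {
    0x01, 0x00, 0x11,                /* type = request, claimed length = 17 */
    'h', 'e', 'l', 'l', 'o',         /* only 5 payload bytes were really sent */
    'S', 'T', 'A', 'L', 'E', '-', 'S', 'E', 'C', 'R', 'E', 'T', 0
};

/* Bytes actually received for this record, as the network layer knows it. */
#define RECORD_LEN (HB_HEADER + 5)

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Unpatched behaviour: trust the sender's length and echo that many bytes
 * back, regardless of how many bytes were really received. The reply
 * therefore includes memory that follows the request. */
size_t heartbeat_unpatched(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    (void)rec_len;                       /* the real length is never consulted */
    uint16_t claimed = read_be16(rec + 1);
    if (claimed > out_cap) return 0;     /* reply buffer sized to the claim */
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Patched behaviour: the claimed payload length must fit inside the record
 * that actually arrived; otherwise the request is silently dropped. */
size_t heartbeat_patched(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER) return 0;
    uint16_t claimed = read_be16(rec + 1);
    if ((size_t)claimed > rec_len - HB_HEADER) return 0;  /* the missing check */
    if (claimed > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* How many bytes the unpatched server sends back for the constructed record
 * (anything above 5 is memory beyond the payload that was sent). */
size_t unpatched_reply_len(void)
{
    uint8_t reply[64];
    return heartbeat_unpatched(server_memory, RECORD_LEN, reply, sizeof reply);
}

/* 1 if the unpatched reply carries the stale bytes that followed the record. */
int unpatched_leaks_stale_data(void)
{
    uint8_t reply[64];
    size_t n = heartbeat_unpatched(server_memory, RECORD_LEN, reply, sizeof reply);
    return n >= 17 && memcmp(reply + 5, "STALE-SECRET", 12) == 0;
}

/* How many bytes the patched server sends back for the same record. */
size_t patched_reply_len(void)
{
    uint8_t reply[64];
    return heartbeat_patched(server_memory, RECORD_LEN, reply, sizeof reply);
}

int main(void)
{
    printf("unpatched reply: %zu bytes, stale data leaked: %s\n",
           unpatched_reply_len(), unpatched_leaks_stale_data() ? "yes" : "no");
    printf("patched reply:   %zu bytes (request dropped)\n", patched_reply_len());
    return 0;
}
```

The whole difference between the two handlers is one comparison of the claimed length against the bytes actually received, which is why the fix could be rolled out so quickly once the problem was known, and why a server that still lacks it hands back 12 bytes it was never asked to store in the request.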
However, the greater threat is if the security certificates of the affected site were captured by the malicious third party. What they could do with that information is set up a rogue website pretending to be a trusted business; for example, your bank. They can then collect usernames and passwords of anyone trying to log into the bank or other trusted site.
Obviously these are very serious problems. On top of the seriousness of this vulnerability, the problem has existed for 2 years. However, it seems that the damage is nowhere near as bad as it could have been. As soon as the problem became public, websites patched their systems to close off the potential threat. Yet the problem cannot be ignored, even though the patch was rolled out within hours of the problem being announced.
What do you need to do?
Changing passwords at the affected sites should be sufficient to protect against any further damage. Even though sites have patched their servers, if the vulnerability was used against you before the patch, then the bad guys potentially have your information. If you knew about the problem within the first couple of days of the Heartbleed announcement, you may have seen the recommendation to wait before changing your passwords at some sites. That was good advice then; however, it is now appropriate to change your password at all affected sites. The reason to wait was that changing your password before the site updated its system meant that your new credentials were then exposed as well.
Now is the time to change your passwords at any affected sites. Here is a list of very popular sites that were affected by the bug. They have now all patched their servers and you should definitely change your passwords at those sites. Below the list I describe a tool you can use to check the status of any secure site.
Change your password at these sites:
- Amazon Web Services (but not the regular Amazon.com that you use for shopping)
- Google (this includes any Google property: GMail, Google Voice, Google Drive, YouTube, etc.)
- WordPress (this is WordPress.com. If you are running your own version of WordPress on your server, it would depend on your host as to whether you were vulnerable.)
- Yahoo! (this includes any Yahoo! property: Yahoo! Mail, Flickr, etc.)
Again, these are popular sites and certainly not a comprehensive list. There are many tools to check and see if a site was vulnerable. I have used the one at LastPass and find it helpful in telling if a site was vulnerable, if it has been fixed, and whether a password should definitely be changed. Any website you log into should be checked using this tool or a similar one. Especially make sure you check the status of your bank’s website.
Here is a short list of sites that were not affected and therefore do not require a password change: 1Password, Amazon (the shopping site), American Express, AOL, Apple, Bank of America, Capital One, Carbonite, Chase, Citigroup, eBay, Evernote, Groupon, H & R Block, HealthCare.gov, Hotmail/Outlook, Hulu, Intuit (Quicken/TurboTax), IRS, LinkedIn, Microsoft, Mint, Pandora, PayPal, Skype, Target, Walmart.
There is nothing wrong with changing passwords even if the site is not on the list. Changing passwords often is recommended. Make sure you use a unique password for each website. This is easily done by using a password manager like LastPass to keep track of your passwords.
You must remember that even if you use a password manager, it only keeps your passwords safe from unauthorized use while the passwords are stored in the vault. Those passwords are still potentially compromised if the site they belong to was vulnerable to Heartbleed. Because Yahoo! was vulnerable, your Yahoo! account is potentially compromised even if your password was stored in a secure password manager. If the recommendation above is to change your password, then change it even if it is stored in a password manager like LastPass, 1Password or Dashlane.
Why is it necessary to change your passwords?
Here is a worst case scenario for you to consider. Because GMail is affected by Heartbleed I need to change my password at Google/GMail. Thankfully my bank was not affected. However, let’s say that someone compromised my GMail account and got control of my mailbox. They could go to my bank’s website and use the “I forgot my password” link to reset my password. The bank would then send an email to my GMail account with a link in it to reset my password. Because they have access to my GMail account, the bad guys would be able to reset the password at my bank and have full control of the tens of dollars I keep in there.
By getting access to an online email account, the bad guys would then be able to reset the password of any account tied to that email address. Therefore it is critical to change the passwords on GMail and Yahoo! (or any other online mail accounts), since whoever controls the mailbox can reset every account that uses it for password recovery.
The target wasn’t necessarily usernames and passwords initially. But they can be harvested if a server’s security certificate was compromised. If you use the same password at multiple sites and the bad guys know your password, they can try every other website using your email address or username and password to access all your accounts. That is why unique passwords are important, and why you should change your passwords at any affected sites.
You don’t need to live in fear that the sky is falling, but you do need to change some of your passwords. What I hope does scare you is the scenario I propose because that is exactly where the risk is. I know that changing passwords is not fun (I’ve been working on changing mine too), but it is a simple thing you can do to mitigate the threat from Heartbleed.