NOTE: McAfee has released a Heartbleed Checker tool to help consumers easily gauge their susceptibility to the potentially dangerous effects of the Heartbleed bug. You can access the tool at: http://tif.mcafee.com/heartbleedtest
Many of you may have been hearing the term “Heartbleed” over the past few days and wondering what exactly that is, and why people are so concerned about it. Well, Heartbleed is the name of a major security vulnerability that may affect nearly two-thirds of websites online. It’s a severe situation potentially exposing your login information—your username and password—and other sensitive information about you.
What is Heartbleed?
It is important to understand that Heartbleed is not a virus, but rather a mistake written into OpenSSL—a security standard encrypting communications between you, the user, and the servers provided by a majority of online services. The mistake makes it viable for hackers to extract data from massive databases containing user names, passwords and other sensitive information.
What Should I Do?
The first thing you need to do is check to make sure your online services, like Yahoo and PayPal, have updated their servers in order to compensate for the Heartbleed vulnerability. Do not change your passwords until you’ve done this. A lot of outlets are reporting that you need to do this as soon as possible, but the problem is that Heartbleed primarily affects the server end of communications, meaning if the server hasn’t been updated with Heartbleed in mind, then changing your password will not have the desired outcome.
How Do I Check For Heartbleed?
Mashable has a list of popular websites affected by the Heartbleed vulnerability. You can view that list here, but keep in mind that this list is not comprehensive. If you’re concerned that a website you frequent has been compromised, you can check by using McAfee’s Heartbleed Test Tool. If a website pops up as compromised, that means its hasn’t been updated and that you should wait to change your password.
Services, too, ought to be sending emails to you over the next few days telling you they were affected by Heartbleed and have since updated their servers. When you get these emails you should go and update your password. But beware: this is a prime time for phishing attacks—attacks which impersonate services in order to steal your credentials—so be extra careful when viewing these messages.
You can detect a phishing attack by poor grammar, suspicious graphics that don’t quite fit the company, and emails asking you to enter your password and username. Some services affected by Heartbleed will have automatically logged you out. Some may have provided you links to change your password. In order to protect yourself from phishing attacks, do not click on those links. Instead, manually head to the website yourself, log in and then change your password.
A Deeper Look at Heartbleed
To understand what Heartbleed does, we need to explain what SSL is, and by extension, what OpenSSL is and what it does.
SSL is shorthand for Secure Sockets Layer—a security standard allowing information to be securely transmitted between you and a service without the threat of a third party intercepting information. OpenSSL is simply an open-source (read: non-profit) project updated and maintained by volunteers with the input of a knowledgeable community of programmers.
For SSL to work, your computer needs to communicate to a server. To do this, it sends out what’s called a “heartbeat.” What a heartbeat does (other than fathering the name of this vulnerability) is send a specific signal to a server in order to see if that server is online. If the server is online, it sends that signal right back to your computer, allowing you to enjoy secure communications. Both your computer and the server send out heartbeats on regular intervals to make sure both you (the user) and the server (the service) aren’t offline.
Heartbleed takes advantage of this “heartbeat” by sending a malicious heartbeat signal to servers. That malicious heartbeat essentially tricks the server into sending a random chunk of its memory back to the user who sent the malicious heartbeat. Contained in that memory can be a random collection of email addresses, usernames and passwords. Some of those credentials, worryingly, could belong to the company managing that server. This provides hackers with a way of accessing and exploiting information throughout the Internet.
The severity of this vulnerability cannot be overstated. Major enterprises regularly employ OpenSSL, which was traditionally considered to be one of the most secure means of transmitting data. Again, the best thing you can do to protect yourself is to determine which sites you use are affected (through one of the tools listed above), and change those account passwords.
Here are some tips for changing your password:
- Create unique passwords for every site you use. Every password you use should have a minimum of eight characters containing letters, numbers and symbols. Each site should have its own unique password. Try not to duplicate passwords on multiple sites. This is the bare minimum.
- Use a password manager. Using a password manager is becoming less a matter of convenience and more a matter of security. It’s difficult enough to remember if you locked your door this morning. Remembering unique passwords for every site is nearly impossible. Password managers can do this for you. Additionally, they can protect you from malicious software that records your keystrokes and, by extension, your password.
- Enable two-factor authentication. Two-factor authentication is a security technique that requires you to have something you know, like your password, and something you possess, like your phone. Not all websites have this security technique in place, but if they do, you should enable it. It’s an effective way of protecting yourself from being hacked.
Again, this vulnerability’s severity cannot be overstated. For the protection of your data, you need to assume that your credentials have been leaked through Heartbleed and change your passwords accordingly.