As a result of a bug in a major security protocol that was identified this week, millions of email addresses, passwords, credit card numbers and other personal information may be at risk.
At this time, it is not known how much damage was caused by what is now known as the Heartbleed bug. This bug was part of the popular OpenSSL cryptographic software library, which implements the SSL/TLS encryption used to secure much of the Internet. This is the software behind the https:// protocol and the little lock icons that we have come to rely on to keep us safe online.
Much of the work needed to fix this problem is out of your hands. As a result, patience and understanding are called for as the security and technology communities work to implement a fix, both in the short term and in the long term. The repercussions of this bug will be felt for a long time.
Here are some things that you can do right now to protect yourself:
1. Be patient. You might be tempted to go change all of your passwords right now. Don’t. If the website hasn’t implemented a fix yet, your shiny new password would still be vulnerable.
2. Check your favorite websites with this free tool: http://filippo.io/Heartbleed/ Many websites were never at risk — Gmail for example — and many have already implemented fixes. I ran all of the websites that I routinely log in to that I could think of and didn’t find a single one with an issue.
3. Watch for notices from your service providers. Any service provider that was using a vulnerable version of the code will be on the lookout for uses of their data that indicate they were compromised. If they discover your information was stolen, they will let you know. AND they will let you know what to do about it. It is important that you follow their advice in a timely manner.
4. Look out for spoofed websites or emails. Even after this bug is fixed, hackers could still take the faulty code and create a copy of a well-respected and trusted website in order to gather user information. Or they could send spoofed emails with scary language about the bug that ask you to log in to change your password or verify your information. The best defense against this tactic is to pay attention when you are online. If a site looks different, or odd, it’s best to not enter any personal information. If it’s a business you regularly deal with — a bank or credit card company — call their customer service number to verify the site is legitimate, or use a link that you know is valid. When in doubt, err on the side of caution and don’t make that purchase or log in. Your transaction can wait.
5. Sign up for Passpack.com. With so many passwords to remember, it can be tempting to reuse the same password across many websites. This tactic leaves you particularly vulnerable to hackers because they only need to obtain your password from one site in order to use it to gain access to all of your accounts (Dropbox.com had a security breach last year as a result of an employee reusing a password elsewhere). The best password management tool that I’ve used is Passpack.com. It has many benefits, including being free for most people.
The Heartbleed bug is scary and will change the Internet forever. But that doesn’t mean there is cause for panic. Given the nature of the Internet, security vulnerabilities will always exist, and we need to remember this. However, when all of us — developers, security professionals, and the general public — work together, we CAN keep ahead of the hackers and continue to enjoy the benefits of the Internet with little personal risk.