What to do about the Heartbleed bug


The Heartbleed bug has been in the news for about a week now, so you have probably heard about it even if you don’t know exactly what it is or what it means for you and your computer security.  Today we’ll break it down into simple terms and give some recommendations about what action you need to take.

Heartbleed bug (image credit: heartbleed.com)

Heartbleed is not a virus.  It’s not something that was created by someone with intent to defraud you or infect your computer.

What it is is a flaw in a piece of security software that a lot of websites use.  That software is called OpenSSL.  It’s what a website uses to encrypt the connection between your browser and the site (the padlock and the “https://” in your address bar), so that passwords and other private information can’t be read while they travel across the internet.

What happened about a week ago is that the security flaw was made public.  However, it has existed in OpenSSL for a little over two years.  Have the bad guys been using it all that time?  There is no way to tell: a Heartbleed attack leaves nothing behind in a website’s normal logs, so even the sites themselves can’t say whether they were hit.  To be safe, it’s best to assume that the hackers have known about it for a while – more about that in a minute.

With a little piece of software (attack tools are now widely available in the “bad neighborhoods” of the internet), a hacker can connect to a vulnerable website and extract a small piece of whatever happens to be in the web server’s memory at that moment: user names, passwords, login cookies, even the website’s own private encryption key.  Each request only gets a little bit (up to 64 KB), but the hacker can repeat it over and over, as fast as he likes, and nobody notices.  This means that as long as the website is vulnerable, the bad guys can keep pulling more and more private data out of it.
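For readers who want to see the actual mistake, here is a small added illustration written for this page; it is not code from the original post or from the OpenSSL project, but a simplified model of the heartbeat handling that Heartbleed (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f) got wrong.  A heartbeat request says “here are N bytes, please echo them back.”  The vulnerable code believed N and copied that many bytes into the reply without checking how many bytes had actually arrived, so a request that sent one byte but claimed 65,535 got back 64 KB of whatever sat next to it in memory.  The “arena”, the record layout and the secret string in this model are constructed for the demonstration.

```c
/* Added example, not code from the original post or from OpenSSL: a simplified model
 * of the TLS heartbeat handling behind Heartbleed (CVE-2014-0160). A heartbeat request
 * carries a 16-bit "payload length"; the vulnerable code trusted that number and copied
 * that many bytes into the reply without comparing it to the size of the record that had
 * actually been received. The fixed version adds that one comparison. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message: type (1 byte) | payload length (2 bytes, big-endian) | payload | 16 bytes padding */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER      3
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 65535

/* Simulated server memory (constructed for this demo). The incoming record is placed at
 * the start, and a made-up "secret" standing in for whatever happened to be next in the
 * heap (other users' cookies, passwords, key material) is placed right after it. Keeping
 * everything inside one arena lets the over-read run safely here; in the real server it
 * walked into neighbouring heap memory. */
#define ARENA_SIZE (HB_HEADER + HB_MAX_PAYLOAD + HB_PADDING)
static uint8_t arena[ARENA_SIZE];
static uint8_t reply[ARENA_SIZE];
static const char SECRET[] = "user=snowmanguy@aol.com&password=sparky1"; /* constructed sample data */

/* Build a request that claims `claimed_len` payload bytes while only sending `actual_len`.
 * Returns the record length the server really received. */
static size_t build_request(uint16_t claimed_len, size_t actual_len) {
    if (actual_len + sizeof SECRET > HB_MAX_PAYLOAD)        /* keep the secret inside the arena */
        actual_len = HB_MAX_PAYLOAD - sizeof SECRET;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memset(arena + HB_HEADER, 'A', actual_len);
    size_t record_len = HB_HEADER + actual_len + HB_PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET);      /* data lying just past the record */
    return record_len;
}

/* Vulnerable handler, mirroring the pre-fix logic: the real record length is ignored.
 * Returns the number of reply bytes written to `out`. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t record_len, uint8_t *out) {
    (void)record_len;                                      /* the bug: never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);     /* reads past the received record */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* Fixed handler, with the bounds check the OpenSSL 1.0.1g patch added: a claimed payload
 * that does not fit inside the received record is silently discarded (returns 0). */
static size_t heartbeat_fixed(const uint8_t *rec, size_t record_len, uint8_t *out) {
    if (record_len < HB_HEADER + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > record_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* 1 if the secret string appears anywhere in the reply, else 0. */
static int reply_contains_secret(const uint8_t *out, size_t len) {
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(out + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Send one request through the chosen handler; returns the reply length (0 = discarded). */
size_t heartbeat_reply_len(int use_fix, uint16_t claimed_len, size_t actual_len) {
    size_t record_len = build_request(claimed_len, actual_len);
    return use_fix ? heartbeat_fixed(arena, record_len, reply)
                   : heartbeat_vulnerable(arena, record_len, reply);
}

/* 1 if the reply to that request leaks the secret, else 0. */
int heartbeat_leaks_secret(int use_fix, uint16_t claimed_len, size_t actual_len) {
    size_t n = heartbeat_reply_len(use_fix, claimed_len, actual_len);
    return n ? reply_contains_secret(reply, n) : 0;
}

int main(void) {
    /* One real payload byte, but the header claims 65535 */
    printf("vulnerable: %zu-byte reply, secret leaked: %s\n",
           heartbeat_reply_len(0, 0xFFFF, 1), heartbeat_leaks_secret(0, 0xFFFF, 1) ? "yes" : "no");
    printf("fixed:      %zu-byte reply (0 = request discarded), leaked: %s\n",
           heartbeat_reply_len(1, 0xFFFF, 1), heartbeat_leaks_secret(1, 0xFFFF, 1) ? "yes" : "no");
    printf("fixed, honest 1-byte request: %zu-byte reply, leaked: %s\n",
           heartbeat_reply_len(1, 1, 1), heartbeat_leaks_secret(1, 1, 1) ? "yes" : "no");
    return 0;
}
```

The whole fix is the single `if` that compares the claimed length against the record actually received; the attacker gets nothing new from the honest request either way, which is why the patch broke nothing for legitimate clients.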

A lot of websites have updated their security software and fixed the problem.  (A site that does the job properly also replaces its encryption keys and certificate, since the old key may have been stolen through the same hole.)  In fact, you may have gotten email from websites where you have accounts, telling you how they are handling it.  If you get such an email, don’t click the links in it; type the site’s address yourself, because scammers are sending fake “Heartbleed” emails too.  Patching is good for the future, but it does not help the past.  Your user name and password may have already been extracted, perhaps multiple times by different hackers.

What should you do?

Your first priority is to change your password – but not necessarily for every website where you have an account.

Why not?  Here’s why not: not every website has updated itself to be secure yet.  If you have an account at a site that is still vulnerable and you change your password now, the new password can be stolen the same way the old one was.  You’ll just have to change it again once the site is fixed.

So you need to check and see whether a website has updated itself, and if it has, change your password.  And change it to a GOOD ONE.  A good password:

  • does not contain any pronounceable word, name or date
  • consists of upper and lower case letters, numbers and symbols
  • is at least 12 characters in length (longer is better)
  • is NOT a password you have used at any other website

Whenever I tell people those guidelines, the first reaction is “But I’ll never remember that!”

That’s good!  If it’s hard for you to remember, then it’s hard for a hacker (or his password-guessing software) to guess.  That’s why you need LastPass.  It will not only create those good passwords for you; it will also remember them for you.  And it’s FREE.

The LastPass link in the previous paragraph goes to a full review I did of LastPass, so you can see how it works and what it does.

Here are a couple other big benefits LastPass offers:

First, LastPass has set up a page where you can type in a website’s address and check whether that site has updated its security or is still vulnerable to Heartbleed.  You can find that here.

Second, when you have a LastPass account, you can run a security check on your own passwords and it will tell you which accounts are at risk, which ones you should go ahead and update your password for, and which ones to wait on for now.

For example, I use Dropbox.com.  They just updated their security, so now is the time to go and change my password (which I have done).  However, another website – Imgur.com – has not yet updated so I won’t change that one yet.

Do not put this off.  I know it’s a hassle, but it has to be done.  Change the passwords that need to be changed.

I want to address one more issue.

A majority of the people I meet with for the first time are in the habit of using the same password (or 2 or 3 passwords) for every account they create.  I really encourage you to NOT do that.  I understand WHY you do it, because it’s so convenient.  Heck, I used to do it myself before I realized the danger of it.

You might not think it’s that big a deal.  But imagine this scenario:

Let’s say you use the same user name and password everywhere.  For example, your user name is always snowmanguy@aol.com and your password is sparky1.  You have lots of online accounts with this login information, including an account at Walmart.com.

One day, Walmart has a security breach and millions of user names and passwords are exposed.  Just to be safe, you go to your Walmart account and change your password.  Problem solved?  No.

Since your user name is also your email address, and the password that leaked from Walmart is the same one you use for your email, the hacker can simply log in to your email account.  He can send and receive email pretending to be you, and he can use the “forgot my password” link on any other site to take over those accounts too.  What if every person in your contact list got an email from you saying, “Help!  I’m on vacation, lost my wallet, and need cash to check out of the hotel – can you wire me some money and I’ll repay you when I’m back home?”  If you have 100 people in your contact list, the scammer is happy if only a few of them fall for it – and that money is lost forever.  Your gullible friends might be a little upset about this.  At the very least, it would cause a lot of confusion that you would need to explain.  Imagine if your contact list has 500 or 1000 people.

And the hacker can then go to your Amazon account (since he already has your login information).  The first thing he does is change the password – so now YOU cannot even log in to your own account.  He orders a few items using the credit card you keep on file with Amazon, and he tells Amazon to ship them to a different address.  It’s common now, with the thousands of foreclosed and empty houses, for scammers to have a package delivered to that kind of place, then just watch for when UPS leaves the package and pick it up later.  And you don’t know anything about it until you see your credit card statement next month (IF you bother to check it for unusual charges – many people don’t, which is another benefit for the bad guys).

And if you have an AOL email address like that, chances are good you use the same user name for Hotmail, Gmail, Yahoo, and others, so the hacker will try those too.

And all you had to do was create a good password and make it different for each website account.  Sometimes it pays to do the thing that’s inconvenient.

3 comments

Marianne Boretz
April 14th, 2014

Hi Scott–

I’ve read that while one’s password at LastPass is protected, the passwords of sites stored at LastPass are not and one should change them all. What do you think?

Marianne

Scott Johnson
April 14th, 2014

I can see the logic behind that. I did change my LastPass password as well though, since the LastPass OpenSSL was updated 6 days ago and may or may not have been vulnerable prior to that.

Marianne Boretz
April 15th, 2014

Thanks. I’ll do it. Soon.