Heartbleed Leaving You Heartbroken? - What To Know and What To Do
One of the web’s most popular security protocols has a major flaw. Nicknamed Heartbleed, it could be one of the worst flaws discovered in recent times. What exactly is Heartbleed and what should you do to protect yourself?
Over the past week, the OpenSSL project has published an advisory about a major internet security bug, nicknamed Heartbleed, in OpenSSL, the encryption library that most sites on the internet use.
You're probably wondering why you need to worry about this. After all, security issues on the internet seem to be talked about all the time, with something new to worry about appearing most weeks. This time, though, the problem is very serious: security expert Bruce Schneier has described it as "catastrophic".
The reason you need to worry is that this bug in OpenSSL, which is used by some of the most popular sites such as Google, Yahoo and Facebook, may have been exposing your passwords, personal information and chats: basically anything that should have been protected by encryption (scrambling the data so that no one unauthorised can read it).
In a seemingly confusing message, users are being told not to change their passwords yet. The reason is that if you change your password before the site has fixed the problem, your new password is exposed too.
So what do you do now that you know your passwords may have been exposed, but you can't change them yet? You protect yourself as best you can, and there are a couple of ways to do this:
Two Factor Authentication (2FA)
Most sites that store important information support two factor authentication: a way of verifying your identity through more than one method. Usually this means the usual username and password login, followed by a second check that it really is you requesting the login, such as a code from an authenticator app or a text message to your phone containing a code.
For a list of sites that currently support two factor authentication, visit here.
A good example of why this is necessary:
In October, Adobe was hacked, and I had an account there with my Microsoft email and, foolishly, had used the same password for both Adobe and Hotmail. I rushed to change the Microsoft password and deleted my Adobe account as I rarely used it. I enabled 2FA on my Hotmail a few weeks later and found that there had been over 150 unauthorised attempts to access my account with my old password from all over the world, including Vietnam, China, Australia, Russia and the US.
If I hadn't been able to react immediately to the Adobe hack, 2FA would have protected my account, as even with the password the people trying to access it would never have got in.
2FA is a great way to protect yourself, and will come in very useful if any of your passwords have been exposed due to Heartbleed.
When you log into a website, most browsers prompt you if you want to save the password.
Most of us choose to have the browser save the password for us. With so many sites and so many different passwords, we need some way to remember them all. However, as soon as that password is saved - written down somewhere - it is less secure. So the problem is: how do you write them all down but keep them secure?
That's where password managers like LastPass or Dashlane come in. If you want to learn exactly why these services are more secure than your browser, take a look here and here.
Effectively what happens is that all your passwords are encrypted by the service, and the key that unlocks them is derived from a master password you create. The stored information stays encrypted until you enter that master password locally on your PC. This means the key is never sent over the internet, so no one can snoop on it.
These services have come a long way over the past year. Since we all use many devices to browse the internet - laptop, tablet, phone etc. - the service is only helpful if you can access your passwords across all devices.
I personally use LastPass and really like and trust it. Just in the past few weeks they have been great: they have added an app login for Android, so you can use LastPass to enter passwords into your apps, saving you the need to look them up.
One of the most impressive things they've done is in response to Heartbleed: they check your stored sites and advise you whether you should change your password for affected sites yet, based on whether the site has fixed the issue. This is a great and really powerful tool.
One of the other features I particularly like is the security check. It analyses (locally on your device) your passwords for strength and for repetition across sites, and gives you a security rating. When I first ran this test I only got 28%, and I didn't even really think I had much of a problem!
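The kind of check described above can be done entirely on your own machine. Here is an added example (not LastPass's code, and the scoring rule and common-password list are my own assumptions) that audits a constructed sample vault for short, low-variety, commonly used and, most importantly, reused passwords, then reports a percentage rating like the one in the post.

```python
from collections import defaultdict

# Constructed sample vault for the demo (site -> password); these are not real credentials.
SAMPLE_VAULT = {
    "mail.example": "correct horse battery staple",
    "shop.example": "Summer2014",
    "bank.example": "Tr0ub4dor&3!xQ",
    "forum.example": "Summer2014",
    "social.example": "password",
}

# Tiny stand-in for the breached/common-password list a real manager would ship (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_issues(pw: str) -> list:
    """Per-password checks; everything runs locally, nothing leaves the device."""
    issues = []
    if len(pw) < 12:
        issues.append("short")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    # Long passphrases are fine with few character classes; short passwords are not.
    if classes < 3 and len(pw) < 16:
        issues.append("low-variety")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("common")
    return issues


def audit_vault(vault: dict) -> tuple:
    """Return (score, per-site issues). Score = percentage of sites with no issues at all."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    report = {}
    for site, pw in vault.items():
        issues = password_issues(pw)
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")  # one breach (like Adobe's) would unlock every site in this group
        report[site] = issues
    healthy = sum(1 for issues in report.values() if not issues)
    score = round(100 * healthy / len(vault)) if vault else 100
    return score, report


if __name__ == "__main__":
    score, report = audit_vault(SAMPLE_VAULT)
    print(f"security rating: {score}%")
    for site, issues in sorted(report.items()):
        print(f"  {site:15} {', '.join(issues) or 'ok'}")
```

The sample vault scores 40%: two of the five sites are clean, and the reused "Summer2014" is flagged on both sites that share it, which is exactly the pattern that turned the Adobe breach into a Hotmail problem.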
With so much of our lives stored and managed online, securing your data is very important. Although Heartbleed is one of the worst cases of faulty internet security we've seen in quite some time, incidents like these are quite common. If there is a positive to Heartbleed, it is that it has brought this conversation into the mainstream, something that hasn't properly happened since the mobile computing boom.
Of course, the other issue is that 'Heartbleed' doesn't sound all that scary. Although it's not a nice word, it weirdly sounds almost pleasant, which can unfortunately trivialise the issue.
[In case you were wondering where the name came from: the vulnerability is in an extension called Heartbeat.]
I have taken the journey to protect myself too, through 2FA and LastPass, so if you have any questions, give me a shout either in the comments below or on Twitter at @jimjamfroo.
Other great information:
- Lifehacker - Is LastPass Secure?
- Lifehacker - Everywhere you should enable two factor authentication
Currently Listening: Ginger - Body Parts
Currently Reading: Miracles Now - Gabrielle Bernstein