The critical, widespread Heartbleed bug and you: How to keep your private info safe

Heartbleed is a devastating bug that shatters online encryption efforts

No matter how hard you try to stay safe, some aspects of securing your online data are completely out of your hands. That fact was made painfully obvious on Monday, when the Internet got caught with its collective pants down thanks to a critical vulnerability affecting a fundamental tool for secure online communications.

Called Heartbleed, the bug has been in the wild for more than two years now. It allows attackers to exploit a critical programming flaw in OpenSSL--an open source implementation of the SSL/TLS encryption protocol.

When exploited, the flaw leaks data from a server's memory, which could include SSL site keys, usernames and passwords, and even personal user data such as email, instant messages, and files, according to Finland-based Codenomicon, the security firm that first uncovered Heartbleed in concert with a Google researcher.

That's bad. Real bad, though it's important to note that Heartbleed only affects OpenSSL and not the security protocol itself.

But due to OpenSSL's popularity with website administrators, the potential number of affected websites is huge. Security and Internet research firm Netcraft estimates that Heartbleed affects around half a million "widely trusted websites."

Yahoo has already said it was hit by the Heartbleed bug and Yahoo-owned Tumblr is advising users to update their passwords ASAP.

"On the scale of 1 to 10, this [Heartbleed] is an 11," respected security expert Bruce Schneier said on his blog.

Yes, this bug is pretty serious and almost certainly affects at least one of your online accounts. But now that we've got the scary stuff out of the way, let's talk about some of the practical measures you need to know about.

Keep calm and...

Thanks to Hearbleed it's possible that some unscrupulous actors online could have your username and password. And you should definitely change your password on any site that says it was affected.

But here's the thing: While OpenSSL already has a fix available, changing your username and password before a site patches its servers achieves nothing. In fact, it could make things worse.

"You should change password after the service provider has patched their site. Otherwise you just contribute to the data that can be stolen," Codenomicon spokesperson Ari Takanen told us via email.

...don't carry on

Heartbleed was publicized on Monday. So by now, many sites should have scrambled (or are scrambling) to patch their servers. You can find out if a site is still affected by Heartbleed using online checkers provided by LastPass, Qualsys, or Filippo Valsorda.

If you find that a site you use often is still affected by the vulnerability, Codenomicon advises to take a "day off" from that site. Heartbleed only exposes data that's held in a server's memory (RAM). This isn't a break-in and read the database type flaw. Your data needs to be in a server's memory when it's attacked to be exposed.

That's one reason why changing your password before a site is patched could actually be worse than doing nothing, especially now that Heartbleed is public knowledge.

Other considerations

Security flaws like this are also a good time for some reminders about how best to secure your online accounts.

You should really be using two-factor authentication for all your accounts that offer it. Two-factor authentication requires you to enter an extra code before accessing your online accounts. The code is typically generated by a smartphone app or keychain dongle, but you can also receive codes to your phone via SMS.

This extra step requires attackers to know how to generate your two-factor authentication code before they can login to your account. In the case of Heartbleed, two-factor authentication may not have been as useful a defense, but in general this extra step helps keep your account safer than it was.

Use a password manager

Now's a good time to start using a password manager especially if you're going to be changing some user logins over the next few days. A password manager makes it easy to generate randomized passwords using a combination of letters, numbers, and special characters. It also relieves you of having to memorize every one of those overly complex codes.

Password managers often come with other features as well such as secure notes, and autofill for online forms.

There are many options out there for password managers, but some of our favorites include LastPass, Dashlane, and KeePass. LastPass recently said in a blog post that it was using the version of OpenSSL affected by Heartbleed; however, because the service encrypts your data before transmitting it online, the company says its users were not at risk of having their data exposed to the bad guys.

Heartbleed is certainly a nasty little bug that needs to be taken seriously. But considering it's been in the wild for more than two years, there's not much a user can do now except wait patiently for affected sites to patch their servers before changing any passwords.

Once those sites are patched, however, you'll want to change your password as soon as possible.

Join the CSO newsletter!

Error: Please check your email address.

Tags CodenomiconGooglesecuritypasswordsNetcraft

More about GoogleNetcraftYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ian Paul

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place