Roughly two-thirds of the Web is encrypted with OpenSSL, a library that the world learned this month suffers from a major flaw nicknamed the Heartbleed bug.
When exploited, Heartbleed lets an attacker read chunks of the affected server's memory, which can contain sensitive data such as usernames, passwords, session cookies and even the server's private key. While many previously vulnerable websites such as Gmail, Dropbox and Facebook have since patched their services, there is still a need for Internet users to protect themselves.
Whenever a major security news story breaks it’s important, of course, to separate the hype from the threat. At this point it’s near impossible for the Heartbleed bug to live up to the level of hype, but that doesn’t diminish the threat.
Now that system administrators have patched their servers, there are a few ways you can improve your security.
Resetting Passwords
I’m sure you’ve received dozens of emails saying it’s a good idea to change your password, and it’s hard to say if changing all your passwords is overkill. With that said, no security professional would recommend against updating your passwords. One caveat: a new password only helps once the site has actually patched, because a password typed into a still-vulnerable server can leak just like the old one did.
- Immediately change the password on any site that sends you an e-mail, but go to the site directly rather than through a link in the message, since attackers send fake "reset your password" e-mails too. Then as you log into other services, make a habit of changing your passwords there as well.
- If you reuse the same password on many sites, stop. Update your password on every site you use that password on with a new, different password.
- It helps a lot to have a password manager to keep track of your passwords in this process. If you’re managing your personal passwords, I’d recommend using the excellent 1Password. If you’re updating shared or business passwords, I’d recommend TeamPassword, a startup I cofounded.
Both solutions have random password generators. There’s no reason not to use a unique, complex password when you let your computer remember it for you.
Time-Based / Multi-Factor Authentication
Where possible, opt in to using two-factor authentication.
The Heartbleed bug made it possible to see a user’s username and password. Two-factor authentication (TFA) requires the attacker to also have access to your phone to log into your account.
- TFA is a great idea on any service that has your payment information. If you remember the story of how Twitter handle @mat got hacked, or how Twitter handle @n was stolen, both could have been prevented with TFA enabled on seemingly harmless websites.
- The same applies here. TFA throws in an extra piece of information that a leaked password alone does not give an attacker. Even if a server leaks your six-digit code, a time-based code is only valid for a short window (30 seconds is the usual time step) and a well-built service accepts each code once, so a leaked code is useless within a minute. One caveat: Heartbleed could also expose active session cookies, which let an attacker into an account without logging in at all, so log out of important services once they have patched to invalidate any session that may have leaked.
Data Compromised?
In the follow-up e-mails you’ve seen since Heartbleed, it’s likely that they’ve said that there is no sign data has been grabbed by hackers. While this may be true, exploiting this bug leaves no trace in ordinary server logs, so an absence of evidence means very little. As such, it’s difficult for researchers to quantify how big of a problem Heartbleed has been.
- On one hand, the attackers need a bit of luck: each request returns up to 64 KB of whatever happened to be in the server’s memory next to the heartbeat buffer, and they cannot choose what that is. If it happened to contain your username and password, you were very unlucky.
- The problem is that this bug has existed since OpenSSL 1.0.1 shipped in March 2012, roughly two years, so a hacker who knew how to exploit Heartbleed to steal information could have done so many times. Each fishing trip they’ve taken into server memory increases the odds that they get something useful.
- The best course moving forward is constant vigilance. I would not recommend taking any service at their word that they were not compromised. I also wouldn’t jump to changing your bank account. This is where having a good understanding of what type of data you’re sending over Secure Sockets Layer (SSL) matters.
It can be hard to say what the best course of action is for you, so I’d like to offer to help. If you have any concerns or fears related to this security issue or others, please send me an e-mail and I’ll do everything I can to help get you back on track.