[ALERT] Heartbleed – What to do and what NOT to do

 

Late on April 7 news came out that a key piece of software used by a majority of websites for secure transmission of information including logon passwords was broken.  Since that time websites and organizations have been scrambling to put in place a fix.  For the majority of major websites that work has been done, now it is time for you to do your part.

WARNING – Watch for Malicious Phishing and Spam
Be very wary of any emails requesting that you change your password for a particular web site.  Cyber criminals are taking advantage of the publicity around Heartbleed to send “phishing” messages in order to lure people into divulging their logon credentials for financial institutions, email services and other important Internet sites.

Do NOT click on any links in emails requesting you to change your password. Instead, use your web browser and either type in the address of the site or use a bookmark for the site to get to the login page.  Remember, malicious emails can be crafted to look identical to an authentic email – it can be very difficult to distinguish between the two types.

What are the risks?
The software bug responsible for Heartbleed has been in use since March of 2012 yet the bug was publicly disclosed only this week (April 7, 2014).  It is therefore quite possible that prior to the public disclosure “blackhat” hackers have also discovered this vulnerability and have exploited it to obtain login information (usernames and passwords) from susceptible websites.

How many websites and which ones are or were vulnerable?  A lot!  Review the lists and links below for details.  In short approximately 13% of the top 1 million websites were probably vulnerable originally.  The list includes a great many of the most important web sites including all Google sites (Gmail, YouTube etc.), Dropbox Facebook, Yahoo!, Netflix and many others.

It is therefore strongly advisable that passwords be changed for websites and services that hold important information or for which hijacking could pose major problems (e.g. email, commerce, financial, social media).

For more information on the Heartbleed bug look here:
http://heartbleed.com/

Recommended Action
Unless a website is specifically called out in the Good News section below or in the Mashable list you should plan on changing the password.  The following are the sites/services you should change first:

  • Email – e.g. Yahoo & Gmail, (the exceptions being Microsoft, Apple and AOL services which were never vulnerable)
  • Financial – banks & brokerages (with the exception of those listed as OK)
  • Social networking – Facebook, Instagram, Pintrest, Tumblr.  (LinkedIn is listed as OK)
  • Entertainment – Netflix, Flickr, YouTube (a Gmail change will also do YouTube)

The Good News – websites and services that were unaffected
The following is a short list of websites that are documented as being unaffected by Heartbleed.

Note: if you use the same password on one of these sites and on an affected site you still NEED to change the password on the unaffected site as it may have been leaked from the vulnerable site. This is one of the downsides of using one password for multiple sites.

  • Most US and Canadian financial institutions (see the Mashable link below and scroll down to Banks and Brokerages)
  • Office 365, Hotmail, Outlook.com, Skype and other Microsoft websites
  • Apple & iCloud
  • Amazon.com, EBay, Groupon, Nordstrom, PayPal, Target, Walmart
  • IRS
  • Evernote
  • These password managers: LastPass, 1Password & Dashlane

Final Note
Take this as an opportunity to put your password house in order.  Make sure that email, financial and other critical websites do not share passwords with other sites.  Email should always have a unique password.

Passwords should never be either a dictionary word or a dictionary word surrounded by some numbers or symbols (e.g. !Francisco67) – password cracking tools used by hackers can break these passwords easily.

The best approach to using secure and unique passwords is to use a password manager such as LastPass or 1Password.  They can also make your life easier by automatically filling in username and password fields in web browsers.
https://lastpass.com
https://agilebits.com/onepassword

 

References and resources
Mashable Heartbleed Hit List: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Test a site with LastPass: https://lastpass.com/heartbleed/
Heartbleed bug unformation: http://heartbleed.com/

Speak Your Mind

*