Some of you know me personally, and can attest that I’m not prone to exaggeration or marketing hype. This is a major, immediate risk to almost all businesses and you need to do something about it ASAP.
Let’s start with a plain-English explanation of the Heartbleed Bug. Your bank usually tells you to look out for the green padlock on their website and the “S” in https:// in the URL address at the top of your browser. Those signify that your browser is exchanging sensitive information in a secure, encrypted manner known as SSL.
On April 7, 2014, a severe security issue was identified with SSL, one of the most fundamental systems of the Internet. The security of those https:// sites you visit has been a false guarantee since 2012! It actually exposed your information more than websites without it.
The good news (and there isn’t much of that) is that the software with this bug has been fixed. The bad news is that you continue to be at risk until every site you access can implement that fix.
Still don’t think this is a danger to you? As of April 8, 2014, here is a small, partial list of popular sites that were compromised: Amazon Web Services (not Amazon.com store), Apple, Box, Deutsche Bank, Dropbox, eBay, Etsy, Evernote, Facebook, FBI (!), Flickr, GitHub, GoDaddy, Google (including Gmail), H&R Block, Healthcare.gov, IFTTT, Instagram, Intuit, IRS, Minecraft, Netflix, OKCupid, Pinterest, SoundCloud, Tumblr, Twitter, Wunderlist, Yahoo (incl. Yahoo Mail).
At this point it is a reasonable assumption that a hacker somewhere has your passwords. This problem may include internet services other than websites, such as the email account your ISP may provide for you or even Skype. Here’s the scariest part of all — most of us (myself included) use a few passwords for everything. I have 10-15 online services that I access, and I use the same password to get into all of them. So if hackers get your password from one compromised site, they could get into many, many other sites that you use.
OK – let’s cut to the part about protecting your information and taking action.
- Change all of your passwords ASAP. Yes, *ALL* of them. You bet it’s a pain and time-consuming, but it’s essential. Tip – find and start using a good password manager. See below for recommendations.
- Keep an eye on your account activity for banks and credit cards.
- Find out which of your banks, credit card companies and other online services still have not implemented the Heartbleed fix, and encourage them to do so or find another service. See the Heartbleed help page for how to do this.
- You’re really not going to like this. In a few weeks or months, change ALL of your passwords again. That’s because Heartbleed still exists and is compromising us right now. That will continue until every site you use (that has https pages) has been patched. Tip – use a password manager to save time and your sanity.
Valuable Heartbleed Tips, Tools and Recommendations!
My staff and I have been going nuts helping our clients with this. It’s been overwhelming, but absolutely necessary. During that chaos, we’ve assembled several tips, tools and recommendations such as:
- How to look up specific sites that you use and see if Heartbleed is still an issue
- Password manager recommendations
- List of hundreds of sites that were still compromised as of April 8, 2014
All of that is available now – go to the Heartbleed Page on the Root-InfoTech website, all free for clients and Right Clique Weekly readers.