News sites are awash this evening with news of a scary-sounding exploit called Heartbleed. Details abound, but they're all technical. What does it mean? Could it affect you? Are your online accounts (including banking and credit cards) safe? How can you protect yourself? We have an explanation for you of what it is, what the risks are, and what you can do to protect yourself as much as possible. Check out the details below, and please do share with friends if you find our post helpful.
What Heartbleed Is
Heartbleed is a vulnerability that was just discovered in a certain type of secure server software known as OpenSSL. What that means is that on sites that use that type of encryption, the lock in the address bar that is meant to signify safety was actually a way for hackers to get information from those sites. Many sites have fixed the vulnerability already, but it still exists in some.
Why it’s Dangerous
- The vulnerability was just discovered but has actually been open for up to two years.
- It was capable of gaining data including PASSWORDS, LOGINS, possibly CREDIT CARD DATA and showing unencrypted traffic and communication.
- It left no trace, so sites have no way to know whether they've been exploited/data mined or not.
- It affected major sites including Yahoo (including Tumblr and Flickr), some banks, and Imgur, and even the TOR project, which is a standard for secure anonymous browsing, has been vulnerable in some areas. Ad servers and outbrain.com were also affected, and those could be found on about ANY site, either in the form of ads (pretty much any provided by anyone other than Google) or because Outbrain directs traffic for many, many sites.
- Of concern to those of us who play Farmville: Adobe Flash, the platform the game is coded and played on, also issued a software update to close the gap.
- There was some information that even visiting an affected site WITHOUT logging in could have led to data being compromised.
What you can do
- CHANGE YOUR PASSWORDS on any and all online accounts. Some major sites like FACEBOOK and GOOGLE were NOT AFFECTED, but if you've visited any affected sites, it's safer to change passwords on all. Update: the day after this was posted, Google announced that they WERE AFFECTED after all. The online tools showed them as not vulnerable, which is why it is important to change everything. FACEBOOK was not affected in the current round, but may have been in the past (remember this bug is up to 2 years old). Their announcement:
"We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed. We haven't detected any signs of suspicious account activity, but we encourage people to ... set up a unique password."
- Contact your BANK, CREDIT CARD CARRIERS and any MERCHANTS that you have recently shopped online with to determine whether or not they were affected and what protections are in place.
- UPDATE any software such as FLASH and any others that issue security updates.
- BE VIGILANT with banking/credit card statement activity for a few months.
- Be careful in general: even if you visit an affected site without logging in, there is a chance that you can be affected. Change passwords often, and if the email account that you use to log into other accounts is affected, change that password too.
- Keep your eyes peeled for news and updates about the effects of this vulnerability.
- There are tools out there like this one to test if sites are affected, but there is no outside documentation of their accuracy.
- GitHub offers a list of sites that are and are not vulnerable, but some may have already done repairs.
Sources and further reading
CNET, TechCrunch and ZDNet are well known and respected tech sources. heartbleed.com is dedicated to keeping people apprised of what is going on with the Heartbleed bug. The Verge.