Tainted Password Love? Watch Out.

A recently discovered Internet security flaw has serious implications for businesses and consumers. Known as Heartbleed, it is a bug in OpenSSL, the software that many web servers (and mail servers, VPNs and other programs) use to create an encrypted channel between themselves and your browser. For those who are not tech savvy, OpenSSL keeps transmitted data secure so that information like credit card numbers, usernames and passwords is protected when sent over the Web. Because the bug lets an attacker read the server’s memory, a website running an affected version may expose exactly the data OpenSSL was supposed to protect. Unfortunately, the flaw has been in released versions of OpenSSL for about two years (since version 1.0.1 in March 2012) and was only disclosed publicly in April 2014.

An estimated two-thirds of the world’s active web servers use OpenSSL for Secure Sockets Layer (SSL/TLS), and a URL that starts with “https” rather than “http” indicates that the connection is encrypted and your session is secure – or at least that was the theory before Heartbleed.

This flaw makes it possible for an attacker to read up to 64K of the server’s memory with a single malformed request, and to repeat that request as often as they like, each time pulling back whatever happens to be in memory at that moment: usernames, passwords, session cookies or credit card numbers from other people’s recent requests, all readable because the data has already been decrypted by the time it sits in memory. Even worse, the same technique can recover the server’s private encryption key, which would let an attacker impersonate the site or decrypt traffic they had recorded (unless the connection used forward secrecy). As a kicker, heartbeat messages are not logged by default, so exploiting the Heartbleed bug leaves no trace on sites that have been probed, making it nearly impossible to know whether data or keys have been compromised.
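To make the flaw concrete, here is an added example that is not code from the original post or from OpenSSL itself. It reproduces the logic of the bug in a self-contained C program: the “arena” is a constructed stand-in for server memory, the credential string in it is made up, and process_heartbeat mirrors the missing length check in OpenSSL 1.0.1 through 1.0.1f when called unpatched and applies the two bounds checks added in 1.0.1g when called patched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a server's heap: the heartbeat record that just
 * arrived sits first, and data the peer must never see (a made-up credential
 * string) lies right after it, as leftover request data did on real servers. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "user=alice&password=hunter2";   /* constructed */
static const unsigned char hello[] = "hi";                     /* real payload */

enum { TLS1_HB_REQUEST = 1, TLS1_HB_RESPONSE = 2 };
enum { HB_PADDING = 16 };   /* RFC 6520: at least 16 bytes of padding */

/* Encode a request: type, 16-bit payload_length, payload, padding. `claimed`
 * is the length field the peer writes; `actual` is how many payload bytes are
 * really sent (a Heartbleed probe sets claimed >> actual). Returns the record
 * length the TLS layer would report to the handler. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed,
                              const unsigned char *payload, size_t actual)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed >> 8);
    out[2] = (unsigned char)(claimed & 0xff);
    memcpy(out + 3, payload, actual);
    memset(out + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Heartbeat handler. With patched == 0 it mirrors tls1_process_heartbeat() in
 * OpenSSL 1.0.1 through 1.0.1f: the peer-supplied length is trusted and that
 * many bytes are copied into the reply even if the record was far shorter, so
 * the copy runs off the record into adjacent memory. With patched == 1 the two
 * bounds checks added in 1.0.1g are applied. Returns reply length or -1. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             unsigned char *resp, size_t resp_cap, int patched)
{
    const unsigned char *p = rec;
    unsigned int payload;

    if (patched && 1 + 2 + HB_PADDING > rec_len)
        return -1;                     /* too short: silently discard (RFC 6520) */
    if (*p++ != TLS1_HB_REQUEST)
        return -1;
    payload = ((unsigned int)p[0] << 8) | p[1];       /* n2s(p, payload) */
    p += 2;
    if (patched && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                     /* claimed length exceeds the record: discard */
    if (3 + payload + HB_PADDING > resp_cap)
        return -1;                     /* the only check the unpatched code made */
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);      /* unpatched: reads past rec + rec_len */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Lay out a probe ("hi" with an inflated length) followed by the secret, run
 * the handler, and report 1 if the secret came back in the reply, 0 if the
 * reply was clean, -1 if the handler dropped the record. */
static int probe(int patched)
{
    const size_t actual = 2, secret_len = strlen(secret);
    const uint16_t claimed = (uint16_t)(actual + HB_PADDING + secret_len);
    unsigned char resp[ARENA_SIZE];
    size_t rec_len;
    int n;

    memset(arena, 0, sizeof arena);
    rec_len = build_heartbeat(arena, claimed, hello, actual);
    memcpy(arena + rec_len, secret, secret_len);   /* adjacent heap contents */
    n = process_heartbeat(arena, rec_len, resp, sizeof resp, patched);
    if (n < 0)
        return -1;
    /* Reply echo: "hi", 16 padding bytes, then whatever followed in memory. */
    return (size_t)n >= 3 + claimed &&
           memcmp(resp + 3 + actual + HB_PADDING, secret, secret_len) == 0;
}

int vulnerable_handler_leaks(void) { return probe(0) == 1; }
int fixed_handler_rejects(void)    { return probe(1) == -1; }

/* A well-formed request (claimed == actual) still gets a reply after the fix. */
int fixed_handler_answers_benign(void)
{
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_heartbeat(arena, 2, hello, 2);
    int n = process_heartbeat(arena, rec_len, resp, sizeof resp, 1);
    return n == 3 + 2 + HB_PADDING && memcmp(resp + 3, hello, 2) == 0;
}

int main(void)
{
    printf("unpatched leaks secret: %d\nfix drops probe: %d\nfix answers benign: %d\n",
           vulnerable_handler_leaks(), fixed_handler_rejects(), fixed_handler_answers_benign());
    return 0;
}
```

Compile with any C compiler and run it: the unpatched handler echoes the credential string back because it trusts the peer’s 16-bit length field, which is also why a single message can leak at most 64K and why attackers simply repeat the message to sweep through more memory. The patched handler drops the malformed record without replying, exactly as RFC 6520 specifies, while still answering a correctly sized heartbeat.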

Businesses, what you can do: Here is where it really gets technical, so bear with us. If your organization has an e-commerce site or a site requiring a login, check whether it is using OpenSSL (on a Linux server, running “openssl version” shows the installed version; if the site is hosted for you, ask the provider). The Heartbleed bug is present in OpenSSL 1.0.1 through 1.0.1f and in 1.0.2-beta1; the older 0.9.8 and 1.0.0 branches are not affected. Upgrading to OpenSSL 1.0.1g plugs the hole, as does a vendor package that backports the fix, but some distributions patched without changing the version number, so confirm the fix from the package changelog or security advisory rather than trusting the version string alone. After upgrading, restart every service that loaded the old library (web, mail, VPN), because a running process keeps using the copy it started with. Then treat your private keys as compromised: generate new keys, have your digital certificates reissued against them, and revoke the old certificates. Reissuing a certificate with the same key gains nothing. Digital certificates are a key component of the encryption process and are used to verify a web server’s identity. Finally, expire existing user sessions and ask users to change their passwords once the fix is in place. Because of the highly technical and multi-faceted nature of the fix, it’s best to consult with trusted IT resources.

Consumers, what you can do: If you’ve used a site that has the Heartbleed bug, it’s possible your password or other sensitive data may have been compromised. So what should you do?

  • Stop using any sites that have announced that they are subject to the flaw (Google “Heartbleed sites” to get a list). Not sure? Look for an announcement on the site, contact the site operators, or check the site with the Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/), which reports whether the server is still vulnerable.

  • Painful as it might be, change your passwords. All of them! But don’t change the password for a given site until you are certain the site has been patched and has replaced its certificate. Otherwise, you might be handing hackers your new password! Change the passwords for the most sensitive sites, such as online banking, brokerage or e-commerce sites, first.

  • Get in the habit of changing your passwords regularly, and change one immediately whenever a site you use reports a breach. When you create a password, keep these best practices in mind: Use a strong password, one that is at least 8 characters long (12 or more is better) and combines upper and lower case letters, numbers and symbols. Longer is better, and using a phrase is better than a single word: G0lf1sMyF@v0r1t3! (GolfIsMyFavorite) is far stronger than MyP@$$w0rd!, because password-cracking tools try common words with symbol substitutions like “p@$$w0rd” first. 123456 is a terrible password, and so is your dog’s name, no matter how cute he or she is.

  • Choose a unique password for each site. If you reuse passwords across sites, one compromised password lets a hacker into all of your accounts! A password manager makes keeping a different password for every site practical.

Some sites support two-factor authentication, which makes your account harder to take over even if your password leaks. With two-factor authentication enabled, you will be required to enter your username and password as well as an additional piece of information, such as a code sent to you by text message, when you log in. It’s a good practice to enable two-factor authentication on any site that supports it.

Finally, watch your bank statements and other accounts to spot any unusual activity that might result from compromised data.

Stay up to date on the latest Internet threats from sites such as the Microsoft Safety & Security Center (http://www.microsoft.com/security/default.aspx), the United States Computer Emergency Readiness Team (http://www.us-cert.gov/) and the Better Business Bureau (www.bbb.org).

About David Hatter

Dave is a partner at Definity Partners, a BBB Accredited Business, and has more than 20 years of programming and consulting experience as well as numerous industry certifications. He earned his BS in information systems from Northern Kentucky University. He is especially good at solving wicked problems and bridging the gap between business and technology to deliver creative and effective software solutions. Additionally, he has written or contributed to 12 books and written more than 100 articles for various publications like the Cincinnati Business Courier, the Boston Business Journal and the Kentucky Post.