Dan Catchpole


Heartbleed

What is Heartbleed?

Heartbleed is a bug in a piece of software known as OpenSSL, which many websites use to secure the connection when you log in. It's the S in https:// when you visit a website. Many websites have already fixed the Heartbleed bug by updating OpenSSL to a version where the bug has been patched. However, it is very possible that people have been exploiting this bug for some time. Using this bug, hackers could observe the secure communications between your computer (when logging into a website) and the website's servers, potentially allowing them to view your password information.

Most financial websites and services do not use the OpenSSL software to secure their sites, so most banking websites are not affected by this bug. However, services like Gmail, Yahoo Mail, Facebook, etc. were vulnerable.

More complete technical information about Heartbleed can be found at heartbleed.com.

What Heartbleed isn't

Heartbleed is not a virus, it cannot infect a computer, nor would it be used to gain access to your Windows or Mac logins or passwords. Heartbleed primarily affects companies using OpenSSL to secure their websites.

Recommendations

Checking If You Are Vulnerable

Several tools are available to determine whether or not a website you use was vulnerable to the Heartbleed bug. One such tool is 1Password Watchtower. Enter the URL of a website you would like to check, then click the Check Website button.

This tool will check to see whether a site was vulnerable, and what your next action should be.

Creating New Passwords

When creating new passwords, it has always been a good policy to create strong, unique passwords for each website or service you use. People have a bad habit of reusing passwords across many websites or services, which is why the Heartbleed bug is such a big deal; if a hacker obtains your password for one website and you reuse that password on other sites, they can easily gain access.

There are a number of programs and online services that can help to create and manage strong passwords. Here are links to some of them:

  • 1Password - runs on Windows and Mac, iOS and Android
  • Dashlane - web based
  • LastPass - web based
  • KeePass - open-source free software, runs on Windows, Mac, and Linux, with 3rd-party clients for mobile devices

Two-Factor Authentication

Many services like Google, Microsoft, and Facebook offer users something known as two-factor (or multi-factor) authentication when logging into services.

Two-Factor Authentication works by taking something you know, like a password, and combining it with something you have (a physical token or smartphone app) or something you are (a fingerprint or iris scan). In this way, even if a hacker gained access to your password (one factor), they would still not have the 'something you have'.

The video below helps to explain how this works:

[Video: "Authy" from Authy on Vimeo]

Google also has more information on using Two-Factor Authentication here: Google 2FA. Several staff use 2FA to protect their work and personal accounts. Several companies have created free apps for smartphones that can act as a token for two-factor authentication. Google Authenticator and Authy are two such products.

Next Steps...

You read the whole thing, congrats. Now what?

  • Use 1Password Watchtower to check if a site you have an account on is vulnerable.
  • Go through the website's password reset process; this varies from one site to another, but often a 'Forgot my Password' or 'Reset my Password' link is available on the login page.
  • Create a new, strong, and unique password for each website and service.