April 11th, 2014 by admin
We don't want to inundate you with more background information about the Heartbleed bug (you've been bombarded with it across the internet and daily news since it was announced Tuesday!), but rather outline the critical takeaways and action points you should take right now to protect yourself from possible future harm.
New information is released about Heartbleed every hour, and frankly, it's downright difficult to stay on top of the most critical news. Who exactly is at risk? Was my information compromised? Should I be concerned?
Though it is not yet known for certain if criminals have accessed private keys by taking advantage of the Heartbleed security flaw, The New York Times wrote on Wednesday, April 9th:
"In the worst-case scenario, criminal enterprises, intelligence agencies, and state-sponsored hackers have known about Heartbleed for more than two years, and have used it to systematically access almost everyone’s encrypted data. If this is true, then anyone who does anything on the Internet has likely been affected by the bug."
This article goes on to say that "before you panic, it is worth remembering that, at this point, we don’t know how close we are to the worst-case scenario. It is possible, though improbable, that the security researchers who exposed this flaw were, in fact, the first people to find it, which would mean that it has only been known about, and exploited, for a few days."
In other words, we really don't know the exact extent of the damage done.
Though companies like CloudFlare have set up the Heartbleed Challenge, asking hackers around the world to try their skills at accessing the secret keys from a vulnerable site to determine if it really is possible, no one has successfully done it...yet.
We're certain a great deal more information will be unearthed in the hours, days, and weeks that follow this article, but for now, we will outline the most important action points you should be taking now.
Critical Action Points
- Even if you haven't used Yahoo mail in years, it is quite possible you opened a Yahoo account at some point in the past (perhaps even forgot you had one) and that your login information may be the same or similar to your login information on other websites. It is imperative you change your Yahoo password and then change any passwords on other sites that are the same or similar to your Yahoo password! This is especially important if a site might use your Yahoo mail address for your account's login name or password recovery. Hackers frequently try known passwords for email addresses at a bunch of sites to try to penetrate even just one of them, which is why changing your login credentials is absolutely critical.
- We advise changing passwords of ANY site having your personal or financial information, and due to the practice mentioned above, it’s necessary to have them all be different from each other. Yes, this is a massive pain in the you know what, but it's best to take these precautions just in case.
- Half a million widely trusted sites were vulnerable to the Heartbleed bug.Test if a site you are using is vulnerable here: Heartbleed Site CheckerIf you use the Chrome browser, there is a plugin that will alert the user if a site they are visiting is vulnerable to the bug.Follow this link to install the Chromebleed checker. If the plugin alerts you to a site that is still vulnerable, we recommend not logging in to that site until they have patched their servers.
However, just because a site is not vulnerable NOW, doesn’t mean it wasn’t vulnerable at some time in the past 2 years!
This is why we recommend changing your passwords everywhere - you can never be too careful!
Most large online websites have already taken the relevant steps to protect their users, but smaller sites will take a bit longer to get this going.
Nine hours into the CloudFlare Heartbleed challenge, the first secret key was brought forward. Several other challengers were able to access the key soon after, proving an attacker can in fact access a key from a vulnerable server.
The Heartbleed vulnerability is a very real threat to our identities and private information - this is even more reason to follow our Critical Action Points above.
Posted in: Cyber and Data Security