April 11, 2014
<b>What’s all this about Heartbleed?</b>
On April 7, researchers found a flaw in a popular tool used to secure Internet traffic. That tool, called OpenSSL, provides the encryption behind many secure connections on the Internet. The bug, named Heartbleed, allows an attacker to capture usernames, passwords and other information from an affected server. OpenSSL is not used by every website, so many are not affected by this vulnerability.
<b>Why does this matter?</b>
Some sites on the Internet rely on OpenSSL to protect secure traffic. At least 500,000 servers worldwide appear to be affected by the bug, and some personal computers and mobile devices are also affected. Until the bulk of affected computers are fixed, or “patched,” any secure site (e.g., https://) on the Internet is potentially dangerous to visit. Many companies are sending their customers status updates such as “all clear” or “not vulnerable.” A tool has also been produced to test whether a website is vulnerable (<a href="http://filippo.io/Heartbleed/"><b>http://filippo.io/Heartbleed/</b></a>).
<b>What should I do?</b>
Do not panic. While this is a serious vulnerability, server administrators around the world are working around the clock to reduce the risk. Nevertheless, there are some things you can do while the world catches up:
<ul><li>Be suspicious of any e-mails asking you for personal and/or sensitive information, as there may be an increase in phishing attempts.</li>
<li>Remember that legitimate e-mails will never ask you to respond with sensitive information such as passwords, Social Security numbers, or bank account numbers.</li>
<li>Apply the latest security updates to your home and work computers, as well as to your mobile devices.</li>
<li>When in doubt, ask! Contact the Customer Service department at the company in question; they should be aware of the Heartbleed vulnerability and whether or not the correspondence you received is legitimate.</li>
<li>Make sure you are not using the same passwords on multiple sites.</li>
<li>Change your password on sites that have been affected by Heartbleed once the servers have been patched. If you change your password before the site fixes the Heartbleed vulnerability, you have potentially allowed the new password to be compromised as well.</li></ul>
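The “apply the latest updates” and “wait until the server is patched” advice both come down to one question: is a given OpenSSL build from the range that shipped the bug? The script below is an added example, not part of this advisory or of the OpenSSL project; it assumes the affected range published by the OpenSSL project (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g and later fixed, the 1.0.0 and 0.9.8 branches never affected) and reads the version string in the format printed by <code>openssl version</code>.

```python
import re
import ssl

# Version string as printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.1e-fips 11 Feb 2013". The trailing letter is the patch release.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letter); the letter is '' for a .0 release."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version string found in: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def heartbleed_status(text):
    """Classify a version string as 'vulnerable', 'fixed' or 'unaffected'.

    Caveat: many Linux distributions backported the fix without changing the
    upstream version letter, so a 'vulnerable' verdict here means "check the
    package changelog", not "definitely exposed". A 'fixed' verdict also says
    nothing about whether keys and passwords were already exposed before the
    patch was applied.
    """
    major, minor, fix, letter = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f shipped the bug; 1.0.1g fixed it.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2) and "beta1" in text:
        return "vulnerable"  # the only 1.0.2 pre-release that carried the bug
    if (major, minor, fix) > (1, 0, 1):
        return "fixed"
    return "unaffected"  # 1.0.0, 0.9.8 and older never had the heartbeat code


def local_status():
    """Status of the OpenSSL library this Python interpreter is linked against."""
    return heartbleed_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample strings in the `openssl version` format.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014"):
        print(sample, "->", heartbleed_status(sample))
    print("this interpreter:", ssl.OPENSSL_VERSION, "->", local_status())
```

On a distribution package, pair the verdict with the vendor's security notice for the installed package version, since the letter alone cannot see a backported fix.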
<b>What about Google, Facebook &amp; Other Social Media sites?</b>
Most of the big social media sites have issued statements regarding the status of their sites. See the Mashable Heartbleed Hit List article below for more information about many of the larger sites that have released information.
<ul><li>Background Info: <a href="http://heartbleed.com/"><b>The Heartbleed Bug</b></a></li>
<li>NPR Marketplace story: <a href="http://www.marketplace.org/topics/tech/heartache-heartbleed"><b>The Heartache of Heartbleed</b></a></li>
<li>Brian Krebs: <a href="http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/"><b>What Can You Do?</b></a></li>
<li>Mashable Heartbleed Hit List: <a href="http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/"><b>The Passwords You Need to Change Right Now</b></a></li></ul>