Computerized Investing > April 19, 2014

Protecting Yourself From Heartbleed


by Wayne A. Thorp

Hopefully by now you’ve heard about the Heartbleed bug that left a good chunk of the Internet—and possibly your personal data—vulnerable for nearly two years. The bug impacts OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used to secure the Internet. By some estimates, OpenSSL is used in roughly 500,000 servers, and the bug allows hackers to “scrape” a server’s memory, where sensitive user data is stored, including private data such as usernames, passwords and credit card numbers. Some of the biggest online names were vulnerable, including multiple properties of Yahoo: Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr.

Just as the initial shock of Heartbleed was wearing off, Cisco Systems Inc. (CSCO) and Juniper Networks Inc. (JNPR), two of the largest manufacturers of network equipment, announced that some of their products also contain the Heartbleed bug. That means hackers might be able to capture sensitive information as it moves across corporate networks, home networks and the Internet. Unlike changing a password at a vulnerable website, affected hardware is more difficult to fix. The bluntest statement I’ve read came from Bruce Schneier, a cybersecurity researcher and cryptographer, who said “The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy.” However, before you run out and buy a new wireless router, keep in mind that products available at retail stores now likely were shipped before the bug was revealed. If you own networking equipment from either of these companies, you may wish to refer to their respective websites for information on the impacted products and possible patches.

In the aftermath, there are several steps you can, and should, be taking to protect yourself online.

First, resist the temptation to automatically reset all your online passwords. Sadly, I am seeing advice to do this being given out throughout the Internet. However, identifying the Heartbleed bug was only the first step in rectifying the situation. The next step is for websites to implement patches to close the vulnerability. If you change your password on a site that hasn’t yet been patched, you are still vulnerable. Luckily, there are several sites out there that can identify whether a site was vulnerable in the first place and whether it has been patched. One site that is being referenced by numerous outlets is LastPass and its Heartbleed checker. By entering the address (URL) of a website, the Heartbleed checker will tell you whether or not the site was ever vulnerable and, if so, whether it has been patched and is therefore safe to use. If the site has been patched, change your password if you haven’t done so already. This is especially true of all online email and financial accounts you have. Luckily, none of the bank, credit card or brokerage accounts I personally have appear to have been exposed to the Heartbleed bug. But, again, it’s important to verify all the sites you use.

You may not find definitive information regarding smaller businesses; in these instances you shouldn’t hesitate to contact them to see if they have information regarding the security of your data with them. As a matter of full disclosure, the AAII websites do not use OpenSSL, so they were not vulnerable to the Heartbleed bug.

Over the coming days and weeks, be on the lookout for unfamiliar charges on your bank, credit card and retail charge accounts. It’s up to you to identify and report fraud to companies exposed to the Heartbleed bug.

In addition, be on the lookout for phishing schemes stemming from Heartbleed. Inevitably, emails will start arriving in the coming days and weeks that appear to be from banks and other sites, stating that the site was vulnerable and asking that you reset your password. Such an email is designed to have you reveal your log-in credentials to thieves. If you get such an email, NEVER click on any links. Instead, first check to see if the site has been patched using a service such as LastPass and, if needed, manually type the site’s URL into your browser and go to its password reset page.

I also expect that scams will arise involving services that claim to help you see whether you are vulnerable to Heartbleed or that promise to fix any problems tied to it. Before giving any information out, or paying any money, do a little homework to see if they’re legitimate.

It’s difficult to quantify how secure or insecure the Internet really is. Obviously, vulnerabilities such as Heartbleed show that the Internet isn’t 100% secure. However, patching the hundreds of thousands of servers impacted by Heartbleed definitely has made the Internet safer. Whenever something as widespread as Heartbleed comes about, there is inevitably a wave of people saying they are “unplugging” and will no longer use the Internet, thinking this will make them more secure. This is far from realistic. The World Wide Web turned 25 earlier this year, and it has become inextricably woven into the fabric of everyday life. It has changed the way we consume news, communicate, shop, bank and invest, and its impact will only grow, not retreat. Instead of shunning the Internet in the face of these security breaches, we must become more vigilant to protect ourselves when the next vulnerability is, inevitably, exposed.


James Dolan from MA posted over 4 years ago:

Thank you, I agree.

Eric Bressler from MN posted over 4 years ago:

One would think that financial institutions wouldn't use OpenSSL, but one of mine, USAA, did. It was a time-consuming task to check on the web sites and change passwords on the ones that had already been patched, requiring several hours. But it was an important part of my financial security.

B Mc Calister from GA posted over 4 years ago:

This is the best explanation of, and suggested remedy to, the "Heartbleed" situation I have seen. Thank you.

Terry Allaway from CA posted over 4 years ago:

Thanks for the link to LastPass and its Heartbleed Checker. I found some sites vulnerable that I hadn't already caught. Much better than all the wild-eyed hysteria out there!

Marvin Smith from IL posted over 4 years ago:

Thanks for the info. I'll have to visit LastPass soon.

William Crutcher from TX posted over 4 years ago:

This is the most reasonable advice I have seen so far! Thanks.

Jatinder Mehta from PA posted over 4 years ago:

Thanks a bundle.

Scott from MI posted over 4 years ago:

I am not sure replacing home routers is going to be necessary. Most of these devices are able to upgrade the firmware that runs in them. Most are addressed by an IP address from within the user's network. From there a control menu may allow the firmware to be upgraded. I have never seen a manufacturer charge for this type of upgrade.

Wayne Thorp from IL posted over 4 years ago:

Yes, users can certainly update their firmware, but the typical computer user I know would have a hard time doing it themselves. If they can, then definitely do it. Otherwise, a new router for less than $100 is a worthwhile investment. But, again, check to see if the new router is free of the Heartbleed vulnerability. A small price to pay to ensure you are protected.

James Hansen from CA posted over 4 years ago:

Thank you for the article!

J Jones from OH posted over 4 years ago:

Unfortunately, I cannot print this article so I cannot save it for future reference.

Wayne Thorp from IL posted over 4 years ago:

@J Jones, click the Print button at the top of the article. From there you have multiple options, including printing to PDF.
