Hopefully by now you’ve heard about the Heartbleed bug that left a good chunk of the Internet—and possibly your personal data—vulnerable for nearly two years. The bug affects OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used to secure the Internet. By some estimates, OpenSSL is used in roughly 500,000 servers, and the bug allows hackers to “scrape” portions of a server’s memory, where sensitive user data may be held, including private data such as usernames, passwords and credit card numbers. Some of the biggest online names were vulnerable, including multiple properties of Yahoo: Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr.
Just as the initial shock of Heartbleed was wearing off, Cisco Systems Inc. (CSCO) and Juniper Networks Inc. (JNPR), two of the largest manufacturers of network equipment, announced that some of their products also contain the Heartbleed bug. That means hackers might be able to capture sensitive information as it moves across corporate networks, home networks and the Internet. Unlike changing a password at a vulnerable website, fixing affected hardware is more difficult. The bluntest statement I’ve read came from Bruce Schneier, a cybersecurity researcher and cryptographer, who said, “The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy.” However, before you run out and buy a new wireless router, keep in mind that products available at retail stores now were likely shipped before the bug was revealed. If you own networking equipment from either of these companies, you may wish to refer to their respective websites for information on the affected products and available patches.
In the aftermath, there are several steps you can, and should, be taking to protect yourself online.
First, resist the temptation to automatically reset all your online passwords. Sadly, I am seeing this advice being given out throughout the Internet. However, identifying the Heartbleed bug was only the first step in rectifying the situation. The next step is for websites to implement patches to close the vulnerability. If you change your password on a site that hasn’t yet been patched, you are still vulnerable. Luckily, there are several sites out there that can identify whether a site was vulnerable in the first place and whether it has since been patched. One site that is being referenced by numerous outlets is LastPass and its Heartbleed checker. By entering the address (URL) of a website, the Heartbleed checker will tell you whether or not the site was ever vulnerable and, if so, whether it has been patched and is therefore safe to use. If the site has been patched, change your password if you haven’t done so already. This is especially true of all online email and financial accounts you have. Luckily, none of the bank, credit card or brokerage accounts I personally have appear to have been exposed to the Heartbleed bug. But, again, it’s important to verify all the sites you use.
You may not find definitive information regarding smaller businesses; in these instances you shouldn’t hesitate to contact them to see if they have information regarding the security of your data with them. As a matter of full disclosure, the AAII websites do not use OpenSSL, so they were not vulnerable to the Heartbleed bug.
Over the coming days and weeks, be on the lookout for unfamiliar charges on your bank, credit card and retail charge accounts. It’s up to you to identify and report fraud to companies exposed to the Heartbleed bug.
In addition, be on the lookout for phishing schemes stemming from Heartbleed. Inevitably, emails will start arriving in the coming days and weeks that appear to be from banks and other sites, stating that the site was vulnerable and asking that you reset your password. These are designed to have you reveal your log-in credentials to thieves. If you get such an email, NEVER click on any links. Instead, first check to see if the site has been patched using a service such as LastPass and, if needed, manually type the site’s URL into your browser and go to its password reset page.
I also expect that scams will arise from services claiming to help you see if you are vulnerable to, or promising to fix, any problems tied to Heartbleed. Before giving out any information, or paying any money, do a little homework to see if they’re legitimate.
It’s difficult to quantify how secure or insecure the Internet really is. Obviously, vulnerabilities such as Heartbleed show that the Internet isn’t 100% secure. However, patching the hundreds of thousands of servers affected by Heartbleed has definitely made the Internet safer. Whenever something as widespread as Heartbleed comes about, there is inevitably a wave of people saying they are “unplugging” and will no longer use the Internet, thinking this will make them more secure. This is far from realistic. The World Wide Web turned 25 earlier this year, and it has become inextricably woven into the fabric of everyday life. It has changed the way we consume news, communicate, shop, bank and invest, and its impact will only grow, not retreat. Instead of shunning the Internet in the face of these security breaches, we must become more vigilant about protecting ourselves when the next vulnerability is, inevitably, exposed.