Geek Girl Report Special Edition – What You Need To Know About The Heartbleed Security Breach
As my readers know, I don't do fear mongering. I'm not one for getting all bent out of shape and panicking over the latest computer virus or online threat. I like to take things calmly, gathering all the information I can before rushing off to warn the masses about something that may or may not be an issue at all. However, this week something has come up that is a serious issue for online security, and if you use the Internet in any capacity, this will affect you, either directly or indirectly. It's called Heartbleed, and to put it bluntly, it's one of the biggest threats to online security that the Internet has seen in a long time.
What is Heartbleed?
Heartbleed is not so much a virus as it is a vulnerability. Specifically, it is a security vulnerability in OpenSSL, a very popular open-source protocol that is widely used for Web encryption. Roughly 65% of all websites use OpenSSL to protect usernames, passwords, and other very sensitive information, which is usually denoted by a little lock in the upper-left corner of the address bar. But this Heartbleed flaw, which allows hackers to pull information from a server's memory and basically eavesdrop on, and potentially decrypt, Internet traffic, has gone undetected for the past two years. And here's the really bad news: there's not a whole lot we can do about it. This is a flaw on the server side, and it is each site's responsibility to update its servers to prevent Heartbleed from doing any more damage. But having gone undetected for so long, the damage may have already been done.
What can I do?
Your gut reaction may be to rush out and change all your passwords immediately. But if the site you're trying to access is still vulnerable, changing your password won't do any good, and could actually compound the problem. So, as nerve-wracking as it may be, the best thing to do is wait and try not to log in to any affected sites. If you ever wanted an excuse to take a hiatus from the Internet, now's the time to do it. That being said, you may still want to keep an eye on those sites until you receive confirmation that the site has been fixed.
Once a site has been patched and you get the "all clear," you need to change your passwords on those sites immediately. Specifically, change your password on E-mail and banking services first, then on social media and so forth. Also, if you happened to share your info with a small business site, you may want to reach out to them and ask whether they are aware of Heartbleed and have updated their sites against it. The same goes for any company that has not been completely forthcoming about whether or not it was affected by Heartbleed.
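One way to back up an "all clear" with something you can verify yourself, as an added example that is not part of the original post: because Heartbleed exposes server memory, a site that patched OpenSSL but kept its old certificate may still be using a key that was read out while it was vulnerable, so a certificate whose validity period begins after the site's announced fix is a useful sign that the cleanup was complete. The script below uses only Python's standard `ssl` and `socket` modules; the date you pass as the all-clear is your own input (the date the site announced its fix), and the sample certificate timestamps in the test are constructed values, not real sites.

```python
"""Check whether a site's TLS certificate was issued after its Heartbleed fix.

Added example (not from the original post). It assumes you already know the
date on which the site announced it was patched; that date is supplied by
the caller as an ISO string such as "2014-04-08".
"""
import socket
import ssl
from datetime import datetime, timezone


def parse_cert_time(value):
    """Convert a notBefore/notAfter string as returned by ssl.getpeercert()
    (for example 'Apr  9 12:00:00 2014 GMT') into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def reissued_after(not_before, all_clear_iso):
    """True if the certificate's validity starts on or after the all-clear
    date (given as 'YYYY-MM-DD', interpreted as midnight UTC)."""
    all_clear = datetime.fromisoformat(all_clear_iso).replace(tzinfo=timezone.utc)
    return parse_cert_time(not_before) >= all_clear


def assess(not_before, all_clear_iso):
    """Turn the comparison into the advice a user actually needs."""
    if reissued_after(not_before, all_clear_iso):
        return "certificate reissued after the fix: safe to change your password"
    return "certificate predates the fix: wait for the site to reissue it"


def fetch_not_before(host, port=443, timeout=5):
    """Connect to the site and read the notBefore field of its certificate.
    Requires network access; everything above works offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    import sys

    # Usage: python heartbleed_cert_check.py example.com 2014-04-08
    host, all_clear = sys.argv[1], sys.argv[2]
    print(assess(fetch_not_before(host), all_clear))
```

The comparison is deliberately strict (on or after the all-clear date) because a certificate issued the day before the fix was announced could still have been created while the old key was exposed. A certificate that passes this check is a good sign, not a guarantee; it tells you nothing about whether your password was already read out before the patch, which is exactly why the post says to change it once the site is fixed.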
What sites have been affected?
The bug only affects a certain variant of OpenSSL, specifically the SSL/TLS variant. Unfortunately, that also happens to be one of the most commonly used variants of SSL on the Web. GitHub has put out a massive list of all of these affected sites. But if you don't want to pore through that extensive list, the password security company LastPass has set up a Heartbleed checker that will tell you whether or not a site is affected by Heartbleed simply by entering the website's address.
Here's the current status (as of April 10th, 2014) of some of the major websites that may, or may not, have been affected by Heartbleed:
E-mail: If you have an account with Google or Yahoo, you need to change your password on those sites now. This also extends to any Yahoo or Google-owned service, like YouTube and Tumblr.
Social Media: Facebook has been updated with the latest patch, so change your password on Facebook at once. At the moment, it appears that Twitter and LinkedIn were unaffected by Heartbleed, as they do not use the version of OpenSSL that was affected.
Banks and Brokerages: Thankfully, it seems that most of the major banks and firms like Chase, Wells Fargo, and Bank of America were not affected by Heartbleed. However, if you have an account with a smaller bank, you may want to check with them to see if they have updated their sites.
E-Commerce: Amazon.com was not affected by the Heartbleed bug, but anyone using the business-oriented Amazon Web Services such as Amazon EC2, Linux AMI, or CloudFront is advised to change their passwords. PayPal was also unaffected by the bug, but neither eBay nor Apple has reported whether or not they have been affected.
Dating Sites: If you have an account on OKCupid, you'll need to change your password. eHarmony may also have been affected, but it's unclear whether or not they have issued a patch at this time. Match.com was not affected.
Gaming: Bad news for gamers. Both Steam and Origin are still vulnerable to the Heartbleed bug, as are Nintendo and Sony services, so you will want to steer clear of those sites and online services until they have been patched. If you have an Xbox, however, you'll be relieved to know that Microsoft is unaffected by Heartbleed.
As more information about Heartbleed and the affected sites becomes available, we will let you know.