The Heartbleed bug is a defect in a Web infrastructure program that can make it easier for bad guys to steal your logins and passwords - and perhaps even your credit card or banking account information - at many websites. Fortunately, at this time, it appears not many people have gotten fleeced.
The bug actually has been around for more than two years, but it was only just discovered, independently, by security firm Codenomicon and Google researcher Neel Mehta. It was caused by a programmer who appears to have simply goofed. Since the bug was discovered, websites have been feverishly implementing fixes, trying to beat the crooks who might take advantage of it.
As always, when a major Internet vulnerability surfaces, some Internet security companies and journalists paint a scary picture. Such fear can be as bad or worse than the actual problem. There's no need to stop doing online shopping or banking, just as there's no need to stop driving if you hear about a major car recall.
What's affected?
The software in question is called OpenSSL. It's a free and widely used method of encrypting data, including passwords, typed into websites. “SSL” stands for Secure Sockets Layer. All websites that display addresses beginning with “https” use SSL, but only those that use certain versions of OpenSSL are affected by this bug.
Most banks and other financial institutions don't use OpenSSL, instead using proprietary encryption software. But some popular sites, such as Yahoo, were affected. Yahoo has announced it is making appropriate corrections.
What can you do?
First, here's what you shouldn't do. Don't rush off and change all of your passwords. If a particular website using an affected version of OpenSSL hasn't implemented a fix, this could make it even easier for a hacker to nab you.
Check with the websites you use to confirm they're secure, or use tests at sites such as Lastpass and Qualys to check whether specific sites are vulnerable.
In dealing with the Heartbleed bug - and for reducing your exposure to future vulnerabilities - take the following security safeguards:
- Use dual-factor authentication, sometimes called two-step verification, whenever possible. Dual-factor authentication requires you to provide, when gaining access, both a password and a second piece of information, such as the answer to a security question or a code that has been texted to you. Using dual-factor authentication is particularly important with sensitive sites such as banks, credit card companies, and investment companies. If you're already using it, you already have less exposure.
- Keep a close eye on credit card, bank account, and other financial statements. If you spot unfamiliar charges, investigate them.
- Change your passwords on a regular basis, and avoid using the same password at multiple sites. If you have trouble remembering your passwords, use a password management program such as Lastpass or KeePass.
- Use a strong password. Many websites require you to use a password that consists of at least eight characters made up of both letters and numbers, which makes it more difficult to crack. But many security experts recommend passwords include at least 12 characters and uppercase and lowercase letters as well as symbols. Avoid passwords that are grade-school simple to crack, such as "password," "12345678," or "abcd1234."
- Better yet, use a "passphrase." This is a short sentence that's easy to remember, not too difficult to type, and very difficult to crack, such as "Go forth 4 ever&more."