Last night we, like just about every other site on the Internet, published a story about the very large and dangerous OpenSSL security bug called Heartbleed. The bug leaves large portions of the Internet open to malicious hackers who could steal login credentials, credit card data, and encryption keys. Essentially, sites that thought they were protecting user data by encrypting it were not doing so, through no fault of their own, for over two years.
The potential for harm is that encrypted data and the crypto keys that unlock that data could have been stolen from servers. Your devices are not directly affected. However, software and services you use may connect to servers that could have been affected, exposing your data. The Heartbleed bug leaves no trace in server logs, so there is no way to look back and tell whether a website was exploited or not. New information today says that over 500,000 servers were affected.
A patch has been issued, but Internet users are being told to take precautions and change passwords, or be prepared to. There is an unofficial list of affected and unaffected sites posted on GitHub. There is also a site checker where you can enter a site's address to test whether it is affected or not.
Yahoo, OKCupid, Ars Technica, and Tumblr have notified users to take precautions and change passwords after patching their sites, although I personally have received no email from Yahoo.
What can you do to avoid Heartbleed?
- Scan the unofficial list for sites you may visit. It certainly isn’t an exhaustive list.
- Avoid logging on to affected sites until an all-clear has been posted.
- Contact businesses (such as banks) that you use, ask whether they are affected, and ask to be notified when things are clear again.
- Prepare to change your login credentials, but don't make changes until a site has been patched; a new password sent to an unpatched server could be stolen just like the old one. Give priority to email accounts and bank and financial accounts.
- If you're running the Chrome browser, install the Chromebleed Checker extension. It runs in the background and pops up an alert if a site you visit is affected. GottaBeMobile.com is not affected.
- Keep an eye on financial accounts over the next few weeks and watch for any unusual activity.
As always, take whatever precautions you feel are necessary. Stories like this typically unfold over a period of time, and we'll post updates as we have them. There is good reading on the Heartbleed bug, OpenSSL and more here and here.