MEGATech Guide to Heartbleed – What It Is, What It Did, and Why Now Is the Time to Change Your Passwords Dylan Duarte April 21, 2014 Guides The recent past has seen a startling amount of sites fall victim to security vulnerabilities. Unless youíre the most casual of Internet users, youíve experienced some or many of your regularly-visited websites suffer a breach of some sort that has exposed personal data ranging from your password to your credit card information. A password is easy enough to change; leaked credit card information is much more difficult to deal with. Regardless, these incidents are inconvenient at best. Up until now, theyíve been site-specific problems. When your LinkedIn account gets hacked, you know what information has been exposed. Same with Facebook, Sony, and others. But then, thereís the Heartbleed bug. Now is the Time If youíre reading this, you might be one of the many who donít take these sorts of incidents seriously and have slacked off on changing your passwords and maybe made the conscious decision that youíre just not going to worry about it. If this is the case, youíre lucky, because now is the time to do so. The Heartbleed bug was discovered around the beginning of the month and people understandably scrambled to change all of their exposed passwords. Unfortunately, changing a password before the bug was patched was a futile effort, because it left your new password just as vulnerable as your old. As of the time of this writing, Heartbleed is mostly fixed. The top 100 sites Ė which include Google, Facebook, Twitter, and YouTube Ė are good to go. Out of the thousands affected, a handful (okay, a big handful) remain vulnerable, but those vulnerabilities seem limited to more obscure websites. Now is the time to begin reinforcing all of your logins by applying different passwords to different websites. If the site supports two-factor authentication, you should do that too. These would include Dropbox and Google, among others. Itís a tedious process, we know. However, if your password security isnít up to snuff, itís something that could come back to bite you in a major way, especially since the existence of the Heartbleed bug became widespread public knowledge. It was like Halloween for hackers. Early estimations put as many as 500,000 websites being affected, so donít assume youíve escaped unscathed. What is Heartbleed I could get really deep into the technical specifications of Heartbleed, but for the sake of brevity, I wonít. You donít need to know the bug inside and out to address it. In short: SSL is a security system of sorts that provides an easy way to encrypt information. OpenSSL is a piece of software that makes it easy to implement SSL on a website. Heartbleed is a bug that exists in OpenSSL that allows hackers to access your personal information on websites that use the software. That means your usernames, passwords, and credit card information could all be available for the taking from multiple websites. Thereís an extension of OpenSSL that allows connections to remain open even when information isnít being pumped through. This extension gained the nickname Heartbeat, so naturally when it started leaking information, the nickname Heartbleed was quickly coined. While 500,000 is a big, scary number, not all websites are affected, because not all websites use OpenSSL. And even out of those that do, not all of them use the Heartbeat extension. For example, Paypal has a disclaimer on their homepage informing users that their passwords are secure and they donít require changing. On the other hand, websites that were affected, like Reddit, have posted warning blurbs alongside the login boxes. What Passwords Do I Change? Thatís the million dollar question and, fortunately for all of us, the Internet is full of people who just want to help. There are many tools available for finding out just which websites were affected. The tool Iíve been using comes from LastPass, a developer whose password manager Iíve used for some years now. The tool is simple enough: you just type a URL in the box and click the button to see if the site is vulnerable. LastPass’s†tool will give you detailed results, telling you if the site was affected, when it was acknowledged, and whether or not the site is safe now. Keep in mind that, although weíre unsure where LastPass is getting their information, that last bit of info may not be up-to-the-minute accurate. You can also try the Chromebleed extension for the Chrome browser, which displays a warning if the site you are browsing is or was affected by Heartbleed. The folks at Mashable have put together a list as well. Important note! Itís commonly advised that you keep a different password for every website you use, but a lot of people donít do this. If youíre one of these people, consider this: if a website you use hasnít been affected by the Heartbleed bug, but your password for that website is one you use on a site that has been affected by Heartbleed, youíre just as vulnerable. The only passwords you donít have to change are on sites that havenít been affected and on which you use a separate, exclusive password. Heartbleed is No Joke The ramifications of someone malicious getting your credit card information or even just your password are scary to think about, so take this type of security risk seriously. If you have to, change all your passwords over the course of a few days so itís not as much of a lengthy task, but you should do it all the same. Share This With The World!