Thursday, 1 May 2014

Internet Safety and The Heartbleed Bug

There’s been a huge amount of information recently about the Heartbleed Bug: what it is, what it means to you and how to stay safe online. However, personally I have found much of it to be quite confusing.

It would appear that I’m not alone in that, as although 64% of internet users have heard of the problem, only 61% of those have taken any action (The Wire, April 30 2014). 

Having been informed by reputable sources that Heartbleed is a virus (which it isn’t), or that you should IMMEDIATELY change all of your passwords (which in some cases could make matters worse for you), along with conflicting versions of each, let alone that this is the end of the internet as we know it, I decided to try to simplify the important facts. So read on.

In essence, Heartbleed is a recently discovered, two-year-old fault in the widely used OpenSSL software. When this software defect is exploited, the attacker can retrieve memory from remote systems such as Yahoo, Instagram and the Canadian Revenue Agency (where an attacker has been caught after stealing 900 taxpayer details).

Are you affected by Heartbleed? (from Heartbleed.com)
‘You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet.

Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions.

You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.’

A practical example of how people have been affected is this (Forbes, 17th April 2014): ‘Mumsnet posted an article outlining how the attacker was able to log in as the founder of Mumsnet, Justine Roberts after using Heartbleed to steal her username and password. This demonstrates practically how Heartbleed could cause damage after many of the debates between experts last week.’

So what action should you take to stay safe online?

Your passwords for certain organisations/providers may have been stolen.  But if the organisation/provider has not yet patched the fault, you will be more likely to lose your details in the event of an attack.  You should be informed by your provider if there is any need to change your password. 

This has created a wealth of confusing and contradictory advice as to what to do, so I suggest you read the article below and take action.

On Mashable – The Heartbleed Hit List – the Passwords you Need to Change Right Now

Further Reading:
Avoid Heartbleed Hype
Password Best Practices
