As if the end of support for Windows XP weren't enough of a technology headache for one week, a newly discovered security bug named Heartbleed is causing people and businesses to worry about their online security.
A Google researcher and an independent Finnish security firm discovered the bug in a type of software called OpenSSL, which is used by approximately two-thirds of servers to encrypt sensitive information. Even though the issue was discovered earlier this month, the problem has been in place since March 2012.
The name of the bug stems from its exploitation of the security protocol's “heartbeat” extension, which keeps the connection between the client and server alive. The bug can cause small packets of information passing through the server to be decrypted and viewed by a third party.
What does this mean for you?
The Heartbleed bug could allow hackers and other ne'er-do-wells to access information on servers that should be encrypted. In theory, information passing through a very large number of websites could be vulnerable, including emails, instant messages, documents, passwords and credit card information. No one is really sure at this point how long, or even if, hackers have been accessing information on affected servers.
The fix is simple, but not
Fixing the Heartbleed vulnerability is easy, but it isn't exactly simple. First, the websites hosted on servers affected by the Heartbleed bug need to be updated to patch the vulnerability. The patch will prevent hackers from accessing any new data passing through the server, but it won't prevent hackers from using the information they already possess. In order to prevent further issues, you need to change your password for any affected sites as well.
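For an administrator checking whether a server still needs the patch the article describes, a first triage is to look at the OpenSSL version string the server reports. The script below is an added example, not code from the article or from the OpenSSL project; it assumes the publicly documented affected range (OpenSSL 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, the 1.0.0 and 0.9.8 branches unaffected) and uses constructed sample version strings.

```python
import re
import ssl
from typing import Optional, Tuple

# Assumed affected range (a fact about the bug, not taken from the article):
# OpenSSL 1.0.1 (no letter) and 1.0.1a-1.0.1f are vulnerable; 1.0.1g fixed it;
# 1.0.0 and 0.9.8 never contained the heartbeat handling that leaks memory.
VULNERABLE_LETTERS = "abcdef"

# Matches the leading part of a banner such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse an OpenSSL version banner into (major, minor, fix, letter).

    Returns None when the string does not look like an OpenSSL banner.
    """
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_vulnerable(banner: str) -> Optional[bool]:
    """True for a known-vulnerable 1.0.1 build, False for 1.0.1g+ or another
    branch, None if the banner cannot be parsed.

    Caveat: distributions often backport the fix while keeping the old version
    string (for example a patched build still reporting 1.0.1e), so a True here
    means "needs confirmation", not proof that the server is unpatched.
    Pre-release builds such as 1.0.2-beta1 are not modelled by this check.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False  # other branches are outside the affected range
    # 1.0.1 with no letter, or letters a-f, are vulnerable; g and later are fixed.
    return letter == "" or letter in VULNERABLE_LETTERS


def check_local_openssl() -> Optional[bool]:
    """Apply the same test to the OpenSSL library Python itself is linked against."""
    return is_heartbleed_vulnerable(ssl.OPENSSL_VERSION)


# Constructed sample banners of the kind seen in server headers or `openssl version` output.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "some unrelated string",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: {is_heartbleed_vulnerable(banner)}")
    print(f"local library {ssl.OPENSSL_VERSION!r}: {check_local_openssl()}")
```

Treat a True result as a prompt to confirm with the vendor's security advisory or a dedicated scanner such as the services the article links to, since backported fixes make the version string alone an unreliable verdict.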
Don't change your passwords yet
While your first instinct might be to immediately change all of your passwords, it's not a good idea yet. After all, changing a password for a site hosted on an affected server still serves up your information to anyone illegally accessing the server's information. You can go to https://filippo.io/Heartbleed or https://www.ssllabs.com/ssltest to check if a particular site has patched the vulnerability. Once the problem is patched, then you should change your password.
Alternatively, you will probably receive an email from any affected websites informing you that the vulnerability has been patched and requesting (or, in some cases, requiring) you to change your password.
Increasing your security
First, change the passwords on any sites that have been updated to patch the Heartbleed bug vulnerability.
Second, resist the temptation to use the same password for every site. In fact, it's best if you have different passwords for each and every site you use.
Third, rather than trying to remember dozens of different passwords, use a password manager. A password manager can not only remember and autofill your passwords for every website you use, it can generate unique and extremely strong passwords for you.
Finally, if a website, such as Google, allows you to use a “two-step” sign-in process, you should opt in. Two-step sign-in processes are, as you might guess, much stronger than the traditional log-in methods used by many sites.
So now that you know Heartbleed exists and what it can do, try not to panic. It certainly isn't the end of the world. Just take the suggested security precautions and change your passwords once the vulnerability is removed. Additionally, you may want to keep an eye on bank accounts and any websites that contain any sensitive information.
Casey L. Sipe is an attorney with Scaringi & Scaringi PC in Harrisburg, where he specializes in employment law and civil litigation. Email him at firstname.lastname@example.org.