There's a good chance you have heard of Heartbleed. It has, after all, been causing the internet a great deal of heartache. This security cock-up has left a great portion of internet information unsecured.
On April 7, a fixed version of OpenSSL, which is where the issue lies, was released to seal up the security hole. It was also the time the issue was publicly disclosed and the full extent of the damage began to emerge.
Because the vulnerability is a problem at an internet level, Heartbleed has left vast swathes of private internet data prime for the pickings. Essentially the security keys used to keep your password and names you use to keep your data safe could be compromised by anyone with the know-how.
Large numbers of websites have been affected, including some of the biggest on the internet. So here's our guide to what Heartbleed is and how to protect against it.
Can I catch Heartbleed?
No, even if you frequent some especially dark corners of the internet. Although widely reported as a virus or hack, Heartbleed is actually a vulnerability. Imagine the internet is a castle and SSL/TLS encryption is a part of the wall and moat around it used to keep out invaders. A mistake by a German software programmer basically left a small door open in the wall for invaders to get in.
Should I be concerned?
Yes and no. Heartbleed makes it possible for people to extract sensitive data such as your name and password information thereby allowing them to impersonate you. It also means your personal internet life is open to other viewers, including (potentially) your bank account or credit card numbers.
A number of websites have already patched the OpenSSL vulnerability, but that is only half of the problem. You see, if somebody has managed to sneak into the internet castle through the aforementioned small door and has seen your password, no amount of security updates to a website will change that fact (unless the website forces a password reset, of course).
What precautions should I take?
Website Mashable created a usefulHeartbleed Hitlist. The list shows a number of the affected websites and the actions you need to take to be safe. The list is US-centric but it covers most of the major bases.
At worst you will need to reset your password so that anyone who knows your old password is no longer able to access your information. Facebook, for instance, requires a password change. Instagram, Twitter and Pinterest were also affected, while LinkedIn was okay because it never used 'the offending implementation of OpenSSL'. Some companies, such as Google, have advised a password change just to be on the safe side.
We would suggest you change any password where you have been advised to do so. It's a hassle, granted, but the alternative is somebody pretending to be you for criminal reasons.
There is, of course, little point in changing your password if the website involved is still yet to patch the problem. You will need to wait for confirmation before proceeding in this instance.
Can I safeguard against future vulnerabilities?
Technically when a software programming error or bug hands 'hackers' the keys to personal data there is little you can do. But you can at least limit the damage by having different passwords for every internet service you use. If your password is the same for everything it only takes one password leak for you to be vulnerable.
Use multiple passwords and consider changing them every few months or so. Avoid storing passwords and/or sensitive data on a device without a passcode, just in case you lose the device or it gets stolen.
A number of websites use two-step authentication. Google, for instance, requires you to enter your email address and password and then a six-digit passcode that is texted to you. Access is only granted if you have the two steps of authentication. This will make you more secure.
You could also use any tool that allows you to logout of any and all devices, Facebook being one example. This will force you and anyone else to re-login, which will require your new password. Therefore, anyone who shouldn't be looking will be locked out.
Anything else?
Most websites (affected or not) will have an official webpage, email or statement out there for the benefit of their users. A quick Google should bring up the spiel you need and any specific advice you should undertake to be safe.
More information on the complexities of Heartbleed can be found on the official Heartbleed website.
On April 7, a fixed version of OpenSSL, which is where the issue lies, was released to seal up the security hole. It was also the time the issue was publicly disclosed and the full extent of the damage began to emerge.
Because the vulnerability is a problem at an internet level, Heartbleed has left vast swathes of private internet data prime for the pickings. Essentially the security keys used to keep your password and names you use to keep your data safe could be compromised by anyone with the know-how.
Large numbers of websites have been affected, including some of the biggest on the internet. So here's our guide to what Heartbleed is and how to protect against it.
Can I catch Heartbleed?
No, even if you frequent some especially dark corners of the internet. Although widely reported as a virus or hack, Heartbleed is actually a vulnerability. Imagine the internet is a castle and SSL/TLS encryption is a part of the wall and moat around it used to keep out invaders. A mistake by a German software programmer basically left a small door open in the wall for invaders to get in.
Should I be concerned?
Yes and no. Heartbleed makes it possible for people to extract sensitive data such as your name and password information thereby allowing them to impersonate you. It also means your personal internet life is open to other viewers, including (potentially) your bank account or credit card numbers.
A number of websites have already patched the OpenSSL vulnerability, but that is only half of the problem. You see, if somebody has managed to sneak into the internet castle through the aforementioned small door and has seen your password, no amount of security updates to a website will change that fact (unless the website forces a password reset, of course).
© stock.xchng
What precautions should I take?
Website Mashable created a usefulHeartbleed Hitlist. The list shows a number of the affected websites and the actions you need to take to be safe. The list is US-centric but it covers most of the major bases.
At worst you will need to reset your password so that anyone who knows your old password is no longer able to access your information. Facebook, for instance, requires a password change. Instagram, Twitter and Pinterest were also affected, while LinkedIn was okay because it never used 'the offending implementation of OpenSSL'. Some companies, such as Google, have advised a password change just to be on the safe side.
We would suggest you change any password where you have been advised to do so. It's a hassle, granted, but the alternative is somebody pretending to be you for criminal reasons.
There is, of course, little point in changing your password if the website involved is still yet to patch the problem. You will need to wait for confirmation before proceeding in this instance.
© Rex Features / Mood Board
Can I safeguard against future vulnerabilities?
Technically when a software programming error or bug hands 'hackers' the keys to personal data there is little you can do. But you can at least limit the damage by having different passwords for every internet service you use. If your password is the same for everything it only takes one password leak for you to be vulnerable.
Use multiple passwords and consider changing them every few months or so. Avoid storing passwords and/or sensitive data on a device without a passcode, just in case you lose the device or it gets stolen.
A number of websites use two-step authentication. Google, for instance, requires you to enter your email address and password and then a six-digit passcode that is texted to you. Access is only granted if you have the two steps of authentication. This will make you more secure.
You could also use any tool that allows you to logout of any and all devices, Facebook being one example. This will force you and anyone else to re-login, which will require your new password. Therefore, anyone who shouldn't be looking will be locked out.
Anything else?
Most websites (affected or not) will have an official webpage, email or statement out there for the benefit of their users. A quick Google should bring up the spiel you need and any specific advice you should undertake to be safe.
More information on the complexities of Heartbleed can be found on the official Heartbleed website.