Monday, April 14, 2014

The New Home Security Threat (Heartbleed) and What You Should Do

When you use a secure web site, the URL starts with https://. The "s" stands for secure. When you correspond with this kind of site, your browser and the site's software cooperate to send and receive your messages in an "encrypted" format. In theory, only you (i.e., your computer) and the receiving web server can "read" what you have sent. This protects your message from being intercepted on its way from your computer to the target web server. (Did you know that your message bounces from one server to another before finally reaching its target? I've seen my messages go back and forth between the coasts, north and south, then Chicago, then Atlanta, and so on before reaching their final destination. Both the transmitted signal and the intermediate servers are points where your message could be read and your identity stolen.)

The Heartbleed security flaw is making news because the defect is in OpenSSL, the software that performs the "s" function, and it potentially allows messages to be intercepted and read, and all the information on a server to be harvested, by criminals or governments. This is (or was) a serious issue that probably affects everyone who is reading this.

The best information I can find instructing you on what you should do is this:
  • Understand that every site that uses https:// has potentially been compromised, though not all of them actually were.
  • Understand that network-oriented hardware of every kind, from routers to smartphones, can also be affected, though not every device is.
  • The affected sites and manufacturers must identify the impact, update the OpenSSL software to plug the hole, and reissue new "certificates." Without new certificates, even a site running the fixed software remains exposed, because the old certificate's private key may already have been stolen.
  • Once the new certificates are issued, the affected sites and companies should notify you to change your password. (If you are very concerned about a site or company, you can change your password now, even before a new certificate is issued. However, when the new certificate is issued, you will need to change your password again.)
If you are interested in more information, google "Heartbleed"; you will get well over a million hits. One of the best sources of information in "non-techie" language is Kim Komando. She has a Saturday radio program, and I subscribe to her web site and blogs. She has a great article. Unfortunately, you have to click through several pages to get the whole article, which can be confusing, so I am making a plug for Kim Komando's site. To make it easier for you to read the article, it is copied below so that everyone will be able to navigate it. I have edited it to remove some information not particularly germane to this entry. Go to her website for the complete article.


Kim Komando's Article (with some info on password managers removed):
In case you missed it, the big news of the week is the “Heartbleed” bug that’s been exposing sensitive information on two-thirds of the websites on the Internet for the last two years. Yes, it’s as bad as it sounds. Earlier in the week, I wrote a tip describing how Heartbleed works and how to stay safe.  If you missed it, click here to read it. However, I’ve gotten lots of questions asking for more detail on a specific suggestion I made for staying safe. So, here it is, in more detail. And this advice isn’t just for Heartbleed; every computer user needs to know how to do this one thing. I am, of course, talking about the right way to change your online passwords. Even if you think you know how, read on to make sure you aren’t missing an important step.
Controversy: There is still some debate about when you should change your online passwords in response to Heartbleed. If you change a password before Heartbleed is fixed on a site, hackers can get your new password and you’ll have to change it again. On the other hand, hackers might already have your information and could use it at any moment if you don’t change your password. So, it’s really up to you how you want to proceed. I think changing your password immediately is better, but I understand it makes things more difficult. Let’s be honest; Heartbleed is a very difficult problem, for all of us. Fortunately, most of the major sites have updated their servers at this point, so it should be fine to change your passwords. Click here to see which major sites were affected. For smaller sites, you can check to see if they’re still a threat with these sites.
I recommend the following process for dealing with Heartbleed:
1. CREATE A LIST OF SITES
2. PRIORITIZE
3. MAKE NEW PASSWORDS
4. CHANGE YOUR PASSWORDS
5. AVOID SCAMS

1. CREATE A LIST OF SITES
Start with a list of the websites where you have accounts. This is probably going to be a long list, but it can’t be helped.

2. PRIORITIZE
Find out which sites Heartbleed affected from this list. That list sticks mostly to major sites, so for smaller sites use these tools to see if Heartbleed is still a problem. Move the most sensitive sites, like email and social media, to the top of the list and work your way down to the least important.
Note: Major bank sites didn’t have a problem with Heartbleed. However, if you used the same password for other accounts as you did for your banking account, you need to change that as well. (Editor's note (DGL): I question this. I will create other blog entries that demonstrate that some major banks do have a problem, if not in the software itself, then in their hardware.)

3. MAKE NEW PASSWORDS
If you’re changing your passwords, obviously you need to make new ones. Be sure they’re strong and unique for every site. Click here for my steps to creating strong, unique passwords that are easy to remember.
Bonus tip: Don’t forget to beef up your security questions while you’re at it.

4. CHANGE YOUR PASSWORDS
Visit the first site on your list and log in to your account like you normally would. The option to change your password is usually under the Profile or Settings section. If you don’t remember your password or are having trouble finding where to change it, click the “Forgot password” link. This is usually near the sign-in area and will eventually land you on the page to set a new password.
Bonus tip: If the site is one you haven’t used in a while, think about whether you actually need an account. If you don’t, close out your account or replace your information with junk information. A site like AccountKiller will tell you how to close your account on most major websites. Once you’ve changed a password, cross that account off your list and move on to the next one. Once you’re done, keep the list handy for reference in case a site you might have forgotten pops into your head later. You can check to see if you already hit it.

5. AVOID SCAMS
Warning: Scammers
Scammers are going to use this Heartbleed situation to try and trick you. Lots of real sites are sending out email asking you to change your password. Scammers are going to try slipping some fake email into your inbox as well. The ironclad rule is to never click on an email link to change your password (or for any other reason in an unsolicited email). Always go to the site yourself and follow the directions I gave above. Links in fake email will take you to malicious sites, or a page that looks like the legitimate site’s login page. If you put in your password, hackers will have full access to your real account. So, be careful. Want the latest on the Heartbleed virus and other new threats? Be sure to visit my blog regularly.
