Heartbleed - what you need to know

heartbleedThe Heartbleed security scare made it into the public eye simply because of the scale, with nearly two-thirds of sites effected. But what is Heartbleed, why should you care and what can you do to protect yourself?

Whenever you visit a 'secure' website, such as a bank or shopping site you may have noticed a padlock in the address bar. This signifies that the site uses a technology called SSL (Secure Socket Layers) to encrypt the information between you and the website. There are various companies that provide SSL technology, one of which is known as OpenSSL. Two years ago a vulnerability was discovered that may allow a hacker to intercept information between you and the website, allowing them to steal usernames and passwords. As many people often use the same username/password combination this meant that not only were they vulnerable on the site they were visiting, but on every other site as well! Imagine that you use the same details for Amazon, eBay, PayPal and Tesco - a thief could steal your details from one site and go on a shopping spree with the others.

Why was it called Heartbleed?

The area that was affected by the hack was known as 'Heartbeat', so when the hack was discovered it was nicknamed HeartBleed.

What happened when it was discovered?

When it became public around March 2014 most sites immediately patched their servers, partially resolving the issue. However, anyone that had not changed their password (for any sites using the same combination) was still vulnerable. There are still hundreds of thousands of websites out there that remain unpatched. 

What can you do to protect yourself?

Firstly, you need to know the extent of the problem. You can check a website to see if it is currently affected here: https://filippo.io/Heartbleed/ but that won't tell you if it was affected in the past.

If a site has been patched then change your password immediately. If the same password is used elsewhere then change it in all places.

If a site has not yet been patched there is no point in changing your password as hackers could still be monitoring, but again check other sites that you have the same combination on and change them - at least they will be unaffected if a hacker runs rife.

lastpass

Finally, get yourself a good password management system. Lastpass.com is one such system, and is free (with paid options), and allows you to automatically create and store long and hard to crack passwords which will be unique to each site. You only ever have to remember one password, as once you log into the browser-based software it'll help you log into every other site with a simple right-click on the username field!

 

Print Email