Many people have heard of Heartbleed by now – the newly-revealed bug which is freaking everyone out.
For once, this freakout is NOT hyperbole. Heartbleed is very, very, VERY bad. World-renowned security expert Bruce Schneier says:
“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable, including my own.
How can you protect yourself?
First, it’s not as easy as just changing your passwords ASAP. (I thought this was the thing to do at first – I was wrong.)
The problem is that Heartbleed is still out there: until a website installs the fix, it is vulnerable. Changing your password on a still-vulnerable site can make things worse than doing nothing, because the new password passes through the same leaky server as the old one and can be stolen just the same.
So here is what to do:
1 – Check to see if a particular website is vulnerable or not – use this useful tool: http://filippo.io/Heartbleed
(I just checked Facebook, Twitter, Amazon, Google, Tumblr, Dropbox, Skype and they are all ok. Think of sites where you have to log in, or smaller ecommerce sites, or your webhosting company, or that site where you comment in the forums, etc, etc…)
2a – If a site is OK, then go ahead and change your password. YOU NEED TO CHANGE YOUR PASSWORD – DO IT. Make it unique to this site – don’t use it anywhere else. See below for some password tips.
2b – If a site is vulnerable, then DON’T EVEN VISIT the site, and ESPECIALLY don’t change your password. Anything you type into a vulnerable site risks being stolen. So stay away until it has been patched.
3 – If a site comes up as vulnerable, and you use the password for that site on other websites too, then CHANGE YOUR PASSWORD ON ALL THE OTHER SITES – provided they are safe. Same rules apply – make your passwords unique for each site.
4 – Turn on two-factor authentication (i.e. mobile phone verification, or similar) for any sites that offer it. If logging in requires a one-time code as well as your password, a stolen password on its own is much less useful to someone else.
First rule is: all passwords should be unique. Don’t reuse a password on any other site.
Yes, I know – this is a real pain. I’m as guilty of this as anyone – I only had a few passwords, because otherwise I couldn’t remember them. But things like Heartbleed show why this really is very dangerous.
So, some strategies:
1 – Think of passphrases – several words put together. Add some numbers in, too – maybe some punctuation and capitals. These are much harder to crack, but also easier to remember than some random sequence of letters and numbers. xkcd explains why.
2 – To help remember passwords, consider having a theme, and varying the contents according to this theme. This means each password is unique, but not completely random.
For example, some passwords could be:
etc. (Don’t actually use these.)
WARNING: While this approach is effective against automated attacks, it may leave you vulnerable to a real person who manages to get hold of one password, works out your theme and hacks your password the old-fashioned way – by guessing. So don’t use it for anything really critical.
3 – Have different themes for different types of site. So don’t use the same ideas for social media as for online banking. At least this way if someone gets into your Facebook, they can’t get into your bank accounts…
4 – Again, two-factor authentication – turn it on. Really. Do it. Google, Facebook, Dropbox all offer it – and lots more are starting to. It’s much, much safer.
Ok, that’s about it. I hope this helped.
Why is Heartbleed dangerous?
Some geeky stuff now. The bug known as Heartbleed (CVE-2014-0160) is a flaw in OpenSSL, a very widely used open-source library that implements the SSL/TLS protocol behind the little “https” you see in front of a lot of web addresses. OpenSSL’s handling of the TLS “heartbeat” message trusted the length the sender wrote inside the message and never checked it against how much data had actually arrived, so a tiny request claiming to be much bigger got answered with whatever else happened to be sitting in memory after it.
The bug allows someone to read what’s in the memory (RAM) of a vulnerable server, up to 64 KB at a time (the length field is 16 bits, so at most 65,535 bytes per request). That’s not a lot, but an attacker can do it again and again and again, and because a heartbeat is a normal part of the connection, nothing about it appears in the server’s ordinary logs. So it’s possible to build up a lot of data very quickly, without giving any indication it’s happened.
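To make the mechanism concrete, here is an added example (it is not OpenSSL’s code, and the memory layout, the `stage_request` helper and the “secret” string are all constructed for illustration): a simplified heartbeat handler written the way the vulnerable OpenSSL one behaved, next to one that applies the kind of bounds check the fix added. The “server memory” is a small array; the bytes after the heartbeat record stand in for whatever else happened to be next to it, such as someone’s login form.

```c
/* Added example, not OpenSSL's code: a model of the TLS heartbeat bug
 * (CVE-2014-0160). All buffers and data here are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   256        /* stand-in for "server memory"            */
#define HB_REQUEST 1          /* heartbeat message type (RFC 6520)       */
#define HB_PADDING 16         /* minimum padding after the payload       */
#define HB_HEADER  3          /* type(1) + payload_length(2, big-endian) */

/* Constructed server memory: the heartbeat record sits at the start,
 * followed by unrelated data that a real server would also hold. */
static unsigned char server_memory[MEM_SIZE];

/* Place a heartbeat request with the given *claimed* payload length at
 * the start of memory and put `secret` right after the real record.
 * Returns the record's true length, which the TLS layer knows. */
static size_t stage_request(const char *payload, uint16_t claimed_len,
                            const char *secret)
{
    size_t real_payload = strlen(payload);
    size_t record_len = HB_HEADER + real_payload + HB_PADDING;
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_memory + HB_HEADER, payload, real_payload);
    memcpy(server_memory + record_len, secret, strlen(secret));
    return record_len;
}

/* Vulnerable handler: copies as many bytes as the message *claims*,
 * never consulting the record length. Returns bytes copied or -1. */
static int heartbeat_vulnerable(size_t record_len, unsigned char *out,
                                size_t out_cap)
{
    (void)record_len;                 /* the bug: real length is ignored */
    const unsigned char *p = server_memory;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    /* Keep the model inside its array; a real server reads on regardless. */
    if (payload_len > out_cap || HB_HEADER + payload_len > MEM_SIZE) return -1;
    memcpy(out, p + HB_HEADER, payload_len);   /* over-read past the record */
    return payload_len;
}

/* Fixed handler: the claimed payload plus header and padding must fit
 * inside the record that actually arrived, otherwise discard silently. */
static int heartbeat_fixed(size_t record_len, unsigned char *out,
                           size_t out_cap)
{
    const unsigned char *p = server_memory;
    if (record_len < HB_HEADER + HB_PADDING) return -1;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > record_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, p + HB_HEADER, payload_len);
    return payload_len;
}

/* 1 if the reply bytes contain `secret`, else 0. */
static int leaked(const unsigned char *out, int n, const char *secret)
{
    size_t slen = strlen(secret);
    if (n < 0 || (size_t)n < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

/* Run one scenario: a 4-byte "ping" payload with the given claimed
 * length. Returns -1 if rejected, 1 if the reply leaked the secret, 0 if not. */
static int scenario(int use_fixed, uint16_t claimed_len)
{
    const char *secret = "user=alice&password=hunter2";   /* constructed */
    unsigned char out[MEM_SIZE];
    size_t rl = stage_request("ping", claimed_len, secret);
    int n = use_fixed ? heartbeat_fixed(rl, out, sizeof out)
                      : heartbeat_vulnerable(rl, out, sizeof out);
    return n < 0 ? -1 : leaked(out, n, secret);
}

int main(void)
{
    printf("honest request, vulnerable server: leaked=%d\n", scenario(0, 4));
    printf("claims 200 bytes, vulnerable server: leaked=%d\n", scenario(0, 200));
    printf("claims 200 bytes, fixed server: %d (rejected)\n", scenario(1, 200));
    return 0;
}
```

The honest request gets its four bytes back from either handler. The malicious one, which sends four bytes but claims 200, gets 200 bytes back from the vulnerable handler, and the constructed login data sitting after the record comes along with them; the fixed handler notices that 200 bytes of payload cannot fit in a 23-byte record and drops the message. On a real server the claimed length can go up to 65,535, and what follows the record is whatever the server was holding at the time.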
Why is this a problem? When you log in to a website, your username and password will be in the site server’s memory – BAM, that’s your account compromised. You enter your personal details, address, mother’s maiden name, etc – BAM, that’s your identity compromised. You enter your credit card details – BAM, that’s your card cloned. You buy that awful goat pornography – BAM, that’s your public image down the pan. Worse still, the server’s own private key (the one behind its https certificate) can be sitting in that memory too, and with it an attacker can impersonate the site or decrypt traffic they recorded earlier. That is why a site that has patched also needs to replace its certificate before it is really safe again.
And so on.
Heartbleed has just come to light, but that doesn’t mean hackers haven’t known about it for a while. And as Schneier says, this will have been a godsend for intelligence agencies around the world.