Heartbleed – What you need to know, what you need to do.

In the last few days, the buzz on the net has been all about Heartbleed, a serious vulnerability in sites we have all trusted and thought to be secure. Heartbleed is not a typical virus that your antivirus software can catch; it is a security flaw that has been affecting OpenSSL web servers, unnoticed, since March of 2012. The fix for the bug was released on April 7th, 2014.

First question, what is OpenSSL?

We are familiar with SSL/TLS (Secure Sockets Layer and Transport Layer Security) from setting up our emails and from using secure websites with the “https://” prefix. OpenSSL is an open source implementation of these protocols, and all are used to secure your information as it is transmitted over the web. Heartbleed allows cybercriminals to see the memory of the affected sites and read the information you enter, including passwords.

Wait, are open source programs safe?

Yes, open source programs are used widely and safely. Some even say that because the developers of open source software are aware of potential criticism they strive to make their programs safer and easier to use than proprietary software. The Heartbleed bug was caused by a programming error that was fixed as soon as it was caught. The same thing happens in proprietary software and those developers react the same way, quickly and efficiently.

Who is affected?

Everyone can be, either directly or indirectly, as the bug allows hackers to impersonate a site and collect a user’s information. Social media, email and commerce sites can all leave your information vulnerable. The list of sites that are affected is constantly being updated as the teams at places such as Instagram, Yahoo and Google quickly install the update and plug the hole.

For Canadians, the most noticeable site to take action to protect against Heartbleed is Revenue Canada. The CRA shut down access to its online services on April 9th and will reopen when they deem it safe to do so. This does not mean that your information is at risk; the CRA itself is NOT affected by Heartbleed. They are taking precautions because some third-party software programs have been affected. Revenue Canada has taken a preventative stand, as opposed to the IRS, which is leaving the responsibility in the hands of the taxpayer to protect their information.

What do I do now?

It is estimated that 66% of websites use OpenSSL. Most of these will never affect you or anyone you know. While you are always reminded to change your passwords on a regular basis, right this minute may not be the ideal time. You first need to make sure the site has updated and is no longer vulnerable. There are sites that can let you know if a site is considered vulnerable or not. Then change all your passwords. Remember, don’t use the same password for multiple sites, and make sure you are creating secure passwords using a combination of letters, numbers and symbols.

If in doubt, call us. Evident IT is always here to help.