What is Heart Bleed & why do I care?
Heart Bleed is a major bug in the software that secures most of the Internet. Whether you’ve heard of it or not, it affects some of the websites you visit most and trust with valuable information. Facebook, Google, Instagram, and Yahoo! are just a few of the companies which have reported patching their software to address Heart Bleed.
How does Heart Bleed work? The xkcd web comic provides a good illustration; essentially, by crafting a special sort of request to a web server, an attacker can cause the server to inadvertently reveal private data. That data could be almost anything: text, user data, or—most worrisome—the “keys” that ensure your connection to a website is secure. With these keys in hand, an attacker can pretend to be a service you trust and intercept your information as you send it over the web.
What Should You Do?
That’s all very scary, but what should you do to protect yourself from Heart Bleed? There are a few good guidelines which you should follow in any case, but particularly now that such a major vulnerability has affected so many websites.
First of all, you should reset your passwords on sites affected by Heart Bleed. Mashable has a good list of popular starting places, but if you receive email notifications from other sites then heed their warnings. There’s no point in resetting a password if the site is still susceptible to Heart Bleed, however, so it’s worth waiting until you know the website has patched their software. Curious if a site is still exposed? Security company LastPass has a Heart Bleed checker which you can use.
Secondly, while you go about resetting passwords and creating new ones, refrain from reusing passwords across important accounts. Why? If one site has a data breach and gives up your password, attackers can then use that password elsewhere to get to more sensitive data. So if I use my email and password on silly-game-site.com and they accidentally expose my user credentials, attackers know to try my email provider and other major services (e.g. Facebook) using the same combination. When you reuse a password, all of your accounts are only as secure as the weakest one.
Passwords aren’t the only form of protection available on the web. Many sites, including virtually all of the ones named in the first paragraph of this post, support two-factor authentication. Essentially, once you’ve activated two-factor authentication, you receive a text message with a secret code after submitting your password but before you’re allowed in. Since an attacker may know your password, but not be able to read the text message, your account is much more secure. LifeHacker has a great guide on setting up two-factor authentication on several popular services.
Even if you don’t think an account has valuable information, it’s worth not letting it fall into the wrong hands. Attackers can use your email accounts to send out spam to your contacts, take out loans using your bank account, or sign up for credit cards in your name with your social security number. Just a few pieces of personal information can be used to impersonate you online or steal your identity. Impostors can do irreparable harm, damaging everything from your credit score to your reputation. If you take your personal information seriously then you should be careful which services you trust, use strong password practices, and react quickly when data breaches or bugs like Heart Bleed occur.
Mashable has another good post explaining why Heart Bleed is a nightmare and should be taken seriously. The Heart Bleed website has technical details for those interested in what exactly it is and which versions of the OpenSSL software it affects.
We here at Chesapeake happen to run server software which isn’t vulnerable to the Heart Bleed bug, but we have also proactively contacted the third-party sites which host some of our services (such as Canvas and MyCampus) to ensure that they’re taking the necessary steps to protect your privacy.