Heartbleed Bug Aftermath: How You Can Protect Your Online Accounts
Bruce Schneier, a well-respected expert in the online security industry, discussed the Heartbleed bug on his blog and described the devastating effects of the newly discovered security hole as, “On the scale of 1 to 10, this is an 11.” Sadly, Schneier was not exaggerating. The extent of the security threat is huge. Netcraft estimates that the bug affects roughly half a million websites, including Dropbox, Facebook, Google, and Yahoo.
What Is the Heartbleed Bug and Why Is It a Cause for Concern
First publicized on April 7, 2014, Heartbleed is a flaw in OpenSSL, a coding error that may have been introduced inadvertently by the developers of OpenSSL. It has existed since December 2011.
SSL (Secure Sockets Layer) is the encryption protocol used to secure the data transmitted between the browser and the Web server. OpenSSL is the open-source implementation of SSL and TLS (Transport Layer Security). Popular among web administrators, OpenSSL can be found running on 66 percent of the web.
The Heartbleed bug wreaks havoc by allowing a remote attacker to read the Web server’s memory, which can include the private encryption keys. This means the attacker can simply lift data that was supposed to have been secured by the SSL/TLS encryption protocols. According to Codenomicon, the Finland-based software security company that first discovered the bug while working with a Google researcher, Heartbleed can leak usernames and passwords, files, instant messages, and email messages.
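As an added illustration (not from the original article or from OpenSSL itself), here is a small C model of why the bug leaks memory: a TLS heartbeat request carries a payload_length field, and the vulnerable code copied that many bytes into its reply without checking that the request really was that long, so the reply carried whatever lay next in memory; the fixed handler adds the missing length check. The server_memory arena and its contents are constructed sample data.

```c
/* Added educational model of the Heartbleed flaw, not OpenSSL's own code.
 * A TLS heartbeat record (RFC 6520): 1-byte type, 2-byte payload_length,
 * payload, then at least 16 bytes of padding. The vulnerable handler trusted
 * payload_length; the fixed one checks it against what was really received. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_RESPONSE 2
#define PADDING_MIN 16
/* Constructed arena: header (type 1, payload_length 0x0020 = 32), the real
 * 2-byte payload "hi", 16 padding bytes, then data modelling other
 * connections' secrets. Only the first 21 bytes were actually received. */
unsigned char server_memory[64] =
    "\x01\x00\x20" "hi" "PPPPPPPPPPPPPPPP" "password=hunter2secret-key-bytes";
const size_t received_len = 3 + 2 + PADDING_MIN;

static uint16_t read_u16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable: copies payload_length bytes without consulting rec_len.
 * Returns the response length, or 0 if the request was rejected. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap) {
    (void)rec_len;                          /* the bug: never checked */
    uint16_t payload_len = read_u16(rec + 1);
    if ((size_t)3 + payload_len > resp_cap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);  /* reads past the record */
    return 3 + payload_len;
}
/* Fixed: the shape of check the OpenSSL patch added. Header, claimed payload
 * and minimum padding must fit inside the received bytes, else discard. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap) {
    if (rec_len < 1 + 2 + PADDING_MIN) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    if ((size_t)1 + 2 + payload_len + PADDING_MIN > rec_len) return 0;
    if ((size_t)3 + payload_len > resp_cap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);
    return 3 + payload_len;
}
int main(void) {
    unsigned char out[128];
    size_t n = heartbeat_vulnerable(server_memory, received_len, out, sizeof out);
    printf("vulnerable: %zu bytes, leaked \"%.14s\"\n", n, (const char *)out + 21);
    printf("fixed: %zu bytes\n", heartbeat_fixed(server_memory, received_len, out, sizeof out));
    return 0;
}
```

The vulnerable reply is 35 bytes long even though only 21 were received, and its tail is the "secret" data that followed the request in memory; the fixed handler returns 0 for the same request.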
What Can You Do to Protect Your Personal Data
Don’t scramble to change your passwords, not yet, anyway. Wait until the service provider has successfully patched its website, according to an email sent by Codenomicon’s Ari Takanen to PC World. If you change your password before the patching is completed, your new password could itself end up in the server memory that an attacker can read.
There are online checkers available if you want to check whether or not the website you are using is still affected by the bug. These three Heartbleed checkers can help you: filippo.io/Heartbleed, lastpass.com/heartbleed, and ssllabs.com/ssltest. If the website has not yet been patched, don’t use it until it’s clear for you to do so. The Heartbleed bug can only expose information that is in the Web server’s memory, so it is best not to introduce new data that could be intercepted, most especially your new password. For your data to be exposed in an attack, it has to be present in the Web server’s memory. Now that the bug’s existence has been widely publicized and attackers may be taking advantage of the websites that have yet to issue patches, changing your password on an unpatched site can be more disastrous than taking no action.
The presence of an encryption flaw like Heartbleed should make you more security-conscious with your online data. Consider these two effective means of locking down your online accounts: two-factor authentication and a password manager.
Two-factor authentication requires you to enter a code, in addition to your password, before gaining access to your online account. This code is normally generated by a smartphone app or sent in an SMS text message. With two-factor authentication, you add a layer of security to your online account because the extra login step is difficult for an attacker to duplicate.
Another smart way to protect your various online accounts is to use a password manager. Examples of password management services include Dashlane, KeePass, and LastPass. Equipped with secure notes and auto-fill capabilities for completing online forms, a password manager simplifies the task of regularly randomizing your passwords and keeping track of them.