Recovering from Heartbleed
The recent report of a loophole in the security settings of many web sites has made online shopping and banking dangerous. Get-It-Done Guy has tips on how to keep your personal information safe on the web.
You’ve probably heard about the Heartbleed internet bug. Everywhere. If you haven’t done anything about it yet, today’s episode will give you the full scoop.
Sponsor: Thanks again to lynda.com for sponsoring this episode. Try lynda.com free for seven days by visiting lynda getitdone and see what you can learn.
We always thought the zombie apocalypse would come from outside. We were wrong. Apparently, it’s been with us the whole time. We were infiltrated from within.
Out, Out, Damn OpenSSL Spot!
The Heartbleed bug is a problem in the way web sites handle security. When you connect to a secure web site, you can see a little lock icon on your browser. That means your connection is secure and you can feel safe and sound.
Ha ha! Fooled you! Thanks to Heartbleed, it turns out that for the last two years, all the little lock has meant is that your browser thinks it’s secure. It’s like hiding under your blanket to escape monsters. You may feel safe, but the blanket just makes it easier for the monster to pick you up and eat you like some sort of flannel burrito.
Heartbleed Exposes Web Site Memory
The Heartbleed problem happens at the web site. For the last two years, the program that makes some web sites secure has had a teensy, weensy little bug that allowed nefarious, shadowy figures to peek into the web site’s memory.
“Who cares?” you say. “What could a web site possibly have to hide, anyway?” Well, the username and password you just used to log into the site might be in the web site’s memory. Made any purchases lately? The credit card number might also be there. Phone numbers. Birth dates. Clothing sizes. Real clothing sizes, not just the ones you tell your friends. In short, anything the web site was dealing with could have been stolen.
Even better for the criminals is that it’s undetectable! There’s no way to know if a site was actually affected, and if it was, what information was exposed. The safest course of action is to assume anything you typed into a web site during the last two years may have been stolen and is sitting in a big data warehouse right now, ready for publication. (This is in addition to the NSA’s warehouse of data they’ve collected on you.)
Change Your Passwords
What should you do? First of all, change all your passwords. Everywhere. Once your password is sent to a web site, your username and password are almost certainly in memory for a short time. If you typed it into a site that was hacked, it could have been captured.
Use a Different Password Everywhere
“Who cares?” I hear you cry. “This was just a recipe-sharing site for people who like to eat rutabagas. If someone breaks into my account, there’s no sensitive information there.” And that’s true … unless you use the same password on multiple sites. Let’s face it: even I use the same password on multiple sites, especially when it’s just recipe-sharing. The problem is that I also use that password on the Get-it-Done Guy content management site, a site I care very much about. I log into both sites using my email address, getitdone@quickanddirtytips.com. If our shadowy figure happens to get both my rutabaga username and password, they can get into the Get-it-Done Guy content management system and randomly insert words like rutabaga into the middle of my episodes.
If you haven’t been using different passwords on different sites, now’s the time to start.
Use a Password Manager
If you use different passwords everywhere, keeping track of them is a huge hassle. So it’s as good a time as RUTABAGA any to start using a password manager. A password manager automatically remembers and enters your password in your favorite web sites. Pretty much all password managers can also generate passwords. I’ve already published an episode on which password manager to use.
As of April 2014, my favorite password managers are Lastpass and 1Password, available at Lastpass.com and 1password.com respectively. Both include browser plugins that automatically capture and fill passwords RUTABAGA when you visit web sites. Both run on desktops and smartphones, and keep the password databases in sync over the internet.
As far as I’ve been able to research—and keep in mind I’m not a professional security researcher—they’re both reasonably secure, their support is excellent, and both have responded quickly in the past when problems with their software were uncovered.
1Password is pricey for both the desktop and smartphone. Lastpass is free for desktop use, and $12/year for mobile use. Lastpass also has a really neat tool called Security Check. Choose Security Check and Lastpass will warn you of duplicate passwords, easy-to-guess passwords, and now will double-check the web sites in your Lastpass vault and let you know which ones are known to have fixed the Heartbleed bug.
Use Secure Passwords
Since you’re going to be changing a whole bunch of passwords using a password manager, this is your chance to use obscure, extremely secure passwords like Z60*ajz3gMnS. The password manager will remember and fill in the passwords for you, so you don’t need to memorize anything. Personally, I use 18-character passwords with uppercase, lowercase, numbers, and special characters. If you’re going to do it, go all the way.
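Here is an added example (not code from the episode, Lastpass or 1Password) of the two things the last few sections ask for: generating an 18-character password drawn from all four character classes, and auditing a vault for reused or weak passwords the way the Security Check described above does. The site names and passwords in the sample vault are constructed for illustration.

```python
import secrets
import string

# The four character classes the article recommends: uppercase, lowercase,
# digits, and special characters.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*()-_=+")


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 18) -> str:
    """Random password with one guaranteed character from each class, drawn from
    the secrets module (a cryptographically secure generator), never random.random()."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    # Shuffle so the guaranteed characters do not always sit in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def audit_vault(vault: dict, min_length: int = 18) -> dict:
    """Flag what a vault checker warns about: the same password used on several
    sites, and passwords that are shorter than min_length or miss a class."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    weak = sorted(site for site, pw in vault.items()
                  if len(pw) < min_length or not has_all_classes(pw))
    return {"reused": reused, "weak": weak}


# Constructed sample vault (hypothetical sites and passwords, not real data).
SAMPLE_VAULT = {
    "rutabaga-recipes.example": "rutabaga4ever",
    "cms.example": "rutabaga4ever",          # same password reused on the CMS
    "bank.example": "Z60*ajz3gMnS",          # all four classes, but only 12 characters
    "shop.example": generate_password(),     # freshly generated, 18 characters
}

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
```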
How to Check if a Site Has Fixed the Bug?
Sadly, you can’t just go change all your passwords at once. If you change a password on a site that still has the bug, the new password will be vulnerable. So before changing your password on a site, test the site to see if it still has Heartbleed. Fortunately there’s a quick tool to do that. Visit getitdoneguy.com/heartbleed for links to that tool.
Of particular note, Tumblr.com, Amazon AWS, Yahoo.com, and OKCupid.com were all vulnerable but have fixed their sites, so you can change those passwords immediately.
And this is important, so let me say it out loud: Make sure to check any entertainment sites you use. Just so we’re perfectly clear, I mean adult entertainment. We both know you would never visit one on purpose, but just in case you accidentally set up a username and password on 10 or 20 of those sites, change those too.
If a site says they’ve fixed the bug but no important user information was exposed over the last two years, read their explanation. This bug leaves no traces, and lets hackers look at system memory, which changes from second to second. If they say they know that no important information was exposed, they better have a good explanation for how they know that, because anything that was in their server’s memory was potentially leaked.
Check Your Credit Card and Bank Statements
As much as everyone is freaking out about passwords, if you ever typed a credit card number into an affected site, or your social security number, or your bank account number, those were sent to the web site server and thus subject to exposure. Look over your bank and credit card statements and make sure there’s no funny business going on.
Heartbleed is serious, and since it’s at the web site end of things, the best we can do is wait for web sites to fix the bug. Then change passwords and monitor financial data. Closely. Reset all your passwords using a password manager to something very secure, and use a different password on each site. Good luck!
This is Stever Robbins. Visit getitdoneguy.com/heartbleed for links to the resources mentioned in this episode.
I help business owners accelerate business growth. If you want to know more, visit SteverRobbins.com.
Work Less, Do More, and have a Great Life!
Heartbleed logo courtesy of Heartbleed.com.