For anyone who uses the internet for things such as online e-mail, social networking, internet banking or buying things with credit cards, Paypal or Bitcoin, PAY CLOSE ATTENTION! Heartbleed is a vulnerability in OpenSSL, the encryption library used by a great many websites. It has been the backdoor to encrypted information on a number of well-known websites in the last 24 hours and has extreme ramifications for a lot of services, not the least of which is identity theft. Follow me after the jump to see a list of sites still and previously vulnerable, as well as precautions that you should probably take right now if you know how.
Google’s services are now safe to use, as the search giant found and fixed its Heartbleed vulnerabilities. A day on, after security teams rushed to fix the vulnerability, most web services are now safe to use and won’t see an issue like this again. Still, it remains a good idea to change the passwords to services and accounts that you consider important, and this is especially crucial in the case of Yahoo services like Yahoo Mail, Tumblr and Imgur.
On the local front, most websites have been proactive and have taken steps to close up any possibility of future Heartbleed attacks. ABSA Bank has also announced via Twitter that their online services are not affected by Heartbleed. If you’re still in doubt, use the Heartbleed checker to confirm that the OpenSSL-based sites and services you rely on have been fixed.
Precautions to take right now
If you haven’t already done so, here’s a short list of things you can do to prevent being affected by the Heartbleed attacks. Although the vulnerability only lets attackers read encrypted data and a portion of the encryption keys used by servers, many of these services have hooks into other devices and applications that you may already use. If any of these hold critical information relating to your bank accounts or personal details, you need to assess your risk and do the following:
- Log out of all your mobile applications on your cellphones, tablets or laptops and then log back in. Logging out invalidates the session tokens that an attacker may have stolen through Heartbleed and could otherwise use to get into your accounts.
- Log out of your social networks, online e-mail clients and picture hosts like Photobucket and then log back in.
- Change the passwords to services you subscribe to that send you e-mail notices about Heartbleed (a notice usually means the service has already patched, and a new password only helps once it has). Just to be safe, if you’re particularly paranoid, change all of your passwords everywhere.
- If you’re on Ubuntu Linux or Linux Mint, update your OS now. Debian-based Linux distributions are partially affected by the hacks and need to be secured with an urgent patch that will become available soon (no mention of when). If you’re on other Linux distros, update your OS as well if there are any patches outstanding.
- Set up two-factor authentication on any sites that host critical services that have personal information. This applies to logging in to Google, Outlook.com, Facebook, Twitter, Yahoo, iTunes, Dropbox for Windows clients and LinkedIn, which all support two-factor authentication using mobile phones.
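As an added example of why the log-out advice works, here is a server-side session registry in Python. It is constructed for this post rather than taken from any real site’s code, and the store, the timestamps and the token format are all assumptions. Logging out deletes the token record, so a stolen copy of the token no longer gets anyone in, and the operator-side step of revoking every session issued before the server was patched is what forces everyone to log in again.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    token: str
    issued_at: float  # Unix timestamp


class SessionStore:
    """Hypothetical server-side session registry (constructed for this example,
    not any real site's code). A login token only means something while a record
    for it exists here, which is why logging out makes a stolen copy useless."""

    def __init__(self):
        self._by_token = {}
        # Sessions issued before this timestamp are treated as possibly leaked.
        self._revoke_before = 0.0

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, never reused
        self._by_token[token] = Session(user, token, now)
        return token

    def logout(self, token):
        """Delete the record; returns False if the token was already gone."""
        return self._by_token.pop(token, None) is not None

    def is_valid(self, token):
        s = self._by_token.get(token)
        return s is not None and s.issued_at >= self._revoke_before

    def revoke_issued_before(self, cutoff):
        """Operator action after patching: drop every session issued while the
        server was still vulnerable, so those users must log in again.
        Returns the number of sessions revoked."""
        self._revoke_before = max(self._revoke_before, cutoff)
        stale = [t for t, s in self._by_token.items() if s.issued_at < cutoff]
        for t in stale:
            del self._by_token[t]
        return len(stale)


if __name__ == "__main__":
    store = SessionStore()
    old = store.login("alice", now=1000.0)  # constructed timestamp
    print("before logout:", store.is_valid(old))
    store.logout(old)
    print("after logout: ", store.is_valid(old))
```

The user-side log-out and the operator-side bulk revocation are two views of the same fix: either way the record that gave the token its meaning is gone, and a token copied out of server memory earlier is just a random string.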
Many other sites and services don’t use OpenSSL and aren’t affected by the vulnerability, but the precautions are there to stop social engineering attacks from occurring using information stolen via Heartbleed.
Which sites have been attacked?
A list of sites was generated on 8 April by LulzSec hacker Mustafa al-Bassam and, among them, are familiar URLs like Imgur, Yahoo.com, Flickr, Tumblr, XDA-Developers.com, Duck Duck Go (anonymous search engine), Infowars, uTorrent.com and World of Tanks.com. You can access the list here for reference, although many of these sites have people working on patches for them already. As for the prominent sites that have been vulnerable to attacks in the past 24 hours…
- Electronic Frontier Foundation
The list of affected services and websites continues, and you should, at the very least, check the URLs of all the sites you visit using this handy Heartbleed checker.
What passwords should I choose?
Most sites and services accept passwords that are between 8 and 16 characters in length, and if you ask any security consultant for an example, it will be the most convoluted gibberish that you can’t hope to commit to memory.
What you should do is settle on a password at least eight characters long that can’t be found in a dictionary or in an online search. Then add a second four-letter word that is unrelated to the first. Then change some letters to uppercase, add at least two punctuation marks such as a question mark and an exclamation mark, and substitute some letters with numbers.
Now memorise it and, if you write it down, never let anyone else see it. Alternatively, use a password manager to store your online passwords, which it will create at random, so that you only have to remember one password to get into the manager. LastPass does this pretty well and has apps for mobile devices like tablets and phones as well, should you decide it’s worth the extra money.
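An added example in Python, written for this post rather than taken from LastPass or any other product, with a constructed six-word dictionary standing in for a real one: a checker for the composition rules above, a random generator of the kind a password manager uses, and the entropy figure that shows why the random one is the stronger choice.

```python
import math
import re
import secrets
import string

# Tiny constructed word list standing in for a real dictionary.
COMMON_WORDS = {"password", "welcome", "monkey", "dragon", "letmein", "qwerty"}
PUNCTUATION = set(string.punctuation)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(pw):
    """Check a password against the composition rules described above
    (8 + 4 characters, an uppercase letter, two punctuation marks, a digit,
    no alphabetic run that is a dictionary word). Returns a list of problems,
    empty when the password passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if sum(c in PUNCTUATION for c in pw) < 2:
        problems.append("fewer than two punctuation marks")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    # Any run of letters that is itself a dictionary word defeats the scheme.
    if any(run.lower() in COMMON_WORDS for run in re.findall(r"[A-Za-z]+", pw)):
        problems.append("contains a dictionary word")
    return problems


def generate_password(length=16):
    """Uniformly random password, the way a password manager makes one; re-draw
    until it also satisfies meets_policy so the same check covers both kinds."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not meets_policy(pw):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("dragon!Hex?7", "Gl0zvark!Tulm?"):  # constructed samples
        print(candidate, "->", meets_policy(candidate) or "ok")
    print("generated:", generate_password(16), f"({entropy_bits(16):.1f} bits)")
```

The hand-made scheme gives roughly the entropy of the words and symbols you chose, while sixteen characters drawn uniformly from the 94 printable ASCII characters carry about 105 bits, which is why a manager’s random passwords need no memorising trick at all.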