Over the past couple of weeks, there has been much media coverage and talk about the recent security scare discovered by Google's security team. While the media is talking about the vulnerability dubbed "Heartbleed", there is little coverage as to what it actually is, whether you are affected and what you can do about it. I will shed some light and give you the straight facts about Heartbleed.
What is it?
When you log in to any secure website, you might have the safety and peace of mind of seeing a lock icon or an "https" in the web address. This is to assure you that your data is being secured as it travels across the Internet, and this technology is called "SSL". "TLS", a version of SSL, is what is affected by Heartbleed.
The Heartbleed vulnerability makes your web traffic viewable even with SSL. If you log in to your Yahoo! e-mail account, for example, you are communicating with a web server that is owned by Yahoo. After your login information reaches Yahoo's web server, it could be viewed after the fact by someone who simply snoops on that server's memory. This, in a nutshell, is the Heartbleed vulnerability: your data "bleeds" over into memory in an insecure fashion.
How to protect yourself
The question I have been getting a lot recently from those concerned about Heartbleed is what they can do to protect themselves. In many cases with vulnerabilities, there are generally some steps you can take to protect yourself and become less vulnerable. However, in this case, there is actually little "you" can currently do.
This vulnerability affects a very popular server type, the type used by Amazon, Facebook, most U.S. banks, e-mail providers, mobile apps, etc. Because Heartbleed affects servers specifically, it is up to the organizations to patch this security flaw.
However, there are some steps you can take to be proactive:
Keep an eye out for headlines and announcements from your bank and your e-mail account provider (e.g., Yahoo, Hotmail) regarding Heartbleed. When a website you use to log in to your accounts announces that Heartbleed has been patched, immediately change your password and other security information.
If a website you use to log in to your accounts provides two-step authentication, always set it up. This could be something such as having to enter a password and then a verification code sent to you via text message in order to log in to your account. Most banks provide this option, and I would highly recommend it.
Heartbleed has already been blamed for various bank account attacks throughout Canada. This is a vulnerability that almost everyone is affected by at some level, and until organizations step up to the plate and begin patching their web servers on a large scale, the attacks will continue. Fortunately, many websites such as Facebook and Twitter have already patched Heartbleed. The damage that remains can only be determined after the threat is over. In the meantime, stay proactive by changing your login credentials and strengthening your authentication after it has been announced that Heartbleed has been patched on a wide scale.
MATTHEW SGHERZI lives in Tehachapi where he has operated an IT business since 2007 (tehachapicomputers.com).