Unless you’ve been living under a rock, you’ve probably heard of the Heartbleed bug.
But what is it and what can you do to protect yourself? Read on to find out.
IvyCat Servers are Secure
Before we go on to discuss the bug and what it means to you, we at IvyCat want to reassure you that we immediately updated our servers the moment this news broke. IvyCat has successfully secured all our servers and our customers’ information is safe.
What is Heartbleed?
Officially designated CVE-2014-0160, the bug owes its much sexier alias, “Heartbleed,” to the security firm Codenomicon. (Apparently, Codenomicon knows a thing or two about names…is that not one of the best company names ever? But I digress…)
It was Codenomicon, along with Neel Mehta from Google, who first discovered the vulnerability and set the interwebs on fire.
Quoted in a recent CNET article, Codenomicon explains how they immediately set out to test the Heartbleed bug on its own servers:
“We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication.”
According to USAToday, the NSA has known about and exploited Heartbleed for two years and has used it to gather intelligence. Can’t say I’m a big fan of that.
What’s It Mean?
SSL stands for Secure Sockets Layer. Basically, it is used to provide communication security throughout the internet by encrypting sensitive information (like your passwords, emails, credit card numbers, instant messages…basically, anything you wouldn’t want a stranger to be able to access).
The Heartbleed vulnerability involves specific versions of OpenSSL, an open source SSL/TLS library used by an estimated 66% of the internet, as stated in a recent NetCraft survey.
According to Heartbleed.com, a site created by Codenomicon to help explain the issue, OpenSSL versions 1.0.1 through 1.0.1f are vulnerable and have been “out in the wild” since early 2012.
What Can You Do?
CNET has compiled the top 100 sites on the web and is monitoring them for the Heartbleed vulnerability. They will keep this list updated daily: Check which sites have been patched.
To learn more about the details of the bug, including which open source operating systems may be vulnerable, visit Heartbleed.com.
If you have a question about the security of a specific site, don’t hesitate to contact them directly. It’s your information at risk and you have a right to be informed.
The most important thing you can do to protect yourself today is to change passwords on affected sites, after they’ve been patched. I know it’s a major pain in the patooty, but not as much of a pain as having your banking information stolen…trust me on this.
The implications of the Heartbleed bug are huge. It serves as a reminder to us all to never become too complacent when it comes to internet security. Regularly changing your passwords is always a good practice.
Reissue SSL Certificates
While this is a newly-reported vulnerability, and there aren’t confirmed reports of it being used to exploit sites (of course, it doesn’t leave a trace in server logs), there’s a possibility that bad guys have known about it for a while.
So, if you’re running a popular site and take personal or confidential information, you may want to generate a new private key and CSR and re-issue your SSL certificate (a CSR built on the old key doesn’t help, since the old key is exactly what may have leaked). If this sounds like Greek to you, ask your web developer or hosting company for help.
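The two steps above, checking whether an OpenSSL version string falls in the affected range and generating a fresh key and CSR for a reissue, as an added shell example that is not from the original post. The version strings in the comments are constructed samples, and the domain and output directory are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post.
# heartbleed_version_affected "<output of: openssl version>"
# Prints "affected", "not-affected" or "unknown" and returns 0, 1 or 2.
# Affected range per the post: OpenSSL 1.0.1 through 1.0.1f (1.0.1g fixed it);
# 1.0.2-beta1 is also included, as the OpenSSL advisory listed it.
# Caveat: some distributions backported the fix without bumping the version
# string (a patched "1.0.1e" is common), so the package changelog or a live
# checker like the DigiCert tool mentioned below is the authoritative answer.
heartbleed_version_affected() {
    # Keep only the version token, e.g. "1.0.1e" from "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)
            echo affected; return 0 ;;
        "")
            echo unknown; return 2 ;;   # not an OpenSSL version string
        *)
            echo not-affected; return 1 ;;
    esac
}

# new_key_and_csr <domain> [outdir]
# Generates a brand-new RSA private key and a CSR for it, so the certificate
# can be reissued. The old key is never reused: it may have been read out of
# server memory while the vulnerable OpenSSL was running.
new_key_and_csr() {
    domain=$1
    outdir=${2:-.}
    # Subshell so the restrictive umask (private key owner-readable only)
    # does not leak into the caller's shell.
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -subj "/CN=$domain" )
}

# Example usage (placeholder domain):
#   heartbleed_version_affected "$(openssl version)"
#   new_key_and_csr example.com /etc/ssl/private
```

Submit the resulting `.csr` to your certificate authority and, once the new certificate is installed, revoke the old one.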
Please share your thoughts on the Heartbleed bug and security in general in the comments below.
At IvyCat, we use 1Password to generate unique, secure passwords and we highly recommend that our customers use a good password management system like 1Password or LastPass to manage the ever-growing list of passwords.
In light of the Heartbleed vulnerability, Dave Teare and the folks at AgileBits are offering 1Password at 50% off during their Heartbleed Sale, so jump on over and save 50% on this terrific security product!
Tip: Want to check your SSL certificate to make sure it’s installed and configured correctly and see if it’s vulnerable to the Heartbleed exploit?
Use this handy tool from Digicert:
Tick the box to Check for Heartbleed vulnerability.