Heartbleed — the quick, dirty, and reasonable what-to-do story

by Bob Sullivan on April 10, 2014



Heartbleed is the latest guts-of-the-Internet calamity that you should know about, but can’t really do much about. In short, the very thing that was designed to keep Internet communications secure — part of the system that puts that little lock next to your web addresses at the top of your browser pages — was badly broken. The flaw allows bad guys to steal names, passwords, credit cards, even encryption keys. The faulty software is used to some extent by nearly two-thirds of all websites, though far fewer than that are actually vulnerable. It’s also a flaw with a cool name, which means big media folks are jumping on the story.

It’s quite real, however. Bruce Schneier, a geek’s geek, calls the Heartbleed problem an “11 on a scale of 1 to 10.” Still, as a consumer, there’s really only one thing to do: Watch all your critical accounts carefully during the next few weeks, just as you did after the Target leak. Report suspicious activity immediately.

Sign up for Bob Sullivan’s free email newsletter.

About those passwords: It’s probably a good idea to change your passwords, as it always is, but there are conflicting opinions about whether to do that now or a few weeks from now, as criminals might still be using the flaw to steal your data at various websites. You can’t go wrong by changing it now and again a month from now if you are nervous, but you will probably be fine if you wait a month.

Here are some things you might not have seen in all the coverage.

* Folks are taking this *very* seriously. In Canada, they’ve shut down online tax payments in reaction to the bug.
* The whole “impacts two-thirds of the Internet” thing is a misstatement. Two-thirds of websites use open source products that use OpenSSL — the flawed software — but many of them don’t implement it in a way that leaves this vulnerability open. The Washington Post actually says only 50 of the top 1,000 sites are vulnerable. It’s likely that researchers will discover other implementations that are vulnerable, however, so it’s still a little hard to say how widespread the actual vulnerability is.
* There is a huge difference between a flaw discovered (Heartbleed) and a crime in progress (Target). It’s quite possible no one’s data had been stolen when the flaw was announced (though folks assume the NSA was stealing everyone’s data using this flaw). UPDATE 4/11 at 3:45 p.m. ET: Bloomberg is now reporting that the NSA did know about the flaw and was exploiting it, leaving us all at risk.
* On the other hand, as Brian Krebs points out, the moment this flaw WAS announced, bad guys created a tool to exploit it, and you can bet they are rampaging around the Internet right now, gathering up as much digital booty as they can before all flawed software is updated.
* This is a HUGE headache for tech guys. Not only can bad guys steal credit card info, they can steal the security keys that make SSL work. So everyone affected has to trash their keys and start over. Major bummer. Every time one of these Internet-guts flaw stories comes out, IT folks get more gray hair. Be nice to them this week.
* You didn’t think that little lock was keeping you safe anyway, did you? As a reminder, SSL (that little lock) only protects data in transit across the Net. It does nothing to keep huge databases of info stored on hard drives safe.
* And a couple of useful links: Mashable has a tidy list of sites impacted (and not impacted) by Heartbleed. Worth a look. And maybe it’s time to think about using password management tools? LastPass has a neat feature which reminds you when you last changed your password. (thanks, Lifehacker)
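For the IT folks with the gray hair, the two chores above (get the flawed OpenSSL updated, then trash the keys and start over) boil down to a triage pass over every server. The script below is an added example, not code from this post or from the OpenSSL project; it parses the banner printed by `openssl version`, flags the affected releases (1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release, fixed in 1.0.1g on April 7, 2014), and treats any certificate whose validity began before the fix as one whose private key may have leaked and needs reissuing. The host names, banners and dates in the inventory are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1
# pre-release). 1.0.1g, released 7 April 2014, carries the fix; the older
# 0.9.8 and 1.0.0 branches never contained the heartbeat code.
FIX_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.0.1f 6 Jan 2014' into (1, 0, 1, 'f')."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_heartbleed_affected_version(banner):
    """True when the banner names an upstream release that shipped the bug.

    Caveat: Linux distributions backported the fix without bumping the
    upstream version string (a patched 1.0.1e still prints 1.0.1e), so a
    True result means 'check the package changelog', not 'proven vulnerable'.
    """
    major, minor, patch, letter = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 2):
        return "1.0.2-beta1" in banner
    if (major, minor, patch) != (1, 0, 1):
        return False
    # Plain 1.0.1 (empty letter) through 1.0.1f are affected; 1.0.1g+ are fixed.
    return letter < "g"


def cert_key_may_have_leaked(not_before):
    """A cert whose validity started before the fix existed was served by a
    key that an affected server could have disclosed; it must be reissued."""
    return not_before < FIX_DATE


def triage_host(banner, cert_not_before):
    """Return the remediation steps still outstanding for one server."""
    steps = []
    if is_heartbleed_affected_version(banner):
        steps.append("upgrade OpenSSL to 1.0.1g (or a distro build with the backported fix)")
    if cert_key_may_have_leaked(cert_not_before):
        steps.append("generate a new private key, reissue the certificate, revoke the old one")
    if steps:
        # Sessions and passwords issued while the key was exposed are suspect too.
        steps.append("invalidate sessions and ask users to change passwords once the above is done")
    return steps


# Constructed inventory for the example (hypothetical hosts and dates).
INVENTORY = [
    ("shop.example.invalid", "OpenSSL 1.0.1f 6 Jan 2014",
     datetime(2013, 11, 2, tzinfo=timezone.utc)),
    ("api.example.invalid", "OpenSSL 1.0.1g 7 Apr 2014",
     datetime(2014, 4, 9, tzinfo=timezone.utc)),
    ("legacy.example.invalid", "OpenSSL 0.9.8y 5 Feb 2013",
     datetime(2013, 1, 15, tzinfo=timezone.utc)),
]


def triage_inventory(inventory=INVENTORY):
    """Map each host to its outstanding steps; hosts with none are done."""
    return {host: triage_host(banner, nb) for host, banner, nb in inventory}


if __name__ == "__main__":
    for host, steps in triage_inventory().items():
        print(host, "->", "; ".join(steps) if steps else "nothing outstanding")
```

Note that the third host is the interesting one: its OpenSSL never had the bug, but its certificate still predates the fix, so whether its key needs rotating depends on whether that same key was ever served from an affected box (a shared wildcard cert, for instance); the script conservatively says reissue.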
