What you need to do about Heartbleed

The Heartbleed bug has affected about two-thirds of the worlds websites

The Heartbleed bug is big trouble and it's affected about two-thirds of the world's websites.

That means virtually everyone should be taking steps to protect themselves, starting first by updating passwords for important online sites.

"It's like this is a huge Internet reset," said Steve Sundermeier, founder of Thirtyseven4.com, an Ohio-based security company. "It's pretty alarming. Users who thought they were doing the right thing now aren't secure. Everybody is kind of in the dark as to who actually was affected and vulnerable."

Security experts are still piecing together how much damage has been caused, or can be caused, by the Heartbleed flaw.

The vulnerability existed in OpenSSL, one of the Internet's most widely used encryption software packages, for about two years. It's not clear whether cyber criminals discovered the bug, which exposes users' most private, and trusted, communications - emails, banking transactions, credit card numbers and health records - to risk.

When users see the little padlock symbol in the corner of their screen, they generally think their communications are safe since they're generally protected by SSL encryption. But for the last two years, that wasn't the case.

Heartbleed, so named because it affects an SSL extension software programmers call Heartbeat, affects anywhere from half a million to a billion websites, depending on which security analyst you talk to. And it's not just websites that have been affected.

Steve Pate, chief architect with HyTrust Inc., a California-based security and compliance company, noted that the vulnerability also has affected a variety of devices, ranging from smartphones to home routers, tablets and laptops.

Many of those devices came installed with software that used the buggy Open SSL.

The biggest concern is not just that the bug is so widespread but that it affects the information users are most concerned about protecting.

"Open SSL is relied on by so many sites," said Chester Wisniewski, senior security advisor with Sophos, a security company based in the U.K. " It's what we rely upon for privacy and security, so it's the last thing you want to see made vulnerable. What does this affect? Everything. This is really messy."

Various tools have popped up to help people figure out whether their favorite online retailer, bank or social network is vulnerable, but they tend to only note if they're currently vulnerable. The tools do little to detail whether a site was vulnerable in the past.

If a site was vulnerable at any point, user names, passwords and other critical information may have been compromised.

Google, which owns the most-visited websites in the world, told Computerworld that it had been vulnerable, but its software has been patched and the sits are safe now.

A spokesman for Facebook, the world's largest social network with more than a billion users, also acknowledged that it was affected by the vulnerability, but has since fixed the problem. Yahoo, too, said its platform was vulnerable to Heartbleed but noted yesterday that it started workingto fix the problem as soon as it found out about it.

"We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed, and we're continuing to monitor the situation closely," the spokesman said. "We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."

Twitter, one of the top social networks and communication tools, reported that it was not affected.

So, what do companies and individuals need to do? The advice from nearly every security expert is to start updating passwords.

If anyone has shopped online, filled out their child's school forms online, done online banking or shared healthcare information online, they may be vulnerable.

The bigger issue is that many people use the same password for multiple accounts. For instance, they might use the same password to get into their Facebook account as they do for the company email or an online banking site.

That means if a cybercriminal has one password for someone, he might be able to use it to access multiple sites.

Change your passwords for each of your online accounts. And make sure each one is a strong, unique password, using at least six to eight characters, numbers and symbols.

"People typically have one or two passwords for everything, whether it's a social network or online banking or logging into their kids school network," said Sundermeier. "I do recommend that everyone starts changing their passwords. Nobody knows the extent of what was stolen. It's good practice to change your passwords every six months anyway. This is a very good time to implement this golden rule of safe computing."

Wisniewski noted that people need to check out the websites they use and make sure they've patched any vulnerabilities. If they change their password before the site is patched, they're still vulnerable.

To check a sites, several different tools are available, including the Heartbleed test, or this one from Qualy. The Chrome browser also has a plugin designed to alert users if they attempt to go to a vulnerable site.

Wisniewski advised people to change passwords for their 10 most critical websites, such as banking sites, credit card accounts, retirement or investment accounts, Facebook and Twitter.

Because the vulnerability has been around for a couple of years, people should be diligent over the next year, checking their credit card and banking statements for unusual activity. They also should monitor their email activity to see if they blasted out spam to their contacts, while also monitoring their social networks for rogue posts.

Enterprises should be immediately auditing their systems to figure out if any need to be patched and check to see if systems that deal with employee passwords are vulnerable because they use Open SSL.

Companies also should be telling employees to change their passwords - both work-related and personal -- while also making sure that each password is unique. And to ensure that employees actually follow through, companies should push out a forced password change.

Companies likely want to focus first on remote employees who establish connections through a VPN.

Even if an enterprise's own site is safe, employees should still change their passwords because they may have been affected by visiting other sites.

Sharon Gaudin covers the Internet and Web 2.0, emerging technologies, and desktop and laptop chips for Computerworld. Follow Sharon on Twitter at @sgaudin, on Google+ or subscribe to Sharon's RSS feed. Her email address is sgaudin@computerworld.com.

See more by Sharon Gaudin on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the Computerworld newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingsecurityMalware and Vulnerabilities

More about FacebookGoogleInc.SophosTopicYahoo

CIO
ARN
Techworld
CMO