Heartbleed
Everyone is shouting about it so I thought I’d chip in too. Despite the massive media coverage there is still a lot of confusion out there about this so these are my thoughts on the matter. This issue is going to continue in the news for weeks as various devices and websites are found to be affected. The chances of it affecting any one individual is vastly remote, but like the lottery no matter how long the odds it will affect some, maybe many, people.
What has it taught us?
-
No one company, no one site, no one software package, no one software type is safe (most of us knew that already)
-
The simplest mistake can cause the most severe risk
-
This bug is a potential risk, not a known risk. There is no way to prove whether any one website has been accessed unless the hackers tell you (like MumsNet), nor if it has whether they received any data. It is possible, but so are many things.
-
A single password is only the most basic of protection
-
As an individual there is very little you can do about the problem, only the simple steps below which are general good practice.
Should I change my password right now?
In short no. In the next few months is it worth changing your frequently used passwords? Definitely. Make sure that the service you update your password on is fixed first or the very action of logging in to change you password could expose your details to attack. This is especially relevant for infrequently accessed sites as there is little chance they have previously been exposed but accessing your account before the site is fixed will greatly increase your risk.
What can we do to better protect ourselves?
a) Have different passwords across all websites / applications
b) Use 2 Factor authentication. This means installing either Google Authenticator, Microsoft Authenticator or a similar smartphone app. Instructions to setup can be easily found via Google. Lifehacker has a list of sites that are 2 factor capable. Googling “2 factor authentication ” and the website you want to protect will give plenty of advice.
bi) Will this solve everything? No.
bii) Will it make you a lot more secure? Yes.
biii) Do I use 2 factor? Most certainly and have for a while.
c) Change passwords every so often (But not too often that you start having to write them down or resort to using simple ones. Lastpass and similar services are very useful when used with strong master passwords and 2 factor authentication)
d) Make sure you have set up the account recovery options. Secondary email accounts, register your mobile number, setup facebook trusted contacts, security questions. All these things give you ways to recover your accounts IF they get hacked via this bug or any other.
e) Don’t panic Mr Mainwaring, read up and take precautions!
The BBC have a round up here and there is a fairly comprehensive overview of common services affected, (although slightly US focused), here: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/