Heartbleed / CVE-2014-0160

Let’s talk about something that affects you. It’s called CVE-2014-0160. You probably know it by Heartbleed. It is a security problem which affects at least 60% of the Web, including Facebook. Here’s how Heartbleed works.

While sysadmins panic (which did include me for a short time), here’s what you should do:

When you receive communication from an affected Website saying that they have fixed the problem, change your password on that site immediately. If they only acknowledge the problem exists but don’t mention a fix, do not change your password: their site is still vulnerable. If a few weeks pass with no confirmation the problem was fixed, you should change your password anyway.

Going forward, keep an eye on your financial statements for fraudulent activity and use unique passwords for every account. (Here’s why: if a vulnerability appears on site A but not site B, it won’t compromise your account on site B since they only have your personal information from site A.)

You can keep track of your passwords, and generate more secure passwords, using password tools like LastPass. If you want to control where your encrypted passwords are, you can use 1Password or KeePass. You can also use a notebook or special password journal (any office supplier will have either).

Whichever option you choose, make sure you keep your passwords somewhere safe and keep a copy outside your home in case of disaster. A safe deposit box or trusted friend/relative’s house, depending on your level of trust/paranoia, are both good options for most people.

Oh, and a report from Bloomberg says the NSA has known about this vulnerability for years and has exploited the bug. Articles with other commentaries and statements from the NSA (dishonestly) denying their exploitation of Heartbleed are available on MSN, CNET, and The Huffington Post.

For more information about Heartbleed, go to Heartbleed.com, or for more technical information visit Heartbleed’s entry in the Common Vulnerabilities and Exposures database, maintained by The MITRE Corporation.

Leave a Reply

Your email address will not be published. Required fields are marked *