Heartbleed security bug: What does this mean for you?

As if the end of support for Windows XP wasn't enough of a technology headache for one week, a newly discovered security bug named Heartbleed is causing people and businesses to worry about their online security.

A Google researcher and an independent Finnish security firm discovered the bug in a type of software called OpenSSL, which is used by approximately two-thirds of servers to encrypt sensitive information. Even though the issue was discovered last week, the problem has been in place since March 2012.

The name of the bug stems from its exploitation of the security protocol's "heartbeat" extension, which keeps the connection between the client and server alive. The bug can then decrypt small "packets" of information that pass through the server and allow a third party to view them.

What Does This Mean For You?

The Heartbleed bug could allow hackers and other ne'er-do-wells to access information on servers that should be encrypted. In theory, information passing through a very large number of websites could be vulnerable, including emails, instant messages, documents, passwords and credit card information. No one is really sure at this point how long, or even if, hackers have been accessing information on affected servers.

The Fix is Simple, But Not

Fixing the Heartbleed vulnerability is easy, but it isn't exactly simple. First, the websites hosted on servers affected by the Heartbleed bug need to be updated to patch the vulnerability. The patch will prevent hackers from accessing any new data passing through the server, but it won't prevent hackers from using the information they already possess. In order to prevent further issues, you need to change your password for any affected sites as well.

Don't Change Your Passwords Yet

While your first instinct might be to immediately change all of your passwords, it's not a good idea yet. After all, changing a password for a site hosted on an affected server still serves up your information to anyone illegally accessing the server's information. Once the problem is patched, then you should change your password. Alternatively, you will probably receive an email from any affected websites informing you that the vulnerability has been patched and requesting (or in some cases requiring) you to change your password.

Increasing Your Security

First, change the passwords on any sites that have been updated to patch the Heartbleed bug vulnerability.

Second, resist the temptation to use the same password for every site. In fact, it's best if you have different passwords for each and every site you use.

Third, rather than trying to remember dozens of different passwords, use a password manager. A password manager can not only remember and autofill your passwords for every website you use, it can also generate unique and extremely strong passwords for you.

Finally, if a website, like Google, allows you to use a "two-step" sign-in process, you should opt in. Two-step sign-in processes are, as you might guess, much stronger than the traditional log-in methods used by many sites.

So now that you know Heartbleed exists and what it can do, try not to panic. It certainly isn't the end of the world. Just take the suggested security precautions and change your passwords once the vulnerability is removed. Additionally, you may want to keep an eye on bank accounts and any websites that contain any sensitive information.

