NORTH FULTON, Ga. – Anyone with a computer has probably heard or read about the newest cybersecurity flaw, “Heartbleed.” Fortunately, a fix already exists, but users still must act to protect themselves by changing their passwords once the sites they use have applied it.
“This is the largest server-side security flaw we have ever seen,” said Tyler Jones, of Carmichael Consulting Solutions. “What makes it unique is that, unlike most security threats in IT, there is nothing you can do on the client side.”
That means the user cannot fix the problem, but the user can still take protective steps. Typically, when a flaw is found, the user installs a patch or update to close it. Heartbleed, however, is a bug in software running on the servers themselves, so it is up to the companies we do business with to update their servers.
The flaw is in OpenSSL, a widely used open-source library that implements the encryption behind secure websites. When a user connects to a secure (HTTPS) site, the browser shows a lock icon or green bar; on an estimated two-thirds of web servers, OpenSSL is the software doing that encryption. The bug, tracked as CVE-2014-0160, is in OpenSSL’s handling of the TLS “heartbeat” extension and is present in versions 1.0.1 through 1.0.1f. Heartbleed allows someone to read small snippets of information from the server’s memory in plain text rather than encrypted code, Jones said; each malformed request can return up to 64 kilobytes of whatever the server process held in memory at that moment.
Usernames, passwords, security questions, session cookies and, in the worst case, the server’s own private encryption key could be compromised. And given how widely OpenSSL is deployed and the nature of the problem, websites could have been attacked at any time since the bug was introduced in early 2012 and never know it: a Heartbleed request leaves no trace in ordinary server logs.
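To make the mechanism concrete, here is an added example that is not from the article and not OpenSSL’s own code: a small C model of the heartbeat handler in its vulnerable and patched forms. The message layout follows RFC 6520 and the two handlers follow the shape of OpenSSL’s tls1_process_heartbeat before and after the 1.0.1g fix, but the simulated server memory, the secret string and the function names (build_heartbeat, vulnerable_heartbeat, patched_heartbeat, run_scenario) are constructed for this demonstration. The over-read is confined to one array so the program is safe to compile and run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define RESP_CAP    (1 + 2 + 0xFFFF + HB_PADDING)  /* room for any 16-bit payload_length */
#define MEM_SIZE    (RESP_CAP + 64)

/* Simulated server memory (constructed): the incoming record sits at offset 0 and a
 * stand-in secret sits right after it, so the over-read stays inside this one array. */
static unsigned char server_mem[MEM_SIZE], response[RESP_CAP];
static const char SECRET[] = "user=alice; session=d41d8cd98f00b204";  /* constructed */

/* Writes a request claiming claimed_len payload bytes but carrying only actual_len, plus
 * 16 bytes of padding. Returns the true record length, the only length a handler may trust. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xFF);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Modelled on tls1_process_heartbeat in OpenSSL 1.0.1-1.0.1f: the peer-supplied length
 * drives the memcpy and rec_len is never checked. Returns response length or -1. */
static int vulnerable_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    (void)rec_len;                                    /* the bug: never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST) return -1;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);               /* over-reads once payload > rec_len - 19 */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Shape of the 1.0.1g fix: bound the claimed length by the record length before using it,
 * and silently discard malformed requests as RFC 6520 section 4 requires. */
static int patched_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len) return -1;          /* too short for header + padding */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST) return -1;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* claim exceeds record */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *);
/* Stages one 1-byte request in server_mem with SECRET adjacent and runs the handler. */
static int run_scenario(hb_handler handler, uint16_t claimed_len)
{
    static const unsigned char one_byte[1] = { 'A' };
    memset(server_mem, 0, sizeof server_mem);
    size_t rec_len = build_heartbeat(server_mem, claimed_len, one_byte, sizeof one_byte);
    memcpy(server_mem + rec_len, SECRET, sizeof SECRET);  /* "leftover heap" beside the record */
    return handler(server_mem, rec_len, response);
}

/* Byte-buffer substring search (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m > 0 && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Malicious request: claims 65535 payload bytes, sends 1. Does the reply carry the secret? */
int vulnerable_leaks_secret(void)
{
    int n = run_scenario(vulnerable_heartbeat, 0xFFFF);
    return n > 0 && contains(response, (size_t)n, SECRET);
}
int patched_rejects_malicious(void) { return run_scenario(patched_heartbeat, 0xFFFF) == -1; }

/* Honest request: claims 1 byte, sends 1. The patched handler still answers (1+2+1+16 bytes). */
int patched_answers_honest(void)
{
    int n = run_scenario(patched_heartbeat, 1);
    return n == 20 && response[0] == HB_RESPONSE && response[3] == 'A'
           && !contains(response, (size_t)n, SECRET);
}

int main(void)
{
    printf("leaks secret: %d  rejects malicious: %d  answers honest: %d\n",
           vulnerable_leaks_secret(), patched_rejects_malicious(), patched_answers_honest());
    return 0;
}
```

Compile with `cc -std=c99 -Wall heartbleed_model.c` (the file name is only a suggestion) and run it. The lesson of the patched version is that the only trustworthy length is the one the TLS record layer reports (rec_len here), never the one the peer writes inside the message. To check whether a real server is still exposed, look for OpenSSL 1.0.1g or later with `openssl version`, or probe it with `nmap --script ssl-heartbleed`; bear in mind that Linux distributions often backport the fix while keeping the older version string, so the package changelog, not the version number, is the authority.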
“There is no way to ever tell they have been compromised, if at all,” Jones said.
Any site that protects accounts with a password and ran a vulnerable version of OpenSSL is potentially affected; that includes banks, Yahoo, Google, Netflix and Dropbox. Debit card PINs, however, are not affected.
A fixed version, OpenSSL 1.0.1g, was released April 7, 2014. Many websites have already installed it (or a patched build from their operating-system vendor) while others are still in the process, and a complete fix also means issuing a new certificate in case the old private key leaked. However, the damage to any particular user may already have been done.
The best thing consumers can do is check with their websites to ensure the issue has been solved, and then change their passwords, Jones said.
What you can do to safeguard against Heartbleed
Heartbleed is not a backdoor but a memory-disclosure bug: a malformed “heartbeat” message makes a vulnerable server hand back a slice of its own memory, which can contain information that was supposed to stay protected, including user names and passwords. What this means for you is that banking websites, application websites and others could be at risk. Here is what Tyler Jones of Carmichael Consulting suggests you do:
•Immediately change your passwords for any of the sites that we already know have been attacked. These include, but are not limited to, Yahoo, Flickr and Tumblr.
•It is strongly recommended that you change your passwords for sites that may have been vulnerable but are now patched. These include Dropbox, Facebook, Google, Clio, Instagram, Netflix, Pinterest, YouTube and others.
•If you are unsure about a website, the site should have a statement posted somewhere about their current security status. If they have patched their software, go ahead and change your password. If they have not yet secured their site, you can change your password now if you want, but you will have to do it again once they secure their site.
Remember, a good password is at least eight characters long (longer is better), mixes letters, numbers and special characters (like @, #, %, !) and is unique to each site. Do not re-use passwords; a password manager makes keeping a different one for every site practical.