Last Monday news broke that the Heartbleed bug was one of the biggest coding screw-ups since the dawning of the Internet. Developers and sites have been taking the necessary measures to sop up the mess that is Heartbleed, but learning what this bug actually is remains the first step towards your own safety.
The Heartbleed problem is an encryption problem.
When you submit information (e.g. passwords) to a website, that website will often use OpenSSL, an implementation of SSL (Secure Sockets Layer) encryption, to protect it. In fact, two-thirds of all the websites out there use SSL encryption – which means you’ve probably relied on it, directly or indirectly. To everyone’s surprise except the NSA (which knew about the bug for a while), OpenSSL has been operating with a major vulnerability in the form of a bug for two years now, a vulnerability that would allow tenacious and hardworking hackers access to all that “encrypted” data.
Heartbleed is not a virus.
Contrary to a lot of misinformation, Heartbleed is not a virus that spreads via executables. Rather, Heartbleed is a bug in the OpenSSL code that can be exploited to obtain information that was supposed to be protected by encryption.
Heartbleed has claimed victims.
The Canada Revenue Agency announced that 19-year-old Stephen Arthur Solis-Reyes got hold of 900 of the country’s taxpayers’ profiles thanks to the Heartbleed bug; Yahoo was left twisting in the wind naked for 24 hours; Mumsnet, a popular parental guidance website in the UK, admitted its profiles had been rifled; and many other sites are running litmus tests to confirm or deny compromised files. This is not a victimless error.
Your Android device is also at risk.
An older version of Android (4.1.1) is particularly vulnerable to attack because of its outdated code. If you happen to be using a smartphone with this version of Android, refrain from making information-sensitive transactions, monetary in nature or not, as your credit card and other personal data are still at risk. Google has released a patch for the code, but now manufacturers and carriers must update on their end, which could take some time.
Changing your passwords will protect you... to a degree.
Mashable has produced a list of sites that were strong candidates for Heartbleed exploitation. Many high-traffic sites have patched the hole in their OpenSSL code, in which case it would be safe to change your password there. However, other websites that have yet to do so are still vulnerable to invasion, and it may be futile to change your passwords (they can just get stolen again). Before you start crafting new passwords, it’s best to wait for a notification from the sites you visit and the apps you use stating that their OpenSSL holes have been patched.
You can’t be too vigilant.
Even if you changed your passwords (yes, you should have unique passwords for each site you visit), you should still be monitoring your online accounts for suspicious activity. Report any extraordinary transactions to the site’s customer service immediately to prevent fraud. Programs like LifeLock are really helpful in situations like these, as they will sense fishy movement on your account oftentimes before you do, and are actually quite affordable with a coupon.
You can’t be too apprehensive.
Attackers and digital bandits may now be employing a one-two punch tactic: that is, sending you fraudulent updates from your favorite sites giving you the “all-clear” when in fact they’re only tricking you into handing over new passwords. Be especially cautious when opening and complying with any notifications regarding Heartbleed, and read every email through fully to check its validity.