So… Heartbleed.
Right. *SIGH* I covered a bit of this on social media (Facebook and Twitter) last week and it was all over the news, so I didn’t write here before today. I do feel some sort of overview, a week on, may be useful for someone.
What happened last week? It was disclosed that there was a big bug in the very popular open source software OpenSSL, which is used to encrypt a large portion of the world’s website traffic.
When this bug is exploited, someone is able to read unencrypted data sitting in the memory of systems running the vulnerable version.
What does that mean? The webcomic xkcd explains it clearly:
All that text? You shouldn’t be able to read it like a novel.
So what should you do today?
Change your passwords for the sites that state either that they were unaffected or that they are no longer vulnerable, and use two-step authentication whenever possible. If you went ahead last week and changed all your passwords on Monday, review which sites are now patched and change those passwords again. Don’t use the same password everywhere. But I’ve said that for a long time (see also Digital Credibility and Phishing, Part IV — Passwords). Monitor your financial statements and report any suspicious activity.
But wait, why didn’t alarm bells go off and say sites were compromised?
Because we don’t know. Really. We don’t. The nature of the bug means there’s no telltale trace of access. From heartbleed.com: “Exploitation of this bug leaves no traces of anything abnormal happening to the logs.”
Want to learn more?
- Mashable has a list of sites that were affected
- The Atlantic had a few articles on it; while the information has been updated in the later articles, The 5 Things To Do About the New Heartbleed Bug is a good place to start.
- 7 Heartbleed Myths Debunked by ReadWrite
- Everything you need to know about the Heartbleed SSL bug by Troy Hunt