on heartbleed…

So… Heartbleed.

Right. *SIGH* I covered a bit of this on social media (Facebook and Twitter) last week and it was all over the news, so I didn’t write here before today. I do feel some sort of overview a week on may be useful for someone.

What happened last week? It was disclosed that there was a big bug in OpenSSL, the very popular open source software used to encrypt a large portion of the world’s website traffic.

When this bug is exploited, someone can read unencrypted traffic sitting in the memory of systems running the vulnerable version.
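As an added illustration (not from this post and not OpenSSL’s own code), here is a simplified C model of the defect: the server echoes back as many bytes as the request claims to contain rather than as many as it actually received, so the reply carries whatever happened to sit next in memory. The arena, payload and secret below are constructed for the demo, and the only fix shown is the missing length check.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed "process memory": the 4-byte heartbeat payload "ping" sits at
   the front; a secret that should never leave the process sits right after
   it, as other requests' data or key material might in a real server. */
static const char ARENA[64] = "ping\0\0\0\0SECRET-SESSION-TOKEN-1234";
#define PAYLOAD_LEN 4   /* bytes the peer actually sent */

/* Vulnerable pattern: trust the length the peer claims and copy that many
   bytes back, never comparing it with what was received. It is clamped to
   the arena only so this demo itself stays memory-safe. */
size_t heartbeat_reply_vulnerable(uint16_t claimed_len, const uint8_t *payload,
                                  uint8_t *out, size_t out_cap) {
    size_t n = claimed_len < out_cap ? claimed_len : out_cap;
    memcpy(out, payload, n);   /* reads well past the real 4-byte payload */
    return n;
}

/* Fixed pattern: the claimed length must fit inside the bytes received. */
int heartbeat_reply_fixed(uint16_t claimed_len, const uint8_t *payload,
                          size_t received_len, uint8_t *out, size_t out_cap) {
    if (claimed_len > received_len || claimed_len > out_cap)
        return -1;             /* malformed request: discard it */
    memcpy(out, payload, claimed_len);
    return (int)claimed_len;
}

/* Returns 1 if the secret ended up inside the reply buffer. */
int reply_leaks_secret(const uint8_t *reply, size_t len) {
    static const char needle[] = "SECRET-SESSION-TOKEN";
    size_t nlen = sizeof needle - 1;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(reply + i, needle, nlen) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t out[64];
    size_t n = heartbeat_reply_vulnerable(40, (const uint8_t *)ARENA, out, sizeof out);
    printf("vulnerable: %zu bytes returned, secret leaked: %s\n",
           n, reply_leaks_secret(out, n) ? "yes" : "no");
    int r = heartbeat_reply_fixed(40, (const uint8_t *)ARENA, PAYLOAD_LEN, out, sizeof out);
    printf("fixed: request %s\n", r < 0 ? "rejected" : "answered");
    return 0;
}
```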

What does that mean? The webcomic xkcd explains clearly:

All that text? You shouldn’t be able to read it like a novel.

So what should you do today?

Change your passwords for the sites that state either that they were unaffected or that they are no longer vulnerable, and use two-step authentication whenever possible. If you went ahead and changed all your passwords last Monday, review which sites have since been patched and change those passwords again. Don’t use the same password everywhere, but I’ve said that for a long time (see also Digital Credibility and Phishing, Part IV — Passwords). Monitor your financial statements and report any suspicious activity.

But wait, why didn’t alarm bells go off and say sites were compromised?

Because we don’t know. Really. We don’t. The nature of the bug means there’s no telltale trace of access. From heartbleed.com: “Exploitation of this bug leaves no traces of anything abnormal happening to the logs.”

Want to learn more?