I spent a few hours today just getting up to speed on the Heartbleed issue, and I decided it was clearly more important to blog about it, rather than my usual commentary. I was pleased to find that one of my favorite sites for entertainment managed to show a very succinct explanation about the issue:
The important stuff:
CHECKING & FIXING VULNERABILITY
Here is a website listing popular domain names that are vulnerable: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Obviously, this list is not exhaustive. The article is 4 days old (as of this post date). Basically, every company is either actively checking its sites for the vulnerability, or is creating (or has already created) patches to fix it. The thing is, even if they have already fixed it (usually they’ll say so on their site), the site may have been vulnerable previously, and your account could already have been compromised. This is more likely if you log on to that website regularly.
Here is my suggestion:
Check the Mashable list above to see if the site you’re checking is indicated as vulnerable; prioritize changing the passwords for these sites first.
For sites that are NOT on the list above, go to:
Type in each company’s domain name you want to check. The bottom of the page should tell you if the site is (still) vulnerable. Unfortunately, Filippo, SSL Labs and Mashable are not coordinated, so some sites may report conflicting results. I would say SSL Labs is the most accurate and up-to-date.
Finally, go to the company’s website itself and confirm what the status is regarding their security measures for Heartbleed (as they ought to be the most up to date!). They may say they were never vulnerable (best scenario) or that they were vulnerable but have resolved it or are in the process of doing so.
In general, the most foolproof way to deal with Heartbleed is to change ALL your passwords (ugh, I know). However, note that changing a password is pointless if the company hasn’t deployed its patches yet, as you’ll probably have to change it again afterwards. Basically, if they are still working on it, wait until they give the OK before changing your password. I would prioritize the sites with the most sensitive information and the sites that you log on to most often (this includes sites where you have the site “remember you”). The more popular sites will probably be the most tempting for hackers to test stolen usernames and passwords against.
Some common online services that will need new passwords:
- Banking / Investments / Insurance
- Credit cards / Loan accounts
- Accounting / Tax services
- Shopping cart / payment sites
- Government sites
- Primary shopping sites (Amazon, Ebay, etc.)
- CRM, contact management, communication services
- Your primary social media
- Web hosting (if your WordPress site is through here, this is what matters)
- Wordpress (if hosted by WordPress)
- Security software, digital signature services, password management
- Cloud storage / backup
- Utilities / cell phone
- Mobile phone applications (UPDATE: See apps for detecting vulnerability on mobile devices here)
- Job search sites, contractor sites
- Forums, newsgroups, training/membership sites
- Entertainment / magazines / music / video
- Other recurring / ongoing online services/subscriptions
- PARENTS! Remember to deal with your kids’ accounts!
GETTING A PASSWORD MANAGER
While this whole Heartbleed fiasco is inconvenient, to say the least, my husband astutely suggested that I take this opportunity to improve my systems regarding password security, for my clients and myself. (He’s handy, in many ways.) It’s that whole thing about the Chinese character for “crisis” actually meaning “danger” + “opportunity” (which is a misinterpretation, btw). While I preach systems improvement every day and even dream about it, it’s good to be reminded to actually take such crises as an opportunity to grow/learn.
If you’re dreading the pain of having to create and remember a whole new plethora (I just like the word) of passwords, I highly recommend getting a password manager service. If you’re not dreading it, you should get one anyway.
If you don’t have one already, the Mashable site above listed 3 password management services. While there are definitely similar services (like SplashID), the fact that these companies were so responsive to the issue and had already addressed it indicated to me that these guys were “on the ball.” I would recommend checking out this review site before you make your choice:
What systems are you using to handle password management? What other systems do you / should you have to protect you, your family and your business?
I also recommend reading these articles: