Wednesday, April 9, 2014

HeartBleed: What you should know and what you should do right now!

If there are two things I can offer my non-technical/semi-technical friends about HeartBleed, they are:

  1. YOU need to take action to protect yourself and your family
  2. YOU need to strengthen how you manage passwords.
"Oh GEEZE!" I hear you saying, but DON'T stop here; I will make this simple for you.

First the overview: HeartBleed is a bug in popular internet software. This bug allows anyone to read private information from internet servers you commonly use. This "private information" includes passwords and other secrets that protect your accounts.

The most important part: this affects you whether you are a high school student, have just one credit card, have shopped on Amazon in the last two years, are a small business owner, or even if you are the CEO of a billion-dollar company. This is because individuals are affected just as much as companies.

There is no easy way to tell which sites were affected. The bug has existed for two years, and websites that were quick to respond may not be fully forthcoming about how they were affected.

That is, your bank may be affected, and your email account (which can be used to reset your bank account's information) may be affected.

The short of this is:

  • YOU are affected
  • YOU must take action
The problem is knowing what you should do and when you should do it.

What you need to do:

Change your passwords for all websites.

When should you change your passwords?

About Saturday April 26th.

Why not change a password now? Because your site may still have this bug. April 26th gives enough time for all servers to update their software.

What can you do in the meantime?

You can change your password right now, but this isn't a complete solution: to be safe, you should change your password again in two weeks (changing it both now and in two weeks isn't a bad idea).

You can and should watch your accounts for strange activity.

Take a look at the list of websites that are/are not vulnerable (heartbleed-sites). This list won't tell you whether a site was vulnerable last week or last month (we just won't get that information). You can also use http://filippo.io/Heartbleed/ to test a webserver.

But, again, you can't trust that a specific server was not vulnerable last week or last year, so your best bet is to just change all your passwords.

If changing your password is a pain for you, you need to fix how you manage passwords. THIS IS IMPORTANT, because this is something you will have to do again within the next few years (this will happen again), and you will have to teach your kids how to do this correctly, just like teaching them how to manage money and a bank account.

Find a password manager for your smartphone and/or desktop, and back those passwords up so that you can recover the information if there is a catastrophic failure.

I happen to use Keeper (https://keepersecurity.com/) for my iPhone. It works and I don't find it terribly difficult, although backups do cost money. I've found it easier to just pay them than to try and find a different/free product I trust.

To sum up:

  • Change all your passwords on or about April 26th for all sites -- even the ones that are not marked vulnerable and even those that you used just once in the last two years
  • Get a password manager and use it
  • Back up your passwords
  • Don't use the same password on different sites -- come on!
  • Teach your kids like you teach them to use safety belts