
What You Should Know About the Heartbleed Bug

By now, you have most likely heard about the Heartbleed bug. Many of the websites you visit for personal use or for your business are vulnerable to hacking because of a security flaw in OpenSSL, now dubbed the Heartbleed bug. This highly dangerous bug has introduced a security vulnerability into high-traffic sites like Facebook and YouTube.

In fact, it is such a hot topic that Finnish security firm Codenomicon has set up a Heartbleed website dedicated to updated information, tips, and suggestions pertaining to this bug. If you are responsible for the servers at your company or you run your own small business, you should be fully aware of what this bug does and how to protect your business.

What is Heartbleed?

Heartbleed is a dangerous security bug in the OpenSSL library that can be used to extract sensitive information belonging to users of an affected website. Although it was not made public until early April, when a new, fixed version of OpenSSL became available, the dangers from Heartbleed began near the beginning of 2014.

Approximately 17 percent of users who accessed web servers that were supposed to be safe were vulnerable, leading to the possibility of stolen passwords and identity theft. Since then, websites have been working hard to install a patch to ensure that their sites or ecommerce stores are no longer vulnerable to this bug.

Potential dangers from the bug include theft of credit card numbers and bank account information and the display of personal Internet information for everyone to see.

What is at Risk?

The four main types of data that were at risk were encryption keys; protected content such as instant messages and emails; usernames and passwords; and data and code used for creating functional websites. Some of the more popular sites affected by Heartbleed included Dropbox, Gmail, and Twitter, according to an infographic published by LWG Consulting.

Should I Change Passwords?

There are varying opinions on whether or not passwords need to be changed at this point, though the general consensus is that for websites that were vulnerable to the bug, it’s recommended that you change your password after the bug vulnerabilities have been fixed.

Reuters reported that anyone who signed up for health insurance under Obamacare is urged to change log-in information. Other reports say that at this point, most of the damage has been done, though since changing your password takes only a minute or two, it is worth it if you haven’t done so recently.

How Do I Protect My Business?

The Defense Department has provided some helpful tips for protecting yourself against the Heartbleed bug. The federal department recommends starting with your personal and business banking accounts and finding out if their online software has been fixed. It recommends changing your password after it has been fixed. Changing it beforehand is considered useless, because you’ll remain vulnerable to the bug until the site has made security fixes. Try to refrain from logging in and changing your password on any site that has not fixed the bug yet. The Defense Department also warns against phishing emails, reminding you to never click on a link in an email; instead, navigate to the website on your own in a different tab.

Sites like LastPass and McAfee have set up free tools to check whether websites are vulnerable to the Heartbleed bug. Qualys SSL provides yet another server checking tool.

Additionally, CNET has provided a helpful list of sites and password recommendations for consumers and businesses.

When is it Going to be Fixed?

Many site administrators are working on fixing their servers, and you should be doing the same. Test your servers and make sure they are no longer vulnerable. Once you know they are safe from Heartbleed, let your visitors know. Some websites are providing a helpful popup that alerts visitors to their Heartbleed status.

With these simple tips, you can protect your personal and business information from falling prey to the bug and help protect your consumers and visitors as well.