The Heartbleed bug is big trouble and it's affected about two-thirds of the world's websites.
That means virtually everyone should be taking steps to protect themselves, starting first by updating passwords for important online sites.
"It's like this is a huge Internet reset," said Steve Sundermeier, founder of Thirtyseven4.com, an Ohio-based security company. "It's pretty alarming. Users who thought they were doing the right thing now aren't secure. Everybody is kind of in the dark as to who actually was affected and vulnerable."
Security experts are still piecing together how much damage has been caused, or can be caused, by the Heartbleed flaw.
The vulnerability existed in OpenSSL, one of the Internet's most widely used encryption software packages, for about two years. It's not clear whether cyber criminals discovered the bug, which exposes users' most private, and trusted, communications - emails, banking transactions, credit card numbers and health records - to risk.
When users see the little padlock symbol in the corner of their screen, they generally assume their communications are safe because they're protected by SSL encryption. But for the last two years, that wasn't the case.
Heartbleed, so named because it affects an SSL extension software programmers call Heartbeat, affects anywhere from half a million to a billion websites, depending on which security analyst you talk to. And it's not just websites that have been affected.
Steve Pate, chief architect with HyTrust Inc., a California-based security and compliance company, noted that the vulnerability also has affected a variety of devices, ranging from smartphones to home routers, tablets and laptops.
Many of those devices came installed with software that used the buggy OpenSSL.
The biggest concern is not just that the bug is so widespread but that it affects the information users are most concerned about protecting.
"OpenSSL is relied on by so many sites," said Chester Wisniewski, senior security advisor with Sophos, a security company based in the U.K. "It's what we rely upon for privacy and security, so it's the last thing you want to see made vulnerable. What does this affect? Everything. This is really messy."
Various tools have popped up to help people figure out whether their favorite online retailer, bank or social network is vulnerable, but they tend to only note if they're currently vulnerable. The tools do little to detail whether a site was vulnerable in the past.
If a site was vulnerable at any point, user names, passwords and other critical information may have been compromised.
Google, which owns the most-visited websites in the world, told Computerworld that it had been vulnerable, but its software has been patched and the sites are safe now.
A spokesman for Facebook, the world's largest social network with more than a billion users, also acknowledged that it was affected by the vulnerability, but has since fixed the problem. Yahoo, too, said its platform was vulnerable to Heartbleed but noted yesterday that it started working to fix the problem as soon as it found out about it.
"We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed, and we're continuing to monitor the situation closely," the spokesman said. "We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."