What you need to do about Heartbleed

The Heartbleed bug affects servers running vulnerable versions of OpenSSL, the library behind an estimated two-thirds of the world's websites


Twitter, one of the top social networks and communication tools, reported that it was not affected.

So, what do companies and individuals need to do? The advice from nearly every security expert is to start updating passwords.

Anyone who has shopped online, filled out a child's school forms online, done online banking or shared healthcare information online may be affected.

The bigger issue is that many people use the same password for multiple accounts. For instance, they might use the same password to get into their Facebook account as they do for the company email or an online banking site.

That means that if a cybercriminal obtains one of someone's passwords, they may be able to use it to get into several other sites as well.

Change the password on each of your online accounts, and make sure each one is strong and unique: at least eight characters, mixing letters, numbers and symbols. A password manager makes unique passwords practical.

"People typically have one or two passwords for everything, whether it's a social network or online banking or logging into their kids' school network," said Sundermeier. "I do recommend that everyone starts changing their passwords. Nobody knows the extent of what was stolen. It's good practice to change your passwords every six months anyway. This is a very good time to implement this golden rule of safe computing."

Wisniewski noted that people need to check the websites they use and make sure they've patched the vulnerability. If they change their password before the site is patched, the new password can be exposed just as the old one was.

To check a site, several tools are available, including the Heartbleed test, or this one from Qualys. The Chrome browser also has a plugin designed to alert users if they attempt to go to a vulnerable site. Note that a site being patched is only half the story: if its private key leaked while it was vulnerable, its certificate needs to be reissued as well, and some of these tools show the certificate's issue date for exactly that reason.
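The following is an added example, not code from the article or from any of the tools it names. It checks one cheap, public signal that a user can verify without sending anything unusual to the server: whether the site's certificate was issued on or after 7 April 2014, the day the bug was disclosed and OpenSSL 1.0.1g was released. A certificate minted before that date may be tied to a private key that a vulnerable server later leaked. The helper names (`assess_reissue`, `fetch_peercert`) and the sample certificate dictionary are this example's own; the sample is constructed, not a real certificate. A post-disclosure issue date does not prove the server was patched, so treat it as one input alongside the tools above.

```python
"""Added example: was a site's certificate reissued after the Heartbleed
disclosure?  Hypothetical helper, not one of the tools named in the article.
Uses only the standard library; the network path is optional."""
import datetime
import socket
import ssl

# Public disclosure of CVE-2014-0160 (OpenSSL 1.0.1g release), used here as
# the cut-off for "reissued after the bug became known".
HEARTBLEED_DISCLOSURE = datetime.datetime(2014, 4, 7, tzinfo=datetime.timezone.utc)


def parse_cert_time(value):
    """Parse the 'notBefore'/'notAfter' string that ssl.getpeercert() returns,
    e.g. 'Apr  9 00:00:00 2014 GMT', into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(value)  # stdlib parser for this exact format
    return datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)


def assess_reissue(not_before, not_after=None, now=None):
    """Classify a certificate's validity window relative to the disclosure.

    Returns:
      'reissued' - notBefore is on/after the disclosure date
      'pre-bug'  - notBefore is before the disclosure (key may have leaked)
      'expired'  - notAfter is already in the past
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if not_after is not None and not_after < now:
        return "expired"
    return "reissued" if not_before >= HEARTBLEED_DISCLOSURE else "pre-bug"


def assess_peercert(cert, now=None):
    """Run assess_reissue on the dict that ssl.SSLSocket.getpeercert() returns."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"]) if "notAfter" in cert else None
    return assess_reissue(not_before, not_after, now)


def fetch_peercert(host, port=443, timeout=5.0):
    """Network path (not exercised offline): fetch the leaf certificate dict
    after a normal, fully verified TLS handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample (not a real certificate): the shape getpeercert() returns
# for a certificate minted two days after the disclosure.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Apr  9 00:00:00 2014 GMT",
    "notAfter": "Apr  9 23:59:59 2016 GMT",
}

if __name__ == "__main__":
    import sys
    cert = fetch_peercert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(cert.get("notBefore"), "->", assess_peercert(cert))
```

Run it with a hostname to check a live site, or without arguments to see the constructed sample classified. The `now` parameter exists so the classification is reproducible in tests; in normal use it defaults to the current time.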

Wisniewski advised people to change passwords for their 10 most critical websites, such as banking sites, credit card accounts, retirement or investment accounts, Facebook and Twitter.

Because the vulnerable code has been in circulation for about two years, people should be diligent over the next year, checking their credit card and banking statements for unusual activity. They should also watch their email accounts for signs that they have been used to blast spam to their contacts, and monitor their social networks for rogue posts.

Enterprises should immediately audit their systems to determine which run a vulnerable OpenSSL build (1.0.1 through 1.0.1f; 1.0.1g contains the fix) and need patching, and check whether systems that handle employee passwords are exposed because they use OpenSSL. Patching alone is not enough: anything the vulnerable process held in memory, including the server's private key and users' session tokens, may have been read, so after patching they should generate new keys, reissue certificates and revoke the old ones, and invalidate active sessions.
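As an added example of the audit step (this is not code from the article), the script below triages `openssl version -a` output collected from a fleet. Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the bug, 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches never had the heartbeat code. A version string alone is not conclusive, though: Debian, Ubuntu, Red Hat and other distributions shipped fixed packages that still report 1.0.1e, and a build compiled with `-DOPENSSL_NO_HEARTBEATS` is safe at any version. The script therefore uses the `built on:` date as a tie-breaker (a binary built before the fix existed cannot contain it) and returns INCONCLUSIVE where only the package changelog can decide. The host names and the version output in `SAMPLES` are constructed for this example.

```python
"""Added example: triage `openssl version -a` output for CVE-2014-0160.
Not from the article; sample host records below are constructed."""
import datetime
import re

VULNERABLE, FIXED, NOT_AFFECTED, INCONCLUSIVE, UNKNOWN = (
    "VULNERABLE", "FIXED", "NOT_AFFECTED", "INCONCLUSIVE", "UNKNOWN")

# Day the fix (1.0.1g) was published; a binary built before it cannot contain it.
DISCLOSURE = datetime.date(2014, 4, 7)

_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+|fips))?", re.I)
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# Matches the `date`-style line OpenSSL 1.0.x prints, e.g.
# "built on: Tue Apr  8 02:39:29 UTC 2014"; the weekday is skipped because
# no digits follow it.
_BUILT_RE = re.compile(r"^built on:.*?\b([A-Z][a-z]{2})\s+(\d{1,2})\b.*?\b(\d{4})\b", re.M)


def classify_version(version_line):
    """Classify the first line of `openssl version` by upstream version only."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return UNKNOWN
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, tag = m.group(4).lower(), (m.group(5) or "").lower()
    if base < (1, 0, 1):
        return NOT_AFFECTED              # 0.9.8 / 1.0.0: no heartbeat extension
    if base == (1, 0, 1):
        return VULNERABLE if letter <= "f" else FIXED   # 1.0.1 .. 1.0.1f bad, 1.0.1g+ good
    if base == (1, 0, 2):
        return VULNERABLE if tag == "beta1" else FIXED  # only 1.0.2-beta1 shipped the bug
    return FIXED


def parse_build_date(version_a_output):
    """Return the date from the `built on:` line, or None if absent/unparseable."""
    m = _BUILT_RE.search(version_a_output)
    if not m or m.group(1) not in _MONTHS:
        return None
    return datetime.date(int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))


def triage(version_a_output):
    """Return (verdict, reason) for one host's `openssl version -a` output."""
    text = version_a_output.strip()
    first = text.splitlines()[0] if text else ""
    verdict = classify_version(first)
    if verdict == UNKNOWN:
        return UNKNOWN, "could not parse an OpenSSL version line"
    if re.search(r"-DOPENSSL_NO_HEARTBEATS\b", text):
        return NOT_AFFECTED, "heartbeat extension compiled out (-DOPENSSL_NO_HEARTBEATS)"
    version = first.split()[1]
    if verdict != VULNERABLE:
        return verdict, f"upstream version {version}"
    built = parse_build_date(text)
    if built is None:
        return INCONCLUSIVE, f"{version} is vulnerable upstream; no build date, check the package changelog"
    if built < DISCLOSURE:
        return VULNERABLE, f"{version} built {built.isoformat()}, before the fix existed"
    return INCONCLUSIVE, (f"{version} built {built.isoformat()}, after disclosure: "
                          "possibly a distribution backport, confirm via the package changelog")


def triage_fleet(outputs):
    """Map host -> (verdict, reason) for a dict of host -> `openssl version -a` text."""
    return {host: triage(out) for host, out in outputs.items()}


# Constructed sample records (host names and build lines invented for the example).
SAMPLES = {
    "web-01": ("OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Feb 11 15:12:00 UTC 2013\n"
               "platform: linux-x86_64\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O3\n"),
    "web-02": ("OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Apr  8 02:39:29 UTC 2014\n"
               "platform: debian-amd64\ncompiler: gcc -fPIC -DZLIB -DOPENSSL_THREADS\n"),
    "vpn-01": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Tue Apr  8 10:02:41 UTC 2014\n",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013\nbuilt on: Tue Feb  5 12:00:00 UTC 2013\n",
    "edge-01": ("OpenSSL 1.0.1f 6 Jan 2014\nbuilt on: Thu Jan  9 08:30:00 UTC 2014\n"
                "compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -O2\n"),
}

if __name__ == "__main__":
    for host, (verdict, reason) in sorted(triage_fleet(SAMPLES).items()):
        print(f"{host:10} {verdict:13} {reason}")
```

In practice the `SAMPLES` dict would be filled from a configuration-management run or an SSH sweep; hosts that come back INCONCLUSIVE are the ones to cross-check against the distribution's security advisory rather than mark clean.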

Companies also should tell employees to change their passwords, both work-related and personal, and make sure each one is unique. To ensure that employees actually follow through, companies should push out a forced password change once their own systems have been patched, so the new credentials are not exposed in turn.

Companies likely want to focus first on remote employees who connect through a VPN, since many VPN gateways are built on OpenSSL.

Even if an enterprise's own site is safe, employees should still change their passwords because they may have been affected by visiting other sites.

Sharon Gaudin covers the Internet and Web 2.0, emerging technologies, and desktop and laptop chips for Computerworld. Follow Sharon on Twitter at @sgaudin, on Google+ or subscribe to Sharon's RSS feed. Her email address is sgaudin@computerworld.com.

See more by Sharon Gaudin on Computerworld.com.

Copyright © 2014 IDG Communications, Inc.
