August 2, 2015

Five Things to Know About Heartbleed

The news media has been abuzz with talk of the Heartbleed bug, a recently discovered vulnerability in commonly used security software. Here are answers to some common questions about Heartbleed.

1. What is Heartbleed?

Heartbleed is a vulnerability in OpenSSL, a widely used encryption program. The vulnerability was inadvertently introduced during an attempt to fix a different bug. Although it has been present in OpenSSL for two years, it was only recently discovered. Heartbleed could allow hackers to steal passwords, credit card data, or Social Security numbers from websites, home routers, smartphones running older Android operating systems, and other web-connected devices.

2. Which websites were affected?

Many commonly used websites use OpenSSL, including Facebook, Google, Gmail, YouTube, Yahoo, and Wikipedia. A website called LastPass has a handy Heartbleed checker, where you can enter a URL and see if it is vulnerable or safe. Another website, Mashable, created a “Heartbleed Hit-List” compiling vulnerability info for many sites.

3. Which websites were not affected?

Fortunately, most banking websites use more stringent security measures, so they were not affected by Heartbleed. Websites that were not affected include Amazon, AOL, Bank of America, Chase, LinkedIn, Hotmail, Outlook, PayPal, U.S. Bank, and Wells Fargo, among others. The CBA and CLE websites also were not compromised; neither uses OpenSSL.

4. What can I do to protect my information?

Most of the affected websites have issued patches by now. If the website was not vulnerable, you do not need to do anything (except keep up with regular password changes). If the website was vulnerable but has now been patched, change your password immediately. Secure passwords contain combinations of letters, numbers, and special characters, and should not be names, birthdates, or any other easily discoverable information. It is advisable to use different passwords for each website you frequent; websites like LastPass can help you keep track of these as well.

5. What about confidential client information?

Hopefully, most confidential client information would not have been vulnerable to Heartbleed. Aaron Street of The Lawyerist wrote a great article called “Heartbleed: What Lawyers and Law Firms Need to Know” that explains why client information is probably not susceptible. He also addresses the important question of safety in the cloud, particularly after Heartbleed and the Target data breach last fall.

As technology advances and its use becomes more widespread, security breaches like Heartbleed will become more common. Heartbleed is a reminder that internet safety is important for everyone.
