You have heard about it on the news. People in your office are mentioning it. But let's face it, Heartbleed isn't making a lot of sense to most people. Writing about something as technical as a code vulnerability in the OpenSSL library in a way that most people can understand is difficult. Hopefully I can provide a little clarity to some of you without getting lost in the weeds.
First, let's start here. If you want to read some great technical writing about Heartbleed, give it a try. GigaOm has it covered.
For those of you who want the 10,000-foot view of the problem, along with a list of things you can do to fix it, I will do what I can. Let's start by saying that if you have used the internet in the past two years and have any web accounts (banking, Facebook, email, whatever), you have almost certainly been exposed to the vulnerability. Your browser and the site's server need to talk to each other over an encrypted connection. OpenSSL is the software library that a large share of web servers use to do that. Heartbleed is a bug in that library (not in the encryption itself) that lets anyone who connects to a vulnerable server read chunks of the server's memory, and that memory can contain other people's passwords, session cookies and even the server's private encryption key. Think of it like this: Did you ever play Marco Polo in the pool? Pretend two computers are doing that. One calls out "Marco", the other answers "Polo", over and over. This "heartbeat" is how each side verifies that the other is still online. The catch is that the caller also says how long an answer it expects back, and a vulnerable server never checked that number against what was actually sent. Heartbleed would be like a server being asked for a much longer "Polo" than it was given and replying "Polo, and oh by the way, here is Johnny's password and Jannie's credit card number", because it blurted out whatever happened to be sitting next to "Polo" in its memory. Think of it as internet Tourette's syndrome. Got it? Good. Let's move on.
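To make the Marco/Polo picture concrete, here is an added example in C. It is my own illustration, not code from OpenSSL or from this post. It builds a made-up slab of "server memory" holding a heartbeat request followed by a fake secret, then handles the request two ways: trusting the claimed length the way the vulnerable code did, and with the single bounds check that the fix added. The secret, the names, the buffer sizes and the helper names are all constructed for the demo; the claimed lengths are kept small so the simulated over-read stays inside the demo's own buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1 byte type, 2 byte payload length,
 * the payload, then at least 16 bytes of random padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

/* Constructed stand-in for the server's process memory. The incoming
 * heartbeat record is placed at the front; a made-up secret belonging to
 * some other connection happens to sit right after it, as it could on a
 * real heap. */
static unsigned char server_memory[128];
static const char fake_secret[] = "Johnny:hunter2;Jannie:4111111111111111";

/* Write a request with the given claimed length and real payload into
 * server_memory. Returns the true length of the record the server got. */
static size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    size_t record_len = 1 + 2 + actual + HB_PADDING;
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_memory + 3, payload, actual);      /* padding stays zero */
    memcpy(server_memory + record_len, fake_secret, sizeof fake_secret - 1);
    return record_len;
}

/* Heartbeat handler. With fixed == 0 it behaves like the vulnerable code:
 * it trusts the length field in the request and never compares it with
 * the length of the record actually received. With fixed == 1 it adds the
 * one bounds check the OpenSSL patch introduced. Returns the response
 * length, or 0 when the request is discarded. */
static size_t handle_heartbeat(int fixed, const unsigned char *rec,
                               size_t rec_len, unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;

    if (type != HB_REQUEST)
        return 0;
    /* The fix: a claimed payload that does not fit inside the received
     * record is silently dropped instead of being echoed from memory. */
    if (fixed && 1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);   /* vulnerable path reads past the request */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 1 + 2 + payload_len + HB_PADDING;
}

static unsigned char response[256];

/* Send one "Marco" heartbeat with a chosen claimed length. Demo-only guard:
 * claims are limited so the simulated over-read stays inside server_memory
 * (the real bug accepted a claim of up to 65535 bytes per request). */
static size_t demo_response_len(int fixed, uint16_t claimed_len)
{
    if (claimed_len > sizeof server_memory - 3)
        return 0;
    size_t rec_len = build_request(claimed_len, "Marco");
    return handle_heartbeat(fixed, server_memory, rec_len, response);
}

/* 1 if the response to that heartbeat carries the bytes of fake_secret. */
static int demo_leaks_secret(int fixed, uint16_t claimed_len)
{
    size_t n = demo_response_len(fixed, claimed_len);
    size_t k = sizeof fake_secret - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(response + i, fake_secret, k) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable: claimed 64, got %zu bytes back, leaks secret: %d\n",
           demo_response_len(0, 64), demo_leaks_secret(0, 64));
    printf("fixed:      claimed 64, got %zu bytes back\n", demo_response_len(1, 64));
    printf("fixed:      claimed 5,  got %zu bytes back\n", demo_response_len(1, 5));
    return 0;
}
```

Build with `cc -o heartbeat heartbeat.c` and run it: the vulnerable path answers a five-byte "Marco" with 64 bytes of "payload", and the made-up secret shows up inside the response; the fixed path drops the oversized request and still answers an honest one. In the real bug the claim could be up to 65,535 bytes per heartbeat, repeated as often as the attacker liked, and nothing about the exchange looked unusual in the server's logs.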
What do you need to do to fix the problem? Well, the first thing is: do not panic. Stop ranting about how insecure the internet is and how you're never using it again. Don't be a rube. Most identity theft still happens offline, and e-commerce remains one of the safest ways to transact today. If you are reacting like a crazy person, stop reading right here, as the rest of this is above your pay grade. Second, realize that this is an easy fix. You need to do two things and only two things. First, as you go to your various web accounts, verify that the site has patched its OpenSSL. You can find this pretty easily on the company's main page or blog; trust me, everyone is looking for it. If it HAS NOT been fixed, do nothing until it has. Don't log in. Don't use it. Consider contacting the site and asking when the hole will be patched. Changing your password on a site that is still vulnerable is pointless, because the new password can leak exactly the way the old one did. If it HAS been fixed (and ideally the site also says it has replaced its encryption certificate, since the old private key could have leaked too), simply log in and change your password. That's it. You're finished. Safe and sound. Now a word about passwords.
The reason this is such an issue is what it does to your passwords. A password pulled out of a vulnerable server's memory is compromised no matter how strong it is, and the vast majority of you reuse simplistic, easy-to-guess words, names and phrases across sites, so one leaked password unlocks many accounts. Look at this list of the most popular passwords. Add to that the ability to social engineer things like children's names and anniversaries, and most people are completely vulnerable. I know it is difficult, but it is imperative that you use a different password for each site, with a minimum of 12 characters and a mix of upper and lower case letters, symbols and numbers. The easiest way to do this is to invest in software like LastPass or 1Password (the service I swear by). The software stores your passwords in an encrypted vault that only your master password unlocks. It also generates strong, unique passwords you can use on any site. Plus they include browser extensions that prefill your login and password for you. It is worth looking into. You can never be too safe.
Remember that the Heartbleed vulnerability comes from human error in the code: a missing check on a length field. The bad news is that it sat in plain sight for about two years; the good news is that it has now been found and fixed, and so far there is no evidence it was exploited on any major scale. This kind of thing happens. But if you are diligent you can mitigate the damage. Take the time and develop iron-clad passwords. Use two-factor authentication when it is available. Anything to help secure the process. The internet is a great thing if you take the time to understand how it works.