I’m sure many of you have heard the news lately about the “Heartbleed Bug”, and I’m sure some of you are asking, “What is this thing? Will it affect me? What can I do?” And so on.
Okay, let’s look at what is being said by the media. Below is a typical example:
“The Heartbleed Bug is a serious vulnerability in the popular Open SSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed Bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the Open SSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
See the complete article at: www.heartbleed.com
Now that your eyes have glazed over and your head is spinning, let me break this down:
This bug is a glitch in a secured aspect of web communication called SSL (short for “Secure Socket Layer”). In essence, what it does is take any information that you send over the internet and encrypt it so no one else can read it. The encrypted information is broken into small fragments called “packets”, and those packets are then sent over the web – not necessarily along the same routes – and reassembled at the destination so the system at the other end can decrypt and “read” it. This system of encryption is a fundamental part of many secure networks and of secure methods of remotely accessing a specific network (for example, working from home).
If you’ve ever been on a website with an address that begins with an “https” header (https://www.localbank.com), the “https” indicates that it is a secure site. Unsecured sites will use a simple “http:” header.
According to the news media, this vulnerability has been around for years! As of April 9, 2014, it was reported that a patch (fix) had been implemented and that the issue was being corrected. Essentially, this back door has been closed.
The one thing I do want to point out is that Open SSL is the most popular version of this software in use – not the only one! There are other encrypting software packages used out there, so there is a chance that your information was never at risk to begin with.
At this point, however, it is safe to assume that the issue has been resolved.
So, now that the issue has been addressed, what should YOU do to guarantee your personal information wasn't compromised?
Security specialists will tell you that it is a good idea to change passwords on a regular basis. The accepted practice is to change them three or four times a year. As one expert put it, “you aren’t carrying launch codes, so more frequent changes aren’t that crucial”.
With all of this hubbub about Heartbleed, I thought it would be a good time to review a few good password practices.
Take a moment and think about all the sites you are required to log into. Bank, social media, gaming, email, discussion boards, school networks, the list goes on. On average, a typical individual will log into twelve secure sites on a regular basis. Does that mean a person should memorize twelve different passwords? Heck no. Here are some tips for creating good password security:
- Most sites may assign a password to a user on a temporary basis, but the profile information will almost always have an option to change that password. Take advantage of that option and change passwords to something that you can remember.
- Divide your web use into three levels of security, and then have a password for each level. High security things use one password, medium security gets a second password, and low security things use a third password. That way, your Facebook password isn’t also your bank account password.
- Be creative: Most people generate a password based on their lives (kids’ birthday, anniversary, favorite team, car, vacation spot, etc.). If a person knows you well enough, they can usually figure out your password. In fact, the authorities have people who specialize in doing that. Make the password something totally out of character for you. My personal favorite example of this is from the television show Babylon 5. The head security chief was a tough-talking badass, but his access code was “peekaboo”. Think about it…
- Keyboards have all these nifty buttons; don’t just use the letters.
Look at these two passwords and tell me which one would be more difficult to crack:
password
!P@$$w0rd!
Many secure sites require the use of special characters anyway – make this a practice for all your passwords.
- Change them on occasion: No matter how creative you get, it’s still a good idea to periodically switch things up. Change your passwords three or four times a year.
- This should be a no-brainer, but people still do it: DON’T write your passwords down, don’t save them in a Word document (see my newsletter, “You set it out where?”), and don’t share your passwords with anyone. Also, remember that no reputable company will ever ask a user for their password. If they work there, they will have procedures in place to access your information and resolve your issue. Far too many people get scammed into giving someone access to their information and pay the price later.
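To put numbers behind the “password” versus “!P@$$w0rd!” comparison above, here is a small added example (not from the original post) that scores a password the way a basic strength checker does: it rejects anything on a list of very common passwords outright, and otherwise estimates the brute-force search space from the character classes used. The five-entry common-password list is constructed for the example; real checkers use breach-derived lists with millions of entries.

```python
import math
import string

# Constructed sample of very common passwords (a stand-in for the large
# breach-derived wordlists that real password checkers use).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Character classes and how many keys each adds to a brute-force alphabet.
CHARACTER_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32
}


def keyspace(password: str) -> int:
    """Brute-force search space: (alphabet size) ** length, where the
    alphabet is the union of the character classes actually present."""
    alphabet = 0
    for chars, size in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            alphabet += size
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """Upper-bound strength in bits against a brute-force attacker."""
    return math.log2(keyspace(password)) if password else 0.0


def assess(password: str) -> dict:
    """Apply the post's two concerns: is it a common word, and how big is
    the search space? A common password gets zero credit whatever its length."""
    common = password.lower() in COMMON_PASSWORDS
    return {
        "common": common,
        "bits": 0.0 if common else round(entropy_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in ("password", "!P@$$w0rd!"):
        print(pw, assess(pw))
```

Note that cracking tools also apply substitution rules (0 for o, $ for s, and so on) to dictionary words, so the gap between the two is smaller in practice than the raw bit count suggests.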