Heartbleed For Dummies
Heartbleed is an Internet security vulnerability that was discovered in early April 2014. The flaw affects major websites, such as Google and Yahoo!; Dropbox and other sites that could contain personal information, such as banking or credit data; and e-mail. This Cheat Sheet contains practical information for end users, rather than detailed technical information for information technology (IT) departments and systems administrators.
What Is the Heartbleed Computer Bug?
The Heartbleed vulnerability, sometimes mistakenly called the Heartbleed virus and officially known in the U.S. as CVE-2014-0160, is found in OpenSSL versions 1.0.1 through 1.0.1f, which contain a flaw in the TLS/DTLS (Transport Layer Security / Datagram Transport Layer Security) heartbeat functionality.
The Heartbleed bug allows an attacker to exploit the heartbeat functionality of OpenSSL by sending a malformed heartbeat request to a vulnerable server. The server responds with random 64 kilobyte blocks of data from the server's memory that may be completely useless to the attacker — or may contain individual user names and passwords, security certificates, cryptography keys, and other sensitive data.
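The length check the bug leaves out, as an added illustration in C that is not from this cheat sheet or from OpenSSL itself: a simulated server memory holds the received heartbeat record with other data (a constructed "secret") right after it; the vulnerable handler copies as many bytes as the request claims, while the fixed handler first compares the claim with what was actually received and discards the request when they disagree.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the Heartbleed bug, not OpenSSL's own code.
 * Heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define MEM_SIZE 128
#define MIN_PADDING 16
/* Simulated server memory: the received record sits at the start, and other
 * data (a constructed "secret") happens to lie right after it. */
static unsigned char server_mem[MEM_SIZE];

/* Place a request whose header claims `claimed_len` payload bytes but whose real
 * payload is strlen(payload); returns the number of bytes actually received. */
size_t stage_record(const char *payload, uint16_t claimed_len) {
    size_t real = strlen(payload);
    memset(server_mem, 0, MEM_SIZE);
    server_mem[0] = 1;                                  /* heartbeat_request */
    server_mem[1] = (unsigned char)(claimed_len >> 8);
    server_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_mem + 3, payload, real);
    size_t rec_len = 3 + real + MIN_PADDING;
    memcpy(server_mem + rec_len, "SECRET_KEY_MATERIAL", 19); /* adjacent data */
    return rec_len;
}

/* Vulnerable handler: trusts the claimed length and never compares it with
 * the number of bytes actually received. */
size_t heartbeat_vulnerable(size_t rec_len, unsigned char *out) {
    uint16_t plen = (uint16_t)((server_mem[1] << 8) | server_mem[2]);
    (void)rec_len;                                      /* unused: this is the bug */
    out[0] = 2; out[1] = server_mem[1]; out[2] = server_mem[2]; /* heartbeat_response */
    memcpy(out + 3, server_mem + 3, plen);              /* over-reads into the secret */
    return 3 + plen;
}

/* Fixed handler: the claimed length must fit inside the received record;
 * otherwise the request is silently discarded (what the 1.0.1g patch does). */
size_t heartbeat_fixed(size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + MIN_PADDING) return 0;
    uint16_t plen = (uint16_t)((server_mem[1] << 8) | server_mem[2]);
    if (1 + 2 + (size_t)plen + MIN_PADDING > rec_len) return 0;
    out[0] = 2; out[1] = server_mem[1]; out[2] = server_mem[2];
    memcpy(out + 3, server_mem + 3, plen);
    return 3 + plen;
}

/* Did the response carry bytes of the adjacent secret? */
int leaked_secret(const unsigned char *out, size_t n) {
    for (size_t i = 0; i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
```

A request that sends two payload bytes but claims 60 makes the vulnerable handler answer with 63 bytes, including the adjacent secret; the fixed handler returns nothing for that request and answers only the honest one.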
Heartbleed isn't a virus. Heartbleed is a bug that has existed in specific versions of the OpenSSL library for more than two years. It is NOT some new virus or spyware that is "slowing your computer down." Most end users don't need to install any new software or scan their computer for an infection. And don't bother forwarding the inevitable e-mail warning from your mother (which she received from "Microsoft") that foretells doom and gloom because of the "Heartbleed Virus"!
Heartbleed affects up to two-thirds of all Internet websites. Industry analysts estimate that as many as two-thirds of all Internet websites may be running vulnerable versions of OpenSSL. Popular websites that have been affected by Heartbleed include Google, Facebook, Dropbox, and Yahoo Mail.
Understand the 'S' in 'HTTPS'. Although Heartbleed affects much more than just web servers, for end users it's important to know what types of websites may be affected. E-commerce shopping websites, financial institutions, Internet e-mail, and social media — basically any website that requires you to log in with a username and password — are all potentially vulnerable. These websites typically have an address that begins with HTTPS — ironically, the 'S' stands for 'Secure'.
Heartbleed is going to slow things down for a while. Heartbleed is causing a frenzy of activity on the Internet. Service providers are busy updating their servers, revoking and re-issuing security certificates, investigating potential data privacy breaches, and communicating with their customers and patrons. Additionally, millions of users (like you) are diligently changing their passwords on the various sites that they frequent. All of this activity means web browsing is going to be a little slower until the dust settles on Heartbleed.
Your Android's heart bleeds too! Version 4.1.1 of Android Jelly Bean is vulnerable to the Heartbleed bug. This means sensitive data on Android smartphones and tablets may be at risk. Google is releasing a fix, but not all devices are compatible with the fix. Devices that cannot be upgraded beyond 4.1.1 and thus remain vulnerable to the Heartbleed bug, as of this writing, include:
Asus PadFone 2
HTC One S
Huawei Ascend Y300
Sony Xperia E
Mobile apps may also be vulnerable. According to Trend Micro, as many as 6,000 mobile apps — regardless of the mobile operating system (meaning apps available from the App Store, Google Play, and others) — may be affected by Heartbleed. These apps use OpenSSL on the server backends rather than on the mobile device itself, so there's no way for an end user to tell whether a particular app on their device is vulnerable.
How to Protect Your Computer against the Heartbleed Bug
The Heartbleed computer bug is really, really bad! Fortunately, a Heartbleed security breach reveals random bits of data to an attacker in small, 64 kilobyte chunks. That makes it particularly difficult to target a specific individual. Most cybercriminals like to operate in the shadows and would prefer to steal one dollar from ten million unsuspecting individuals, rather than a thousand dollars from a few individuals. Still, you can't afford to be complacent.
Here's what you need to do now to protect yourself.
Stay informed. There are literally millions of websites, corporate systems and applications, and mobile apps that are potentially affected by the Heartbleed bug. Make a list of the different shopping, banking, social media and other "secure" websites that you visit (even infrequently) and track their progress toward patching their website against the Heartbleed vulnerability.
Inevitably, different websites will have their own timelines for patching and will also have different policies on how, or if, they communicate their status to their patrons and the general public.
Update your mobile devices. If you have an Android smartphone or tablet, ensure your device is compatible and update the software as soon as possible after the update is released. Also, install any available updates to your mobile apps.
Change your passwords after the fix is installed. You need to change your passwords as soon as possible. However, don't change passwords on websites or in applications that haven't yet been patched. If you aren't sure about the status of a website or application, don't change your password yet.
You should also change all of your passwords – even for websites and applications that aren't affected by the Heartbleed bug. If an attacker does find one of your passwords on an affected website and decides to target you specifically, it doesn't take much social engineering to find your other "non-affected" website accounts.
If you're like most people, you've probably reused some or all of your passwords on different sites. Your new password needs to be very different from your old passwords. Don't just change a couple of letters or numbers in your passwords – it'll be easy for an attacker to guess what changes you made.
Although different applications and websites have different password requirements, some password best practices include:
Use passwords with 7 or more characters
Use a combination of upper and lower case letters, numbers, and special characters (such as $, #, &, or %)
Don't include personal information in your password such as your spouse's name, your street address, or your birthday
When possible, use a nonsense phrase that you can easily remember
Watch for suspicious activity. Closely monitor your online accounts for any suspicious activity. Check your Internet e-mail "Sent Items" for possible spam being sent from your account, watch for unknown transactions in your bank or credit card accounts (even very small amounts – remember, a cybercriminal is more likely to steal small amounts to go unnoticed for as long as possible).
You should also monitor your credit report to ensure no one is opening new accounts in your name, and consider using an identity theft protection service.
Look out for scams and copycats. There inevitably will be scam artists and copycats looking to make some money from the Heartbleed bug. Look out for television commercials and online ads that offer to scan your computer for the vulnerability and "protect" you.
Spam and phishing e-mails are also likely to be more convincing if they appear to be coming from legitimate financial institutions that you do online business with. If you're in doubt about an e-mail communication you receive, contact your financial institution directly via phone or in person.