How to Protect Your Computer against the Heartbleed Bug
Part of the Heartbleed For Dummies Cheat Sheet
The Heartbleed computer bug is really, really bad! Fortunately, a Heartbleed security breach reveals random bits of data to an attacker in small, 64-kilobyte chunks. That makes it particularly difficult to target a specific individual. Most cybercriminals like to operate in the shadows and would prefer to steal one dollar from ten million unsuspecting individuals, rather than a thousand dollars from a few individuals. Still, you can't afford to be complacent.
Here's what you need to do now to protect yourself.
Stay informed. There are literally millions of websites, corporate systems and applications, and mobile apps that are potentially affected by the Heartbleed bug. Make a list of the different shopping, banking, social media and other "secure" websites that you visit (even infrequently) and track their progress toward patching their website against the Heartbleed vulnerability.
Inevitably, different websites will have their own timelines for patching and will also have different policies on how, or if, they communicate their status to their patrons and the general public.
Update your mobile devices. If you have an Android smartphone or tablet, confirm that your device is compatible with the software update and install it as soon as possible after it is released. Also, install any available updates to your mobile apps.
Change your passwords after the fix is installed. You need to change your passwords as soon as possible. However, don't change passwords on websites or in applications that haven't yet been patched. If you aren't sure about the status of a website or application, don't change your password yet.
You should also change all of your passwords – even for websites and applications that aren't affected by the Heartbleed bug. If an attacker does find one of your passwords on an affected website and decides to target you specifically, it doesn't take much social engineering to find your other "non-affected" website accounts.
If you're like most people, you've probably reused some or all of your passwords on different sites. Your new password needs to be very different from your old passwords. Don't just change a couple of letters or numbers in your passwords – it'll be easy for an attacker to guess what changes you made.
Although different applications and websites have different password requirements, some password best practices include:
Use passwords with 7 or more characters
Use a combination of upper and lower case letters, numbers, and special characters (such as $, #, &, or %)
Don't include personal information in your password such as your spouse's name, your street address, or your birthday
When possible, use a nonsense phrase that you can easily remember
Watch for suspicious activity. Closely monitor your online accounts for any suspicious activity. Check your Internet e-mail "Sent Items" folder for possible spam being sent from your account, and watch for unknown transactions in your bank or credit card accounts (even very small amounts – remember, a cybercriminal is more likely to steal small amounts to go unnoticed for as long as possible).
You should also monitor your credit report to ensure no one is opening new accounts in your name, and consider using an identity theft protection service.
Look out for scams and copycats. There inevitably will be scam artists and copycats looking to make some money from the Heartbleed bug. Look out for television commercials and online ads that offer to scan your computer for the vulnerability and "protect" you.
Spam and phishing e-mails are also likely to be more convincing if they appear to be coming from legitimate financial institutions that you do online business with. If you're in doubt about an e-mail communication you receive, contact your financial institution directly via phone or in person.