Does your Heartbleed – what is it and should you be worried?

Heartbleed security flawEarlier this week the discovery of a major security flaw was announced and it may have exposed your personal data to hackers. The bug has been given the name Heartbleed and one security expert, Bruce Schneier, described it on a scale of 1-10 as an 11!

So, what is the Heartbleed?

Heartbleed is the name given to a flaw in a piece of software called OpenSSL and OpenSSL was designed to encrypt data between your computer and a secure website, so whenever you logged in to a web site that started HTTPS and displayed the golden padlock your browser could be interacting with OpenSSL.

OpenSSL is one of the most widely used encryption tools and it’s thought that about half a million sites have been affected, including Facebook, Gmail, YouTube, Yahoo and DropBox

All of the above, and many others, have been patched which means that the security flaw has been eliminated.

What to do?

A lot of people are recommending that you change your password for all your sites. However, that may not solve the problem, imagine changing a password for a site that has yet to be patched. You’ll feel secure but the site would still be vulnerable to hackers and even your changed password could be stolen.

Ideally, each website should either notify their subscribers whether they are at risk or post a message on their home page but some may not. Where you are unsure you should contact the company concerned directly and ask them whether they use OpenSSL and whether the vulnerability has been fixed.

If they don’t publish this information or answer your questions then password security vault provider, LastPass have made a Heartbleed checker available.

All you have to do is go to https://lastpass.com/heartbleed and enter the web address for any site you want to check out.

If you feel the need to change your password, please don’t use the world’s favourite “123456”, use something more complicated and harder to guess. There’s a simple solution on an earlier blog post about passwords, 123456 is not an exercise in counting.

If you are concerned about the overall security of your business IT then I can help, from a security strategy review, to advice on protection from viruses, or firewalls, or any other security-related issues just send me an email andy@enterprise-oms.co.uk or give me a call on 01793 238020.