I feel the Heartbleed under my feet…
I feel the Sky tum-b-ling down, tum-b-ling down!
OK maybe not the exact words. But it’s true, with all the talk about Heartbleeds, it certainly might seem like the world is falling around your feet.
It’s times like these when things can become a little too overwhelming in the techy world, but it is also times like these when I am grateful to have lots of great friends with technical know-how.
In particular, my longtime online friend Kimberly Castleberry of Just Ask Kim always comes to the rescue in times such as these.
What is Heartbleed, Beth?
Heartbleed is the name given to a vulnerability in a piece of security software used by almost every secure website, including those of banks, shops, email providers and a whole raft of online service providers. You might be familiar with the little padlock symbol in the top left-hand corner of the web browser that denotes that there is a secure connection.
The lovely Kim has broken all the hard bits down and made the whole Heartbleed thing seem much simpler. These are mostly all Kim’s words, so to thank her you might also want to join her community here.
1) Sites that appeared to be using HTTPS to properly protect your passwords were potentially not very protected.
2) Every site affected – which is most but not all of them on the web that use SSL (HTTPS) – will have to update their server certificate and then YOU will need to change your password.
3) If you rushed and changed all your passwords, you’re likely going to be changing some of them again once the servers are patched. Updating before sites are patched can actually give the bad guys your new password info.
4) There are a lot of small sites, such as optimizepress.com, that are affected, that the media will never list. You’re going to need to use your LastPass security scanner to find these.
5) You must follow what is going on and you must update sites once they patch their security certificate.
6) Be wary of mandatory password reset emails that contain links, as hackers are now sending out fake ones. If you get one, go type the URL in the address bar manually to avoid giving your credentials to the bad guys (or GALs).
7) If you use an SSL certificate on your website (for https) be sure to contact your hosting company for further information about your site.
8) If a website does not patch, it will continue to be attacked until all of the user data and passwords are known. This may include your data. So keep an eye on who has NOT patched in addition to who has.
9) This does NOT mean that your passwords have already been compromised – but it does mean that it is quite possible. And it’s more likely the more sites you used the same password on if you were lazy and did not use a unique password per site. (Use LastPass to make secure passwords easier.)
10) LastPass does not install anything on your computer. It’s not a keylogger. It does not steal data from your computer. It does not steal data from any site other than the vulnerable one.
I can vouch for Kimberly and LastPass. I have used it for years now and it’s invaluable. Especially at times like these. Please check out this list by Mashable showing all the major websites where you should start to update your passwords.
If you want to discuss this in more detail or if you just want some support, please come join the discussion with Kim herself here and tell her I sent you.
Remember, it’s really important not to update your passwords on sites that are still vulnerable. This will defeat the purpose. Check to see which sites are ready and updated for you to start changing your passwords.