Heartbleed Bug: Should you be panicking? Maybe
The term ‘Heartbleed Bug’ is generating panic across the Internet today, and reasonably so, because many websites have been affected by it… websites you’re probably using every day.
The threat of Heartbleed Bug is that it compromises web security, potentially leaking your vital username and password combinations for anyone to see and use against you.
How do you protect your website or your online activities from the attack? Here’s all you need to know.
What is the Heartbleed Bug?
The Heartbleed Bug (official reference no. CVE-2014-0160) is a serious vulnerability, an implementation flaw, in the OpenSSL software library, which websites use to provide secure (cryptographic) communications. The bug was found by Finnish security firm Codenomicon and Google Security last week and announced to the public on Monday.
OpenSSL is currently being used by banks, email and instant message providers, e-retailers and virtual private networks (VPNs). Websites that start with ‘https’ are just some of those that use this library.
Under normal conditions, OpenSSL protects information shared with websites that use it. But with the bug, anyone with Internet access can read and use secure information indiscriminately. This means that attackers can easily ‘eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.’
Am I affected by the bug?
Most probably, yes. Many websites use the OpenSSL library, including those you use every day like Facebook, Google and Gmail, Yahoo! and Yahoo Mail, Tumblr and more. Company websites, hobby sites and even government websites using the library are also vulnerable to the attack.
The extent of the attack is unclear, but around 2/3 of websites use OpenSSL. Net monitoring company Netcraft projected that around 500,000 servers have been compromised by the bug.
Sites that use OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable to the bug. The Heartbleed Bug was introduced into this OpenSSL version in 2011. More recent versions are not vulnerable, and sites that have installed OpenSSL 1.0.1g, released this Monday, have the fix.
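For administrators, the version range above can be checked mechanically. The following Python code is an added example, not taken from this article or from the OpenSSL project: it classifies `openssl version` banners against the 1.0.1 through 1.0.1f range. The host names and banners in the sample inventory are constructed.

```python
import re

# Affected range as stated in the article: OpenSSL 1.0.1 through 1.0.1f
# (inclusive); 1.0.1g carries the fix.
# Caveat: vendors may backport the fix without changing the banner, so an
# "affected-range" result should be confirmed against the vendor's advisory.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}

def heartbleed_status(banner):
    """Classify an `openssl version` banner against the affected range."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    if tuple(int(m.group(i)) for i in (1, 2, 3)) != (1, 0, 1):
        return "outside-range"  # e.g. the 0.9.8 and 1.0.0 branches
    # Plain 1.0.1 and patch letters a..f are affected; g and later are fixed.
    return "affected-range" if m.group(4) in AFFECTED_LETTERS else "outside-range"

# Constructed sample inventory ("<host> <banner>"), not real systems.
SAMPLE_INVENTORY = """\
web01 OpenSSL 1.0.1e
web02 OpenSSL 1.0.1g
web03 OpenSSL 1.0.1e-fips
mail01 OpenSSL 0.9.8y
vpn01 OpenSSL 1.0.1
db01 OpenSSL 1.0.0l
legacy01 (no banner collected)
"""

def triage(inventory):
    """Map each host to its status so affected and unknown hosts get follow-up."""
    report = {}
    for line in inventory.splitlines():
        host, _, banner = line.partition(" ")
        report[host] = heartbleed_status(banner)
    return report

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check rather than being assumed safe.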
How can I protect my information?
Many websites have announced that they have already fixed the problem. However, since your username and password might have been compromised, you need to change your password. Since you are going to change your password anyway, you may as well use the following guidelines to create a strong password that will be difficult to crack.
· Use a password that is the longest the website allows
· Do not use common words (your niece’s name, your address, etc.)
· Use passphrases instead of passwords (‘wait for me at home’ written as ‘w84me@home’)
· Use a combination of letters, numbers and symbols (w84me@home4112014)
· You can also mix English and Tagalog or any other foreign languages you know.
Before changing your password, check whether the website has already updated its OpenSSL version or fixed the bug. Changing your password before the website has updated its software would mean giving your new password to a website that is still vulnerable, rendering the change useless.
Is FFE Magazine safe to use?
FFE Magazine is not using the SSL protocol and is not covered by the OpenSSL software library. This means that browsing FFE Magazine is safe.