Monday, April 21, 2014

The Heartbleed wrap up

Lots of useful resources have been published in the wake of the exposure on April 7th of the "Heartbleed" bug.
Here's my pick of the best articles and resources available online - whether you need help, or you just want to know more.

What you need to do now (if you haven't already)


Check this list of popular sites to see if any you use were affected. If they were, it's important to change your password as soon as possible, as it could have already been stolen by attackers.
If you run a website then you need to check whether your site is vulnerable, and if it is, then there are actions you need to take to safeguard your customers and your data.
Test whether your site is vulnerable using this tool:
https://filippo.io/Heartbleed/
The official Heartbleed website has information about what to do next if your site is vulnerable.

Understanding the problem
The problem is complex and not easy to understand. Lots of sites did a write-up of the issue to explain it, but some were more successful at this job than others.
I particularly like The Economist’s article entitled Digital Heart Attack, and this cartoon in the xkcd series explains how an attacker can exploit the bug in a very visual way.

Protecting your passwords going forward
Two unfortunate facts of modern life are that there are always going to be security issues and that passwords are going to get lost or stolen. The best single change you can make to protect yourself is to use two-factor authentication, which means that to log in to the site you have to enter another piece of information as well as your password. It requires both "something you know" (like a password) and "something you have" (like your phone). It means that even if someone steals your password (the "something you know"), they still can’t log in to your account unless they also have the "something you have".
This video on YouTube, created by Google, does a really good job of explaining it and how to use it to protect your Google account.
This recent blog post by the Wall Street Journal explains how to enable it on 11 major web services including Google, Twitter, Facebook and Apple.


Full list of links referenced
The Heartbleed Hit List: The Passwords You Need to Change Right Now
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/


Heartbleed explanation by xkcd
http://xkcd.com/1354/

Official Heartbleed site

YouTube video on two-factor authentication
https://www.youtube.com/watch?v=zMabEyrtPRg



(This post was adapted from one I wrote for our internal company intranet site.)