Lots of useful resources have been published in the wake of the exposure on
April 7th of the "Heartbleed" bug.
Here's my pick of the best articles and resources available online - whether you need help, or you just want to know more.
What you need to do now (if you haven't already)
Check this list of popular sites to see if any you use were affected. If they were, it's important to change your password as soon as possible, as it could have already been stolen by attackers.
If you run a website then you need to check whether
your site is vulnerable, and if it is, then there are actions you need to take
to safeguard your customers and your data.
Test whether your site is vulnerable using this tool https://filippo.io/Heartbleed/
The official Heartbleed website has information about what to do next if your site is vulnerable.
Understanding the problem
The problem is complex and not easy to understand. Lots of
sites published write-ups explaining the issue, but some were more successful
at this job than others.
I particularly like The Economist's article entitled Digital
Heart Attack, and this cartoon in the
xkcd series explains how an attacker can exploit the bug in a very visual
way.
Protecting your passwords going forward
Two unfortunate facts of modern life are that there are
always going to be security issues and that passwords are going to get lost or
stolen. The best single change you can make to protect yourself is to use
two-factor authentication, which means that to log in to the site you have to
enter another piece of information as well as your password. It requires both
"something you know" (like a password) and "something you
have" (like your phone). It means that even if someone steals your
password (the "something you know"), they still can't log in to your account
unless they also have the "something you have".
This video on YouTube, created by Google, does a really good job of explaining it
and how to use it to protect your Google account.
This recent blog
post by the Wall Street Journal explains how to enable it on 11 major web
services including Google, Twitter, Facebook
and Apple.
Full list of links referenced
The Heartbleed Hit List: The Passwords You Need to Change Right Now http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/#:eyJzIjoiZiIsImkiOiJfYzZleDAwZGhtZGltaTl1ZyJ9
The Economist: Digital heart attack (April 12th 2014) http://www.economist.com/news/business/21600691-flaw-popular-internet-security-software-could-have-serious-consequences-all-sorts
Heartbleed explanation by xkcd http://xkcd.com/1354/
Official heartbleed site
YouTube video on two-factor authentication https://www.youtube.com/watch?v=zMabEyrtPRg
Safety First! How to Sign Up for Two-Step Verification on 11 Top Online Services http://blogs.wsj.com/personal-technology/2014/04/11/safety-first-how-to-sign-up-for-two-step-verification-on-11-top-online-services/
(This post was adapted from one I wrote for our internal company intranet site.)