This post was contributed by a community member. The views expressed here are the author's own.

Health & Fitness

Here's What to Do About "Heartbleed" Bug

The flaw, discovered on April 7 but apparently in existence for two years, means that attackers can copy a server's digital keys and use them to impersonate servers to decode communications from the past and, potentially, the future.

Unless you’ve been vacationing on a tropical island for the past few days, you’ve likely heard of the “Heartbleed” bug, a computer security vulnerability that can reveal the contents of a server’s memory and expose private data such as user names, passwords and even credit card information.

The Heartbleed bug exploits a flaw in the Secure Sockets Layer (SSL) of popular open source software called OpenSSL.  SSL is the standard security technology that establishes an encrypted link between a user’s web browser and the server where a website is hosted.  It is used to secure numerous kinds of data transfers, including email, instant messaging, social media, and business transactions.  Encryption is essential to Internet security.

The flaw, discovered on April 7 but apparently in existence for two years, means that attackers can copy a server’s digital keys and use them to impersonate servers to decode communications from the past (and, potentially, the future).

For businesses:
BBB recommends that businesses immediately check to see if their website(s) use Open SSL or have been vulnerable.  One way to check, recommended by tech/media website CNET, is a tool developed by a cryptography consultant.  If vulnerability exists, businesses should work with their IT department or computer professional to install a more secure SSL on their websites.

For systems administrators:
Systems administrators should follow the advice of US-CERT, the Computer Emergency Response Team.  Although this information comes from the U.S. government, it is applicable to systems in other countries.

For consumers:
CNET has also published a list of the top 100 websites, which it is updating regularly as it checks for vulnerabilities and repairs.  Consumers can check this list or use the tool mentioned above to see if websites they regularly use are free of problems, or have fixed vulnerabilities.

It’s also imperative that consumers change passwords on all sites, particularly those that retain personal identifying information.  Change your password after confirming that the site is not vulnerable or has fixed its SSL.

The “Stop. Think. Connect.” campaign offers the following suggestions to protect your identity:

Secure your accounts:  Ask for protection beyond passwords.  Many account providers now offer additional ways for you verify who you are before you conduct business on that site.

Make passwords long and strong:  Combine capital and lowercase letters with numbers and symbols to create a more secure password.

Find out what's happening in Hamdenwith free, real-time updates from Patch.

Unique account, unique password:  Separate passwords for every account helps to thwart cybercriminals.

Write it down and keep it safe:  Everyone can forget a password.  Keep a list that’s stored in a safe, secure place away from your computer.

Find out what's happening in Hamdenwith free, real-time updates from Patch.

Own your online presence:  When available, set the privacy and security settings on websites to your comfort level for information sharing.  It’s ok to limit how and with whom you share information.

BBB also suggests choosing passwords that are phrases (for instance, ilovetofish) and making each letter "O" into a zero to make the password more complex. Look into password management software to help you keep track of really “long and strong” passwords.

BBB’s servers do not use Open Source SSL.  All of its websites have been checked and found to be free of vulnerabilities.

-By Howard Schwartz, Executive Communications Director, Connecticut Better Business Bureau 

Do you like Connecticut Better Business Bureau posts?   If you don't want to miss any of our helpful posts, you can subscribe to our blog by clicking this link and then click "Get email updates," and our posts will arrive in your email. 

We’ve removed the ability to reply as we work to make improvements. Learn more here

The views expressed in this post are the author's own. Want to post on Patch?