Heartbleed: An historic attack

What does Heartbleed mean for you, and what can you do?

Heartbleed - the name of the latest internet threat - may sound like something out of a horror film, but given our reliance on the web today and the extent of the bug's impacts, that may not be so far off. Security experts have classified it among the worst bugs of the past decade. Some are classifying it as an 11/10, and they are saying it could be years until confidence is fully restored. The threat essentially amounts to a weakness in OpenSSL (a library of cryptographic tools most often used to protect passwords and personal data in transit from your computer to a server).

Have you ever noticed the little lock icon next to the internet address in your web browser? That icon signifies a secure connection, and generally speaking we all trusted it. But on April 7, security experts announced that for the past 2 years some hackers have been able to steal the data supposedly protected by that lock. Those same experts are calling the situation catastrophic.

The question everyone is asking, therefore, is "How can I protect myself?"

How can you protect yourself?

Unfortunately, most internet users are little more than spectators, relegated to watching what happens around us. There's not much we can do when it comes to such a widespread bug, other than wait for the sites we connect to every day to implement fixes and patch the Heartbleed weakness. Once a fix is in place, users would be well-advised to change their passwords as soon as possible (of course, choosing a strong password, ideally with both upper-case and lower-case letters as well as numbers). It's important to understand, though, that changing your password won't help at all if that site hasn't implemented a new security measure and is still vulnerable to Heartbleed.

The outstanding question, then, is which sites have been affected, and which have been fixed. The answer is that most sites, including Facebook, Twitter, Google, and Yahoo, were affected. Since last week, most of them have put patches in place to protect against Heartbleed, hoping that the measures were not too late. Here's a link to a tool that will let you test the vulnerability of a site by entering its URL.

Don't forget that the small sites will take longer to find and implement fixes, so before opening any new accounts or sharing any information online, make sure that the site you're logging on to has been patched.

Next steps

Still to come: We're preparing an article on password managers, like LastPass and 1Password. These are powerful new tools that help users increase their personal security by strengthening passwords and locking down other aspects of their information. Expect it by the end of the week.

Heartbleed and your taxes

One last thing: Last week, the Canadian Revenue Agency shut down all online services as a precaution against the bug. They confirmed this weekend that security measures were put in place on Sunday, and that all online filing and other services are now once again available. On top of that, because of last week's service interruption, they've announced an extension on filing, and that reports filed after the April 30 deadline will not be penalized.
