By David Gracey
There has been a lot of news coverage recently on the latest bug discovered in the cyber world. We know it’s big if such a security hole is discussed on mainstream local and national news. Based on the amount of coverage recently, chances are very high that you’ve heard of the HeartBleed bug. Most of the stories I have seen are full of technical jargon, so this is an attempt to explain the issue in plain English and describe the steps (if any) that you should be taking to protect yourself.
For the most part, unless you have a law firm, medical practice, financial group – or any type of company – that runs a website which requires your customers to log in or performs financial transactions over the web, there are just a few simple steps you need to take to keep safe. If you ARE a company with a website, I’ve got a great IT company who can help you out.
What is it? HeartBleed is not a virus or spyware that infects your computer. Instead, it is the name of a bug in the computer code that runs many websites. A great way I heard it described was if you had spelled the word “Mississippi” incorrectly and the misspelling made it through peer review. It was an honest mistake by the programmer and was not intended to be malicious. In fact, the company that writes this piece of code is a non-profit and is “open sourced,” meaning anyone can see and review the source code. It was because of this open nature of the code that the bug was detected. A patch has been released, but rolling out the fix is not quite so simple. Every copy of this software code must be patched and, depending on the company, that can take some time.
How does it work? Most computer interactions, including email, are done without any type of encryption, that is, without electronically securing the communication. So browsing the web, making a phone call over the Internet or sending emails all use regular, non-encrypted communication. But important stuff, like logging into a bank website or placing an online order with a credit card, requires a secure connection between your computer and the website. With this bug in place, it is possible for a bad guy to “listen” to the supposedly secure electronic conversation and he (bad nerds are almost all male) can steal the information.
Change Passwords (maybe). There are a few companies who have come forward and have applied the fixes to their websites. If you have an account with one of the following companies, it is important that you immediately change your password:
- Google, YouTube and Gmail
- Yahoo, Yahoo Mail, Tumblr, Flickr
These websites are unaffected and there is no need to change your password for them:
- Apple, iCloud, iTunes
- AOL / Mapquest
- Bank of America
- Capital One bank
- Charles Schwab
- Chase bank
- Healthcare.gov (if you believe them)
- HSBC bank
- Microsoft, Hotmail, Outlook
- PNC bank
- TD Ameritrade
- U.S. Bank
- Wells Fargo
Make sure your computer is updated. As always, make sure your computer is updated with the latest software patches from Microsoft and that you have good (and current) anti-virus software. See our prior blog for updating your software: Apply Updates.
For the latest information on the bug, click here.