Tech-Friendly: What you need to know about the Heartbleed security threat

April 16, 2014

Paul Gorski


By Paul Gorski

The Internet has been flooded with news, dire stories and misleading articles about a recently discovered defect in server security software, the defect otherwise known as “Heartbleed.”

The Heartbleed bug is a defect in OpenSSL security software, software that is supposed to secure your connections with your bank, credit card company and online stores. The potential threat comes from the fact that this defect could allow hackers to steal small chunks of data from those secure connections, possibly capturing your passwords and financial data.

First, the Heartbleed bug is not a virus or malware on your computer, tablet or smartphone. Your anti-virus software will not catch it or protect you against it.

Second, the Heartbleed bug is a defect in security software installed on some web servers. Not all web servers are affected by this bug. Contact your bank, credit card company, and the stores you shop at online to see if their web servers are affected by the Heartbleed bug. If the answer is “yes,” ask them when the problem will be resolved. Do not use those services until the problem is resolved.

Third, the Heartbleed bug only affects websites (or mobile apps) where you enter passwords, financial data and personal data. Just browsing The Rock River Times is not a threat or problem. (We encourage you to browse rockrivertimes.com!)

Fourth, contrary to misleading articles on the Internet, Mac users are not immune to this bug, as the bug affects the server computers you connect to, not your personal computer. Windows, Macintosh and Linux computer users, and tablet and smartphone users, could have had their information captured or compromised through an affected server.

That said, there’s not much you can do other than contacting your bank, credit card company and your online stores to ask them about the Heartbleed bug. Once they have told you their websites are either fixed or unaffected, I urge you to change your passwords for those sites. I have written previously about creating strong passwords, and I will offer much of the same advice here.

You should keep different passwords for your different accounts, Wi-Fi, e-mail, banking and more, and you should change all of your passwords at least twice per year. You should also avoid sending passwords and sensitive account information in e-mails.

Passwords should not be words found in the dictionary, pet names or proper names. Passwords should be at least eight characters in length, the longer the better — go for 14 characters, if you can. “Strong” passwords include numbers, special characters and a combination of upper- and lower-case characters.

Microsoft, in uncharacteristic fashion, has a good article about creating relatively strong passwords at http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password.

A recent trend has been to use passphrases, or combinations of words, to create more secure passwords. However, passphrases are not always as effective as long, random passwords meeting the mix of characters noted above. When the passphrase fad started, people were creating sentences, like “iwalkmydog.” That is still too easy to hack.

Passphrases created with random associations of words are better; example: “jumpratbluealcatraz!” Unfortunately, some online sites will force you to use the more traditional strong password model described earlier. That is fine; just remember to use different passwords for your different accounts.
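As an added illustration that is not part of the column, the short Python script below checks a password against the rules above and estimates the brute-force search space for the two models the column contrasts: a random character string versus a passphrase built from a word list. The 14-character sample password and the 7,776-word list size are assumptions.

```python
import math
import string

# Character-class sizes for the search-space estimate. Assumed attacker model:
# try every string of the same length drawn from the classes present.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}

def check_column_rules(password: str) -> dict:
    """Apply the column's traditional strong-password rules to one password."""
    chars = set(password)
    result = {name: bool(chars & members) for name, (members, _) in CLASS_SIZES.items()}
    result["length_ok"] = len(password) >= 8            # minimum from the column
    result["length_recommended"] = len(password) >= 14  # "go for 14 characters"
    result["passes"] = all(result[k] for k in ("lower", "upper", "digit", "special", "length_ok"))
    return result

def char_space_bits(password: str) -> float:
    """Bits of search space if an attacker guesses character by character.
    This overstates word-based passphrases, which attackers guess word by word."""
    pool = sum(size for members, size in CLASS_SIZES.values() if set(password) & members)
    return len(password) * math.log2(pool)

def word_space_bits(num_words: int, dictionary_size: int) -> float:
    """Bits of search space for num_words words chosen at random from a list."""
    return num_words * math.log2(dictionary_size)

if __name__ == "__main__":
    samples = {
        "iwalkmydog": "sentence-style passphrase from the column",
        "jumpratbluealcatraz!": "random-word passphrase from the column",
        "Tq7#mX2!pL9@vB": "constructed 14-character mixed password (assumed)",
    }
    for pw, note in samples.items():
        r = check_column_rules(pw)
        print(f"{pw:22} {note}\n   passes traditional rules: {r['passes']}, "
              f"character-level estimate ~{char_space_bits(pw):.1f} bits")
    # A four-word phrase guessed from a 7,776-word list (assumed list size):
    print(f"4 random words from a 7776-word list: ~{word_space_bits(4, 7776):.1f} bits")
```

The word-level figure (about 52 bits for four random words) sits well below the 14-character mixed password (about 92 bits), which is the column's point about passphrases.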

I strongly recommend disabling “storing” or “keeping” passwords in your browser. Not storing the password will force you to remember it, and hopefully remind you to change it periodically. In addition, when the password is stored, anyone using your computer login will have access to your accounts, as you have probably stored a link to your account in addition to storing the password.

Again, as a rule, change your passwords regularly. With regards to the Heartbleed bug, change your password only after you have received word from your bank, store or credit card company that their service is now fixed or was not affected. Changing your password before your financial service has updated its servers might expose your password to hackers.

I hope that by the time you read this article most reputable companies will have patched their security software and fixed this bug.

Paul Gorski (www.paulgorski.com) has been a technology manager for nearly 20 years, specializing in workflow solutions for printing, publishing and advertising computer users. Originally destined to be a chemist, his interest in computers began in college when he wrote a program to analyze data from lab instruments he hard-wired to the back of an Apple IIe.
