Recently, the news has been full of the Heartbleed vulnerability that’s been identified. Across the board, companies and consumers are trying to find out what they can do to make sure they are secure. I’m going to take a step back and take a look at what Heartbleed is and what we can do to protect ourselves from it.
The Heartbleed risk affects some websites that use a piece of software called OpenSSL to encrypt the private data that users exchange with them. You know this encryption is in place when you can see the padlock sign in the web address bar and/or the web address starts with ‘https’ (on the upper left hand of your screen). It’s worth noting there are different versions of SSL so not all websites displaying the padlock are affected. The websites implement these measures to help keep us safe and so that an attacker cannot see the information we exchange with the website.
To make these websites usable, OpenSSL adopts something called ‘heartbeats’ that allow you to stay on the website without continually having to re-establish the connection. The risk lies in these heartbeats: it potentially leaves the door open for a cybercriminal to step in and steal user data like log-in details, passwords and financial data from the website’s server. The technology community has dubbed this vulnerability “Heartbleed”.
According to Netcraft, approximately 17.5% of internet servers run OpenSSL software, so this has the potential to be quite a serious problem. However, it is certain that any reputable organization that has public web servers using SSL is already auditing and addressing any potential issues.
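An added example, not from the original article or from OpenSSL: the heartbeat risk described above comes down to a length that the sender states about its own message, and RFC 6520 tells the receiver to discard a heartbeat whose stated payload length is too large. The C code below performs that check on an already-decrypted heartbeat message; `hb_validate`, the verdict names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_REQUEST  1   /* RFC 6520 heartbeat_request */
#define HB_RESPONSE 2   /* RFC 6520 heartbeat_response */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* RFC 6520: at least 16 bytes of padding */

enum hb_verdict { HB_OK, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* hb_validate is a hypothetical helper, not an OpenSSL function.
 * msg points at one decrypted heartbeat message of msg_len bytes. The
 * length the sender claims is compared with the bytes that actually
 * arrived before the payload is handed to the caller. */
enum hb_verdict hb_validate(const uint8_t *msg, size_t msg_len,
                            const uint8_t **payload, size_t *payload_len)
{
    if (msg == NULL || msg_len < HB_HEADER + HB_MIN_PAD)
        return HB_TOO_SHORT;
    if (msg[0] != HB_REQUEST && msg[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* Header + claimed payload + minimum padding must fit in msg_len. */
    if (claimed > msg_len - HB_HEADER - HB_MIN_PAD)
        return HB_LENGTH_MISMATCH;  /* discard silently, send no reply */
    *payload = msg + HB_HEADER;
    *payload_len = claimed;
    return HB_OK;
}

/* Constructed samples; unlisted trailing bytes are zero padding. */
static const uint8_t hb_good[HB_HEADER + 4 + HB_MIN_PAD] =
    { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_overclaim[HB_HEADER + 4 + HB_MIN_PAD] =
    { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };

int main(void)
{
    const uint8_t *p = NULL;
    size_t n = 0;
    printf("good: %d\n", hb_validate(hb_good, sizeof hb_good, &p, &n));
    printf("overclaim: %d\n",
           hb_validate(hb_overclaim, sizeof hb_overclaim, &p, &n));
    return 0;
}
```

A receiver that gets `HB_LENGTH_MISMATCH` drops the message without replying, so only bytes the sender actually supplied are ever echoed back.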
Steps you can take
We can reassure our customers that, as a priority, we have taken the precaution of auditing our own web servers. But what about other websites? We would strongly recommend you change your passwords on the websites and on any web-accessible services, such as online banking, that you use. That said, you should only change your password if the site has already been patched. There are a few other simple steps that you can also take to ensure that you are protected online against all threats.
AVG Web TuneUp
To help our customers, we have integrated a Heartbleed scanner into AVG Web TuneUp. This will alert PC users if the site they are visiting is potentially still affected by this security risk. To get more information and to download AVG Web TuneUp, click here.
Use a passphrase:
We’ve all seen the lists of most common and easily cracked passwords like “123abc” or even “password”. The most important factor when it comes to password security is length. The longer and more mixed the better. That’s why we recommend having a passphrase instead of a word. It could be a line from your favorite film or song or just something personal such as:
The rule of thumb is that your passwords should include a capital letter, a number and a special character, and most importantly, that you can remember them.
Different details for different sites
Ideally, try to have different login details and passwords for every website on which you have an account. That way, any single breach of security on a single site does not compromise your identity on every site that you access.
Have up-to-date security software
Many of us allow our security software to lapse when a subscription is due for renewal, or we just put off updating our free products to the latest version. Don’t put this task off to another day – updating and being up-to-date means that we have the latest defense mechanisms active and working to protect us from most cybercriminals.
At www.avg.com, you can choose from our range of free and subscription protection products. Our AVG Zen app also helps you manage the security status of all your devices all from one place. We have over 177 million people actively using our products to protect them online today.
Think twice about signing up for any web service that asks you to create an account. Ask yourself: Do I need it and will I use it often? If in doubt, don’t register and limit the number of websites that hold your information.
Two step authentication:
Several popular websites have now enabled two-factor authentication. This simply means they require a special code generated by a device or an app which confirms you as the owner of the account. They have been around for a while in the online banking world but they are now available for services like Gmail and Dropbox.
Since Heartbleed was discovered, websites have been working hard to make sure they and their customers have not been affected and to address any compromises. We would urge consumers to follow these basic steps to help stay safe online.
If you are unsure if the sites you visit have been affected, we suggest you install AVG Web TuneUp to give you peace of mind. In the video below, you can watch me discuss more about the Heartbleed vulnerability.
April 18, 2014