Normally security is not an issue for those logging into a site or entering payment information, because most consumers know to look for the little padlock and https:// on the sites where they give out personal information. What do that padlock and https:// mean? When you visit a secure site you will see a lock next to the URL; it means that your communications with the site are encrypted.
When a website wants to let you know that it is reliable and trustworthy, it uses SSL (Secure Sockets Layer). When a browser connects to a website using SSL, the data transferred between the browser and the server is encrypted, so all an attacker sees is data that looks like gibberish. Attackers have now found a way around that encryption, and the result has been mass panic.
OpenSSL software is built into Apache. Apache is an HTTP server that is used by approximately two-thirds of the world’s websites. Most SSL-encrypted sites are based on this open-source software package.
This Heartbleed bug was added to the OpenSSL software accidentally. Accident? I will wait until all the facts are out before I decide if I believe that. A security engineer at Google Inc. and researchers at the Finnish security company Codenomicon discovered the bug. Essentially, this bug allows access to the memory of the server. Once the memory is accessed, our usernames, passwords and credit card information are compromised.
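As an added illustration that is not part of this post, here is a simplified model in C of why the bug hands over server memory: the heartbeat handler believed the length field inside the incoming message instead of checking it against the size of the message that actually arrived, and the fix is that single check. The message layout follows RFC 6520; the memory array, the "ping" payload and the secret string are constructed stand-ins, not real data.

```c
#include <stdint.h>
#include <string.h>
/* Simplified heartbeat record (RFC 6520): 1-byte type, 2-byte claimed payload
 * length (big-endian), the payload, then at least 16 bytes of padding. */
#define PADDING 16

/* Constructed stand-in for server process memory: the received record sits at the
 * front, a fake credential right behind it; inputs stay small so nothing reads past it. */
static unsigned char server_memory[64];
static const char secret[] = "pass:hunter2";               /* constructed value */

/* Write a request claiming claimed_len bytes but carrying only payload_len (a few
 * bytes); returns the length of the record actually received. */
size_t setup_memory(uint16_t claimed_len, const char *payload, size_t payload_len)
{
    size_t record_len = 3 + payload_len + PADDING;
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = 1;                                  /* heartbeat_request */
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_memory + 3, payload, payload_len);
    memcpy(server_memory + record_len, secret, sizeof secret);
    return record_len;
}

/* Build the reply into out (sizeof server_memory bytes). Without the fix the server
 * copies as many bytes as the sender claimed, never checking record_len, so the reply
 * carries whatever lies behind the record. The fix is the single bounds check:
 * header + claimed payload + minimum padding must fit inside the record that arrived. */
size_t heartbeat_reply(size_t record_len, unsigned char *out, int with_fix)
{
    size_t claimed = (size_t)(server_memory[1] << 8 | server_memory[2]);
    if (with_fix && 1 + 2 + claimed + PADDING > record_len) return 0;
    if (claimed > sizeof server_memory - 3)                /* model bound only, */
        claimed = sizeof server_memory - 3;                /* not part of the fix */
    memcpy(out, server_memory + 3, claimed);
    return claimed;
}

/* Send a 4-byte "ping" claiming claimed_len bytes; 1 if the reply exposed the secret. */
int leaks_secret(uint16_t claimed_len, int with_fix)
{
    unsigned char out[sizeof server_memory];
    size_t rec = setup_memory(claimed_len, "ping", 4);
    size_t n = heartbeat_reply(rec, out, with_fix);
    for (size_t i = 0; i + strlen(secret) <= n; i++)
        if (memcmp(out + i, secret, strlen(secret)) == 0) return 1;
    return 0;
}
```

A request that claims 40 bytes while sending 4 gets the fake credential echoed back by the unchecked handler and is simply dropped by the fixed one.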
The Heartbleed bug was introduced over 2 years ago. Systems that used releases before December 2011, as well as those that did not use OpenSSL, are safe and secure.
What Now? How do we protect ourselves? Do not freak out; it is early in the game, and the information flooding in will probably change at least a dozen times in the weeks to come.
- Review online banking accounts frequently. If you see suspicious activity, call the fraud department.
- Do not change passwords until the website has been patched. If the site has not been updated, changing your password is pointless.
- Use passwords of eight characters or more with mixed types of characters.
- Read updates on the virus from trusted news sources.
- Stay away from public Wi-Fi
- Do use a password manager – LastPass
- Download Software Updates when available
- Turn off your router’s remote access
Here is a list of larger sites patched so far –
- Google, YouTube and Gmail
- Yahoo, Yahoo Mail, Tumblr, Flickr
Sites you do not need to worry about are –
- AOL and Mapquest
- Bank of America
- Capital One bank
- Charles Schwab
- Chase bank
- HSBC bank
- Microsoft, Hotmail and Outlook
- PNC bank
- TD Ameritrade
- U.S. Bank
- Wells Fargo
Do not change these yet – Unclear
- American Express
- Apple, iCloud and iTunes
Bottom line is to just be aware. This is not the first time this has happened (although not on this scale) and it will not be the last. So take a deep breath and remember “This too shall pass.”
Lori Davis, Office Manager and Accounting