The recent surfacing of the Heartbleed bug, and all the publicity and discussion that ensued, points to some old, and new, truths about computer bugs. In a nutshell, with the Heartbleed bug as with others, don't panic. But you can take some reasonable, measured actions.

The Heartbleed bug is a defect in a web infrastructure program that can make it easier for bad guys to steal your logins and passwords at many websites, perhaps even your credit card or banking account information. But at this time, it appears that not many people have gotten fleeced.

As always happens when a major Internet vulnerability surfaces, some Internet security companies and journalists have painted a scary picture. Such fear can be as bad as or worse than the problem. There's no need to stop doing online shopping or banking, just as there's no need to stop driving if you hear about a major car recall.

The software in question is called OpenSSL. It's a free and widely used method of encrypting data that's typed into websites, including passwords. The SSL part stands for Secure Sockets Layer. All websites that display addresses beginning with https use SSL, but only those that use certain versions of OpenSSL are affected by this bug.

The bug has been around for more than two years, but it was only just discovered, independently, by security firm Codenomicon and Google researcher Neel Mehta. The bug was caused by an OpenSSL programmer who appears to have simply goofed. Since it was discovered, websites have been feverishly implementing fixes, trying to beat the crooks who might take advantage of it.

Most banks and other financial institutions don't use OpenSSL, but instead use proprietary encryption software. However, some popular sites, such as Yahoo, were affected. Shortly after Yahoo announced that, it began making appropriate corrections.

What can you do? First, here's what you shouldn't do. Don't rush off and change all of your passwords. If a particular website using an affected version of OpenSSL hasn't implemented a fix, this could make it even easier for a hacker to nab you. Check with the websites you use to confirm that they're secure. Or you can use the tests at sites such as Lastpass (www.lastpass.com/heartbleed) and Qualys (www.ssllabs.com/ssltest/) to check whether specific sites are vulnerable.

The following security safeguards can also make good sense in dealing with the Heartbleed bug and for reducing your exposure to future vulnerabilities as well.

If a particular website you frequent uses dual-factor authentication, sometimes called two-step verification, use it. Dual-factor authentication requires you, when gaining access, to provide a second piece of information along with a password, such as answering a security question (for example, your mother's maiden name) or returning a code that has been texted to you. Using dual-factor authentication is particularly important with sensitive sites such as banks, credit card companies, and investment companies. If you're already using it, you already have less exposure.

Keep a close eye on credit card, bank account, and other financial statements. If you spot unfamiliar charges, investigate them.

Not many people change their passwords on a regular basis. But doing so is a frequently recommended security precaution, as is not using the same password at multiple sites. If you don't want to bother remembering or safely recording passwords yourself, you can use a password management program such as Lastpass (www.lastpass.com) or KeePass (www.keepass.info).

Use a strong password. Many websites today require you to use a password that consists of at least eight characters made up of both letters and numbers, which makes it more difficult to crack. But many security experts recommend at least 12 characters and that passwords also include uppercase and lowercase letters as well as symbols. Better yet, use a "passphrase." This is a short sentence that's easy to remember, not too difficult to type, and very difficult to crack, such as "Go forth 4 ever&more." Some people still use passwords that are grade-school simple to crack, such as "password," "12345678," or "abcd1234."

The Heartbleed bug has many predecessors. According to popular mythology, the term "computer bug" came about when a moth flew into a U.S. Navy computer in 1945, jamming a relay. In reality the word "bug" was used as far back as Thomas Edison's time to signify a glitch in a mechanical system. Most computer bugs, like the Heartbleed bug, are mistakes caused by software programmers, while others are hardware glitches. Some "bugs" aren't software or hardware problems but instead are snafus caused by users not following directions.

Reid Goldsborough is a syndicated columnist and author of the book Straight Talk About the Information Superhighway. He can be reached at reidgoldsborough@gmail.com or reidgold.com.