How to Protect Yourself
From the ‘Heartbleed’ bug
A new security bug means that people all across the Web are vulnerable to having their passwords and other sensitive data stolen. Here’s what consumers can do to protect themselves.
by Richard Nieva
A major new security vulnerability dubbed Heartbleed was disclosed Monday night with severe implications for the entire Web. The bug can scrape a server’s memory, where sensitive user data is stored, including private data such as usernames, passwords, and credit card numbers.
It’s an extremely serious issue, affecting some 500,000 servers, according to Netcraft, an Internet research firm. Here’s what you can do to make sure your information is protected, according to security experts contacted by CNET:
Do not log into accounts from afflicted sites until you’re sure the company has patched the problem. If the company hasn’t been forthcoming — confirming a fix or keeping you up to date with progress — reach out to its customer service teams for information, said John Miller, security research manager for TrustWave, a security and compliance firm.
Some Web sites that appeared to have been affected included Yahoo and OK Cupid, though the companies have said their sites are all or partly fixed (see below for details). You can check sites on an individual basis here, though caution is still advised even if the site gives you an “all clear” indication. If you’re given a red flag, avoid the site for now.
The natural response might be to want to change passwords immediately, but security experts suggest waiting for confirmation of a fix because further activity on a vulnerable site could exacerbate the problem.
Once you’ve got confirmation of a security patch, change passwords of sensitive accounts like banks and email first. Even if you’ve implemented two-factor authentication — which, in addition to a password asks for another piece of identifying information, like a code that’s been texted to you — changing that password is recommended.
Don’t be shy about reaching out to small businesses that have your data to make sure they are secure. While the high-profile companies like Yahoo and Imgur certainly know about the problem, small businesses might not even be aware of it, said TrustWave’s Miller. Be proactive about making sure your information is safe.
Keep a close eye on financial statements for the next few days. Because attackers can access a server’s memory for credit card information, it wouldn’t hurt to be on the lookout for unfamiliar charges on your bank statements.
Even after following these guidelines, there is still some riskiness in surfing the Web in the aftermath of the bug. Heartbleed is even said to affect browser cookies, which track users’ activity on a site, so even visiting a vulnerable site without logging in could be risky. The Tor Project, which stresses anonymity and privacy, wrote in a blog post that users with those needs “might want to stay away from the Internet entirely for the next few days while things settle.”