A major Internet security vulnerability (CVE-2014-0160) known as Heartbleed has been discovered in the widely used encryption program OpenSSL. OpenSSL is the implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols for transmitting secure information over the Internet. Servers for all your most common Internet applications – including web browsing, email, instant messaging and smartphone apps – likely use the SSL and TLS protocols.
This breach is especially serious because OpenSSL is the most common Internet encryption program used; the Heartbleed Bug resides on Internet servers, not individual computers; it went undetected for two years; and security breaches left no trace! Hackers were able to steal keys that protect communication, user passwords, stored files, bank and financial information and even social security numbers with impunity for 2 years! There’s no way to tell what sensitive information may have been compromised over the last two years.
Learn how to check a website for the Heartbleed Bug before you use it and how to protect your information – and yourself – from now on.
Good News, Bad News
The Good News – WCBS’ servers do not now have, nor have they ever had, the Heartbleed Bug. We can state categorically that absolutely no sensitive information transmitted to any of our websites has ever been compromised due to the Heartbleed Bug. How do we know? None of our servers have ever used any of the versions of OpenSSL that had the Heartbleed vulnerability. We take the security of our customers and their information very seriously! Passwords or any other information are never stored on our servers. (See earlier Post Trusted and Secure.)
The Bad News – All Internet shoppers must now assume that at least some of their sensitive information has been compromised. This is a major wake-up call. Internet technology has become too complicated and too advanced for problems and vulnerabilities not to exist. Credit and debit card fraud has nearly quadrupled in the past decade, hitting $11.3 billion in losses worldwide last year alone. In December, Target announced that up to 40 Million of their customers’ Debit and Credit Cards had been compromised! The consequences can be personally devastating. It is time to take action to secure your passwords and financial information and guard against Identity Theft.
What You Can Do
1. Check the Web Sites You Use – Symantec, who makes Norton Antivirus, has created an Online Test Utility for the Heartbleed Bug. We recommend that you check all sites from now on before transmitting any sensitive information.
2. Install An Automatic Checker In Your Browser – Developer and cryptography consultant Filippo Valsorda developed browser Add-Ons for Firefox and Google Chrome that automatically check sites that you visit.
3. Make your passwords long and strong – Combine both upper and lowercase letters with numbers and symbols to create a complicated, secure password. Don’t use common, easy-to-guess words or names like ‘princess’ or ‘dragon’, sports terms like ‘baseball’ or ‘football’, animals like ‘dog’, ‘cat’ or ‘monkey’, phrases like ‘letmein’, common swear words, strings of consecutive numbers or letters and, of course, never use the word ‘password.’ Most importantly, don’t use the same password repeatedly on multiple sites. If you use only one password and it’s discovered (as with the Heartbleed Bug), then every account you have can be accessed and compromised. The best practice is to make each and every password long, complicated and unique. Write your passwords down; keep them in a safe place. Change them regularly.
4. Use Password Manager Software – There are now many good programs available with a range of features. A good place to start is to read PC Magazine’s review on The Best Password Managers. The best passwords are randomly generated. The only practical way to do that is to use a good Password Manager.
5. Protect Your Online Identity – There are two schools of thought: 1) everyone needs an Identity Theft Protection service, and 2) Identity Theft Protection services are overly hyped and not worth the money. Our recommendation is to educate yourself, survey the field, investigate the options available, do what you can on your own and then decide if you need an additional dedicated program. For a start, read:
- Consumer Reports article Don’t Get Taken Guarding Your ID
- Consumer Federation of America report (PDF): To Catch a Thief: Are Identity Theft Services Worth the Cost?
- Online Test Utility for the Heartbleed Bug at filippo.io
- Identity Theft Resource Center
- Privacy Rights Clearinghouse
- Federal Trade Commission
- 2014 PC Magazine reviews on The Best Password Managers
- Reviews.com 2014 reviews of the Top 10 Identity Theft Protection Services
- Consumer Federation of America Nine Things To Check When Shopping for Identity Theft Services