You know those “secure” websites, like banks and eBay, where there is a little padlock in the address bar next to the URL? Well, apparently, in 2011 somebody sneezed when they were writing the security code that most of the banks and other “secure” websites use – and a bug landed in the code.
On Monday, someone in Finland and someone else at Google spotted that there was something wrong. They found the bug and realised that it is very, very easy for anyone to get your username, password and loads of other stuff when you log in to one of these “secure” sites. Not just that, but anyone can easily get these “secure” sites to tell them the user names and passwords of people who have logged in at some time in the past.
When I say “anyone” I mean, of course, that nerd next door and anyone else who understands the techie jokes in “Big Bang Theory”.
What is happening now is that all the nerds and “Big Bang Theory” fans are just playing around, testing different “secure” sites and seeing how much info they can download. Just for a larf. I’ve seen them at it on Nerd Forums!
Luckily, most nerds are not nasty but there will be other people out there who are not doing this for a larf.
Hackers can use this information in several ways. For example:
- to impersonate you, eg. to log in to your bank account or email account (if you have a Yahoo! email account you DO need to change your password now).
- to impersonate a website, eg. to pretend to be that bank or online shopping site that you love and trust.
There is a lot of lengthy technical information about this on the internet – this article is short and intelligible to mere humans like you and me: Lifehacker Heartbleed Info
Great news, isn’t it?!
- What you DON’T want to do is go scurrying about changing all your passwords without checking first if the sites you use have updated their code.
- What you DO want to do is check which passwords to update now and which ones to do later, when the affected secure sites have wiped their noses and got clean hankies in their pockets.
The easy way:
Use the LastPass Security Check – this is being updated to accommodate people who do not already store their usernames and passwords with LastPass.
- The Security Check will only show sites relevant to you and, of those, only those which are or have been affected by the Heartbleed bug. (By “you” I mean “the passwords and user names you have locked up safe and sound in your LastPass vault”. If you do not already do this, now would be a good time to start.)
- After you run the security check, some sites might have “Wait” next to them. If so, you need to go back and keep checking using this tool until it says “Go update!”. Once a day should be quite often enough.
The more tedious ways:
Use a site like this one to check each site individually: http://filippo.io/Heartbleed/
That was the first site on the internet offering site security checks for Heartbleed. There are more and more just like it popping up all over the place. Be wary and only use a security checking site if you are sure it is legit.
- You do NOT need to pay for a Heartbleed Security Check – some sites are cashing in by charging for security checks but there are plenty of free ones around.
UPDATE: The first and last pages of this reader-friendly article from Mac Observer sum it up nicely – the middle pages explain the situation in more detail: “Dealing with Heartbleed – What you need to know”