Hey, you sass that hoopy Bill Napier? There's a frood who really knows where his towel is.

My Heart is Bleeding

A funny name for a serious bug. -- Bill Napier

You may have heard about it in the news, but may be unsure of what to do about it. I know this because I've had a number of people already ask me what they should do about it. Let me enlighten you.

What's the problem?

I'll try to explain it two ways: semi-technically, at a level most people who are familiar with computers should understand, and then as an analogy, for those of you who don't follow the first explanation.

Technical

The bug is in OpenSSL, which is a library used in many (many) places to do secure communications. If you see "https" in your browser, there is a chance that the site you're talking to is protected via OpenSSL.

Without going into specifics on the bug (check out http://heartbleed.com/ or the CVE for those), the bug essentially allows an attacker to read anything the web server itself can access. For most websites, that could mean everything: usernames, passwords, credit cards, SSNs, tax returns, and so on. It could even be used as a starting point for exploiting another bug and installing a backdoor.
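To make the "read anything the server can access" part concrete, here is an added illustration of the class of bug involved; it is not code from this post or from OpenSSL. Heartbleed itself was a missing bounds check of exactly this shape: a message carries its own length field, and the server trusts that field instead of the number of bytes it actually received, so its echo reply copies whatever sits in memory next to the message. The record layout, the memory "arena", and the secret string are all constructed for the demo, and the hardened handler adds the one check the vulnerable one lacks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified echo-record layout (hypothetical, not OpenSSL's):
 *   bytes 0-1 : payload length claimed by the sender (big-endian)
 *   bytes 2.. : the payload, followed by whatever else sits in memory
 */
#define ARENA_SIZE 64
#define MAX_REPLY  64

/* One array stands in for the server's memory: the received record at the
 * front and unrelated data (a pretend session secret) right after it.
 * Keeping everything inside a single array keeps the over-read within
 * defined behaviour for the demo. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SESSION-SECRET-1234";   /* constructed */

static void build_arena(uint16_t claimed_len, const char *payload, size_t payload_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = (unsigned char)(claimed_len >> 8);
    arena[1] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 2, payload, payload_len);
    memcpy(arena + 2 + payload_len, secret, sizeof secret); /* adjacent "secret" */
}

/* Vulnerable: trusts the length field inside the message. record_len is the
 * real size of what was received, but this version never consults it. */
static int echo_vulnerable(const unsigned char *rec, size_t record_len,
                           unsigned char *out, size_t out_cap) {
    (void)record_len;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > out_cap) return -1;    /* only protects the reply buffer */
    memcpy(out, rec + 2, claimed);        /* copies past the real payload */
    return (int)claimed;
}

/* Hardened: the claimed length must fit inside the bytes actually received. */
static int echo_fixed(const unsigned char *rec, size_t record_len,
                      unsigned char *out, size_t out_cap) {
    if (record_len < 2) return -1;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > record_len - 2) return -1;   /* the missing bounds check */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + 2, claimed);
    return (int)claimed;
}

/* Does the reply contain the adjacent secret? */
static int reply_leaks_secret(const unsigned char *out, int n) {
    size_t m = strlen(secret);
    if (n <= 0) return 0;
    for (size_t i = 0; i + m <= (size_t)n; i++)
        if (memcmp(out + i, secret, m) == 0) return 1;
    return 0;
}

/* Send a 2-byte payload that claims to be 40 bytes long through both handlers.
 * Returns 1 when the vulnerable handler leaks the secret and the fixed one
 * refuses the record, 0 otherwise. */
int demo(void) {
    const char payload[] = "hi";
    size_t payload_len = 2;
    size_t record_len = 2 + payload_len;   /* what actually arrived */
    unsigned char out[MAX_REPLY];
    build_arena(40, payload, payload_len);  /* sender lies about the length */
    int n_vuln = echo_vulnerable(arena, record_len, out, sizeof out);
    int leaked = reply_leaks_secret(out, n_vuln);
    int n_fixed = echo_fixed(arena, record_len, out, sizeof out);
    return leaked && n_fixed == -1;
}

int main(void) {
    printf("vulnerable handler leaks the secret, fixed handler refuses: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The point for a defender is that the length field and the record length are two different numbers, and only the second one can be trusted; the fix is a single comparison between them, which is why a bug this small could expose so much.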

Analogy

When you leave your house, you lock all the doors, right? Imagine that your door lock had a bug in it (a design flaw) that allowed an attacker (thief?) access to your home without you even knowing that they have been there. Obviously they can do the easy stuff: steal your TV and your jewels. They could also be rather annoying and steal your Social Security card and birth certificate and passport and start impersonating you (identity theft). Or they could come in and just put up hidden cameras and bugs and a backdoor into the house so they can come and go and do whatever they want, even after you've changed the locks.

Hold me, I'm scared

So first off, not every website is affected. There are some sites (I like LastPass) that will check whether services you use are affected or not. As you can see from this infographic, a lot of the financial sites are fine.

infographic

Should I change my passwords then?

Short and sweet? Maybe.

Here's the tricky part. The bug has existed for 2 years. As far as we know, nobody knew about it until December (at which point the bug was fixed and a release pushed). There is a slight chance that black-hat hackers silently discovered the bug first and had been using it prior to December, but that isn't thought to be a huge risk. So even if a site you use had the bug for a while, you may be safe.

Prior to this week's announcement, the good guys (white-hats) knew about it, but that doesn't really change the risk profile. Things changed this week when a tool was released that exploited the bug to recover recent traffic sent to and from sites with the bug. This made things much riskier because it made exploitation easy: anybody could download this tool, click a few buttons, and possibly catch your username and password while you were logging into the site. And chances are people did.

Keep in mind that it makes no sense to change your password until the site has fixed the bug. Otherwise your new password will be at just as much risk as your old one.

Levels of Paranoia

If you're a tin-foil-hat-wearing kinda guy, you should probably change any and all passwords for any site that has ever been affected by the bug (once they have fixed it, of course). This isn't feasible for most people. In my LastPass vault I've easily got 150 passwords, and I know there are some that it doesn't know about (usually due to laziness).

A more reasonable approach would be to change the password for any affected site that you've accessed since (say) 4/5/2014 (again, once they have fixed the bug). By affected I mean affected after the tool was released; sites (like Google) that patched it prior to the tool's release are probably OK. Even if you haven't entered the password during that "risky" window, you should change it to get a new login cookie. This should protect you against any of those "script kiddies" who downloaded the exploit and immediately started snooping traffic. This is a case of fixing things that we know are a problem (we know that people are going to be doing this) vs. fixing things we think may have happened (a more sophisticated custom attack).

I can't recommend doing nothing at all. At the least you should check any important sites (as defined by you) and change your password if you accessed them inside that risky window. For me, this is anything to do with money: PayPal, Google (Wallet/Play/Drive/Gmail), banks, credit cards, etc. That should be a smaller list than the full 150+.

Any other recommendations?

LastPass

I'm going to plug LastPass again. The basic gist of what they do is keep track of all your passwords. This is handy so that if something like this happens again, you have a list of the sites you use rather than having to figure that list out. LastPass also has a proven record of trying to inform and protect their customers, and their tool can already tell me which of my sites have been affected and whether it's time to change my password there or not (depending on fixed status).

An additional protection is its ability to handle site-specific passwords, where each site has its own unique password. If you don't have site-specific passwords, it may be possible for an attacker to gain your username/password from a Heartbleed-affected site and then start trying it against "safe" sites. If each site has its own password, this isn't an issue.

And I promise I'm not a LastPass shill. I get no compensation for this post, just a VERY happy customer.

Second Factor

Please turn on second-factor authentication on any site that offers it. This also provides defense in depth: even if an attacker gains your password via another bug, without access to your second factor they cannot access your account. I wish more services had this kind of setup (banks, I'm looking at you).

Further References

http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/
Krebs is great. You should just read his stuff because.


Bill Napier

Technologist, Gadget Lover, Father. Doing full time work at Google and part time work on everything else.