This may seem like the winter that won’t end, but that’s no excuse to delay spring cleaning your tech.
The first round this year has to be your passwords. Even if you’re not normally too conscientious in this regard, all of the press on the Heartbleed bug should give you the kick-start you need.
If you haven’t heard already, and it would be hard to avoid the topic, Heartbleed is a recently announced vulnerability in OpenSSL, the open source toolkit that much of the web uses to secure online communication.
Think of SSL (Secure Sockets Layer) as a scrambler for online communication. You’ll notice that a website is using SSL when the web address in your browser begins with “https” instead of the regular “http.”
That extra “s” is often accompanied by the image of a padlock, giving you the extra reassurance that your communication is locked down.
It is well known that online communication may be intercepted while it is travelling to and from your computer. The idea behind SSL is to make that communication unreadable to anyone who doesn’t hold the secret key to the scrambled message. And that’s where the Heartbleed bug comes in.
When exploited, this bug allows an attacker to request small extra bits of information from your computer while it is using the supposedly secure method of communication. Once enough information has been collected, the attacker can sort through it and find the private key required to unlock all of the scrambled data, including your username and password.
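For readers who want to see the mechanism, here is an added toy model (not code from the column or from OpenSSL) of the heartbeat message at the heart of the bug: the sender states how long its payload is, and the vulnerable code copied back that many bytes without checking the claim against the message it actually received. The memory contents and the “secret” are constructed sample values.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEADER_LEN = 3    # 1 byte type + 2 byte payload length
PADDING_LEN = 16  # heartbeat messages end with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat message: type, payload length (big-endian), payload, padding.
    claimed_length lets the caller lie about the payload size, as the bug allowed."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def vulnerable_echo(memory: bytearray, offset: int) -> bytes:
    """Trust the length field and copy that many bytes back, wherever they came from."""
    _, claimed = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER_LEN
    return bytes(memory[start:start + claimed])


def patched_echo(memory: bytearray, offset: int, record_len: int) -> Optional[bytes]:
    """Only echo the payload if the claimed length fits inside the record we received."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None  # too short to be a valid heartbeat at all
    _, claimed = struct.unpack_from("!BH", memory, offset)
    if HEADER_LEN + claimed + PADDING_LEN > record_len:
        return None  # claimed length exceeds the message: discard silently
    start = offset + HEADER_LEN
    return bytes(memory[start:start + claimed])


def demo() -> tuple:
    """Constructed process memory: a 4-byte 'ping' heartbeat that claims 40 bytes,
    followed by unrelated data (a pretend session secret) sitting next to it."""
    record = build_heartbeat(b"ping", claimed_length=40)
    secret = b"SECRET_COOKIE=constructed-value;"
    memory = bytearray(record + secret)
    leaked = vulnerable_echo(memory, 0)                  # 40 bytes, including the secret
    safe = patched_echo(memory, 0, len(record))          # None: the claim is rejected
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable echo leaked:", leaked)
    print("patched echo returned:", safe)
```

The patched version keeps the same behaviour for honest messages, which is why the fix could be deployed without changing the protocol.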
What makes Heartbleed so scary is the scope of the vulnerability. First, the vulnerable version of OpenSSL was released more than two years ago.
That is an incredibly wide window of opportunity. Second, OpenSSL is so widely used that an estimated two-thirds of servers around the world rely on it. Not all of these were running the vulnerable version of OpenSSL, but the problem is still incredibly widespread.
What can you do?
Since this vulnerability is found on servers around the world, fixing it directly is out of your control. What you can do is practice good password hygiene.
Most of the affected servers out there have been patched at this point, so you can go ahead and start updating your passwords. In many cases you have already received an email directing you to do just that. Until the servers were actually patched there was no point in doing so, because an attacker could read your new password as easily as your old one.
If you aren’t sure whether a particular service was vulnerable, or whether it has been patched yet, look it up. Not sure if you need to bother? Here’s a quick rundown of a few of the many websites and services affected: Facebook, Google (Gmail, YouTube), Yahoo, Tumblr, Instagram, Pinterest, Netflix, Etsy and even the Canada Revenue Agency.
Here are a couple of ideas for password hygiene. First of all, stop thinking of it as a word.
Try a phrase instead. A handy trick is to think of a quote that you will always remember and then pick the first or second letter from each word in that quote.
Toss in a couple of special characters and numbers and you’re all set. Next, and you may not like this, use a different password everywhere.
Seriously, if someone can get access to a single account, it’s a no-brainer for them to get into the rest if your passwords are all the same. Finally, make password changes a regular thing. Every three months is a good rule of thumb.
Jon Reid is an IT professional working in Corner Brook. His column appears every other Tuesday in The Western Star.