ATI's Heartbleed Bug Web Page
  INTRODUCTION – A quick summary of the bug
  WHAT to DO – Detailed steps on what you need to do to protect yourself
  ABOUT the BUG – Many links for more details about the bug

INTRODUCTION

By now you should have heard of the Heartbleed Internet bug announced on 4-7-2014. It’s a serious flaw in the OpenSSL security software used by an estimated two-thirds of the Web sites, services, and apps on the Internet. Said by many experts to be the worst Internet security bug ever, it’s been in place for over two years, but was only recently discovered. When exploited by malicious hackers, it can be used to gather all of your personal and sensitive information, such as usernames, passwords, credit card numbers, bank account information, stored files, and Social Security Numbers. Anything you thought was private and secure is at risk if a site, service, or app is vulnerable to the bug. From McAfee — "The severity of the Heartbleed vulnerability cannot be overstated. For the protection of your data, you need to assume that your credentials have been leaked via Heartbleed." In addition, when criminals exploit the bug, that activity goes undetected, as Heartbleed leaves no trace. So those companies vulnerable to the flaw will see no evidence of any wrongdoing.

Not all companies were vulnerable, but MANY popular ones were, such as Cabela's, Dropbox, eHarmony, Espn.go.com, Etsy, Facebook, Flickr, Gmail, Google, Instagram, Match.com, Netflix, OKCupid, Pinterest, Tumblr, USPS, Weather Channel, Wordpress (free blog site), Yahoo, and YouTube, to name a few. And thousands of less popular Web sites and Internet services were also vulnerable.

Be sure to see this Web page – ATI's Heartbleed List – which lists many popular and common Web sites, whether they were vulnerable, and whether you should change your password or contact the company.

What do you need to do now to protect yourself? Determine ALL devices you use to connect to the Internet. For each device, determine ALL of the Web sites, Internet services, and apps at which you have an account. For each account, determine if the company involved was vulnerable to the Heartbleed bug and if they have fixed their system yet. If they have, then change your password with that company. See the WHAT to DO section below for detailed steps. And be sure to alert anyone else you know using the Internet about this.

To learn more about the Heartbleed security flaw, see the ABOUT the BUG section below for many articles about the bug and what it means to the security of the Internet and to all of us.



WHAT to DO –
Detailed steps on what you need to do to protect yourself

A. Determine all your Internet accounts, then change your passwords and delete cookies, but only after each Web site, Internet service, or app has confirmed they have patched the Heartbleed bug and generated new security certificates.

1. Determine ALL devices you use to connect to the Internet, including, but not limited to: computers, tablets, smart phones, and smart TVs.

NOTE: the bug could potentially affect any home (or business) device that's connected to the Internet, including a Wi-Fi-enabled Blu-ray player, as well as things like smart thermostats, security systems, and lighting systems.

2. Determine ALL your Internet accounts.

a. For each device, determine ALL of the Web sites, Internet services, and apps at which you have an account. Be sure to include all sites for:

Banks
Cable, Internet, phone, satellite, TV providers
Computer hardware & software
Dating services
Email
Financial
Gaming
Gas, electric, propane
Government
Internet providers
Health and medical
Media / news / sports
Messaging
Movies, videos, TV shows
Music
Password managers
Photographs
Professional associations
Real estate
Reference sites
Retail, shopping, and commerce
Shipping services
Social networking
Taxes
Travel
Utility companies
Weather

to name a few, and ANY place where you have an account, and/or store or have shared sensitive information that you expect to be secure. Be sure to consider any app, Web site, or service that requires login credentials and goes to, or through, the Internet. Don't forget those places that store passwords and log you in automatically. 

b. Pull out all your records of accounts and passwords.

c. Look at all the bookmarks and favorites in your Web browsers (Internet Explorer, Firefox, Chrome, Safari, Opera, to name a few) for the sites you commonly visit where you have an account.

d. Browse through your computer, tablet, and smartphone apps, programs, and applications, and make note of any that sync or share your data with the Internet, and make note of the accounts involved.

e. If you're an Apple Mac user, look at the apps and sites listed in Keychain, which holds usernames and passwords. (Keychain is located in the Utilities folder within your Applications folder.)

f. If you use a password manager, take note of those accounts as well.

g. Android users can check on their device's Heartbleed risk using Lookout's Heartbleed Detector app, or use Bluebox Heartbleed Scanner to evaluate both the operating system and installed applications. According to Google, most gadgets that run its mobile operating system are safe from Heartbleed exploitation, except those that run Android 4.1.1. But Lookout claims that around 5% of Android 4.2.2 devices could be affected.

h. There's also a Heartbleed app for Windows Phone, though it's simply a URL checker.

i. Apple says its iOS (used in its iPads, iPhones, and iPod Touches) is not vulnerable to Heartbleed. But note that individual apps may be at risk.

3. For ALL Internet accounts, determine if the company involved was vulnerable to the Heartbleed bug. And if so, find out if they have fully fixed things and reissued their digital security certificates.

The better sites, services, and apps MAY notify you in some form with an official announcement, somewhere. But do not wait for or expect an official announcement. Even many of the bigger, more popular sites are doing a horrible job of informing their customers. You will need to find out on your own if a site, service, or app was vulnerable to the Heartbleed bug, and if so, whether the flaw has been patched. The easiest way is to contact the company involved directly and ask them:

  • Were any of your Web sites, services, or apps at any time vulnerable to the Heartbleed Internet security bug? What about for any partners you have or vendors you use that handle our information? (Be sure to get a good solid answer either way, not a lot of corporate "double-talk.")
  • Do you have an official company statement, and it is presented somewhere online?
  • If you were NOT vulnerable, how and when will you be letting us (all your customers) know that your system is safe?
  • If you WERE vulnerable –
    • Have you (and your partners/vendors) patched and/or updated your OpenSSL software to deal with the Heartbleed flaw, revoked old SSL certificates, and generated new certificates and private security keys?
    • Have you (and your vendors) since run security tests to verify you are no longer vulnerable?
    • Is it now safe to change our passwords at your site, service, or app?
    • If you have not yet fixed things, when do you expect to do so?
    • How will you let us (all your customers) know when you have fixed things and that your system is now safe?

As Charlie Russell said very well on this Web page:

"When evaluating a Web site or Internet service that you use, consider the following:

  • If a company says it was vulnerable and is working to fix the issue — then be afraid, as it may still be vulnerable. Stay out of the website, because logging in can expose your passwords. Wait until the company says it's safe, then quickly go in and change your password. Keep in mind that even if someone says there was no indication of a threat, one of the nasty aspects of this security hole is that it's impossible to detect if anyone stole information using Heartbleed. By this time, though, I don't think there will be many major websites with this status. [But it's all the vulnerable, unfixed non-major ones that could be trouble down the road.]

  • If a company says it used a vulnerable version of OpenSSL but fixed the problem, then change your password right away. Please use a unique password for each site, don't share passwords with multiple sites, and don't reuse old passwords.

  • If a company didn't use the vulnerable version of OpenSSL then you don't have any worries; the company wouldn't be affected by Heartbleed. However, since this bug has existed for several years, you should learn more – did the company ever use this version?

  • If a company uses Microsoft web technologies instead of OpenSSL then it's generally in the clear – Microsoft web technologies aren't vulnerable to Heartbleed. The only concern here is if the company used OpenSSL in some portion of its website."


There are also Heartbleed checker Web pages available, which check a Web site for the Heartbleed vulnerability. Check these out, but do not put complete trust in them, as they do not always agree with each other, and sometimes they give false results. If in doubt, contact any company you're not sure about. And be sure to check the URL used when you log in to a site, not just its main URL.

Recommended Heartbleed Checker:

  • Heartbleed Checker, from LastPass - appears much more accurate than the others, and/or it errs on the side of caution. If there's any doubt, and the checker indicates the company used and has updated their OpenSSL software and certificates, then change your password for that company's site.

Other Heartbleed Checkers:

  • Heartbleed Checker, at Hostgator
    • A report of SAFE means the site was vulnerable to the Heartbleed bug but has now been fixed so it's now safe to change your password. (Remember, changing your password before a site is patched will not protect you and your information.)
    • If it reports the site "did not use SSL" – you do not need to change your password.
    • If the site is still vulnerable, your best bet is to monitor activity on that account frequently looking for unauthorized activity.

  • Heartbleed Checker, from Filippo Valsorda - the results are unclear, because it will say a site is "fixed or unaffected" -- and that's misleading, because if a site is fixed you should change your password, and if a site is unaffected then you do not need to change your password. So be safe and change your password when you get that result.

  • Heartbleed Checker, from Qualys - for the technicians.
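One check you can run yourself, as an added example that is not part of ATI's page or of any checker listed above: the script below classifies a site's TLS certificate by whether it was issued after the 4-7-2014 disclosure, which is the "reissued its digital certificates" test described in step 3. The hostnames and certificate records are constructed samples, and the cut-off of midnight UTC on the disclosure day is an assumption.

```python
import ssl
import socket
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 2014-04-07 (the 4-7-2014 date on this
# page). A certificate live on a vulnerable server before then could have had
# its private key read, so a cleaned-up site should serve a cert whose
# notBefore is later than this cut-off (assumption: midnight UTC that day).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def classify_cert(peercert, disclosure=DISCLOSURE):
    """Classify a record in the dict format returned by SSLSocket.getpeercert().
    'reissued' - notBefore is after disclosure; changing your password there is
                 reasonable (a date check cannot prove the private key was also
                 rotated, so still ask the company about that)
    'stale'    - notBefore is before disclosure; cleanup is not done, hold off
    'expired'  - the certificate is no longer valid at all
    """
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peercert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peercert["notAfter"]), tz=timezone.utc)
    if not_after < datetime.now(timezone.utc):
        return "expired"
    return "reissued" if not_before > disclosure else "stale"

def fetch_peercert(hostname, port=443, timeout=5.0):
    """Fetch the live certificate for a host (needs network; the offline demo
    below does not call it). Run it against the login host, not just the main
    site, as the page advises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample records (hypothetical hosts, not real sites): the main
# site reissued after disclosure, but the login host still serves a 2013 cert.
SAMPLE_CERTS = {
    "www.example-shop.test": {
        "notBefore": "Apr 12 09:30:00 2014 GMT",
        "notAfter": "Apr 12 09:30:00 2099 GMT",
    },
    "login.example-shop.test": {
        "notBefore": "Jan 15 00:00:00 2013 GMT",
        "notAfter": "Jan 15 00:00:00 2099 GMT",
    },
}

def audit(certs):
    """Return {hostname: verdict} for a set of certificate records."""
    return {host: classify_cert(cert) for host, cert in certs.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_CERTS).items():
        print(f"{host}: {verdict}")
```

Replace SAMPLE_CERTS with `fetch_peercert(host)` results to audit real hosts; a "stale" verdict on the login host is the case the page warns about, where the main site looks fixed but the page you actually type your password into does not.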

To be ultra safe, don't log into any site that is vulnerable until AFTER it's been patched. Because Heartbleed is a live exploit, changing your password on an unpatched site is more likely to expose it than doing nothing. Avoid vulnerable sites until after you know they are fixed, and only then go to that site and change your password.

Adam Engst said, "Because the bug is now public, you should assume that any vulnerable Web site is under active attack, and if you have logged in since the bug was exposed, it's best to assume that someone may have your password and potentially any other data you transmitted in that session. ... any online criminal or intelligence agency worth its salt could be automatically hoovering up as much information as possible (from vulnerable Web sites)."

And for any site you find still vulnerable, gently "yell" at them for not implementing the patch for Heartbleed already. (It's been well-known now since 4-7-2014.)

Note that although major vendors and websites are scurrying to fix this problem now, smaller apps, services, and sites might take more time. It will likely take a very long time for every website to do so. Or worse, they might ignore the problem altogether! One expert said, "It will likely take years before the Heartbleed threat can be considered largely neutralized."

4. Once you know a vulnerable site, service, or app has fixed the Heartbleed bug, and only then, go to that site and change your password with them.

(DO NOT change the password if a site, service, or app has not fully dealt with the Heartbleed bug. Because if they have not, the password you give them now could still become known by criminals, and you’ll have to go back a second time and put in (yet another) new password after the site or service has fixed the bug.)

DO NOT use the same password across sites. Always use a unique password at each site. If you used a password on a vulnerable site, and then used the same password on a safe site, you still need to change your password on the safe site, too. In fact, if you used the same password across more than one site, and any of those sites were vulnerable, the password at all those sites may now be known by criminals. So the passwords at all sites involved must be changed, as well!

When changing passwords, be sure to create good, strong ones. See here for password recommendations.

If you're not using a password manager, get a good notebook to store your passwords in a very organized manner, so they are easy to find and read when you need them. Store that notebook in a safe and secure location where no one (but you) can find it.

Expect the need to change your passwords again as more security flaws arise. (You should be changing your passwords on a regular basis, already.) And expect the need for greater security, better passwords, and additional security measures as time goes by.

5. Note – As one expert said, "You won't (really) be done until EVERY (vulnerable) site you use has patched OpenSSL and reissued its digital certificates. (And then you've changed your password at that site,) There's no question, it's going to be a pain to stay on top of all that."

B. Delete cookies, cache, and browsing history for all Web sites involved.

Do this from within all Web browsers (on all your computers and other Internet devices), and use a cleaner utility that handles this type of data for a secondary cleaning.

C. Monitor your online accounts

For at least the next several weeks, keep an eye on any of your sensitive online accounts (banking, Webmail, etc.) for suspicious activity.

D. Should you be worried about your bank account?

YES. Many big banks don't use OpenSSL, but instead use proprietary encryption software. But many smaller banks may be vulnerable – it's still unclear.

To be sure, contact your bank directly for confirmation that their online banking Web site is secure.

Keep a close eye on any and all financial statements to make sure there are no unfamiliar charges.

E. Fix / delete secondary data

Users may need to delete encryption keys and other data to be secure. Hopefully sites, services, or apps will instruct users about what needs to be done. But do not expect all sites that need to, to do this!

F. Other To Do’s

Watch your email for notifications from affected sites telling you it's now time to reset your password. But know that, so far, companies have done a very poor job of notifying customers. Also be on the lookout for fake phishing messages posing as legitimate companies and luring you to malicious sites. To be safe, always enter the site’s URL directly into your browser rather than clicking on the reset-password link in the email message.

Be very diligent about downloading and installing any software updates you may receive.

Be on the lookout for all kinds of junk email offering magic solutions to all your Heartbleed problems. They'll all be spam, either containing malware or pointing to sites that contain malware. Know that there's no quick or easy fix for Heartbleed.

Install a browser extension (but note these have rather limited capability):

  • Such as Netcraft (for Chrome, Firefox, Opera) to see if sites you're visiting are affected and get browser notifications.

  • Firefox users — install the free add-on to check a site’s vulnerability; it provides color-coded flags. Green means go and red means stop. You can download it here. But do not expect it to be 100% accurate.

  • Google Chrome users — install the Chromebleed Chrome extension. Once installed, you'll receive a warning any time you visit a site that was affected by Heartbleed. But do not expect it to be 100% accurate.

Check with the company that makes any router you are using to see if they are vulnerable or are having any problems.

At any Wi-Fi location you use, ask if they have checked with the manufacturer of their router to make sure they are safe. If they don't know what you're talking about, tell them to contact their IT department, then consider going somewhere else.

Read the Web pages at the ABOUT the BUG section below (and elsewhere on the Web) to learn more about Heartbleed flaw and how it affects us all.

G. These Web sites offer some advice on what we all need to do because of Heartbleed:



ABOUT the BUG – Many articles about the Heartbleed bug, what it means to the security of the Internet, and to all of us.
