Unless you are just returning from a vacation where you disconnected from technology, you know about Heartbleed, the OpenSSL bug. Heartbleed is being hailed as the biggest hacker window the internet has ever seen. More than two-thirds of the websites we visit may have had a password security hole the size of Texas for two years. There is not much information yet on how much exploitation actually took place. But here’s what you need to know to get safe:
Marketing software vulnerabilities
Major players in marketing software like HubSpot, Marketo, Pardot, Wordpress, and PR Web have already installed a Heartbleed patch. Although some say they don’t think they were vulnerable, it is still recommended that you change your passwords. The scary but true fact is that exploiting this bug leaves no trace in ordinary security logs, so there is no log a site could check to list who got in.
For more information about what caused Heartbleed, check out this blog from one of our IT clients. This is where we found the great cartoon that so accurately and humorously sums up the Heartbleed threat to our private data.
There are lots of stories out there about vulnerabilities in dozens of networking devices from companies like Cisco. Check with your IT support to determine if your devices pose a threat.
Personal devices like smartphones may also be at risk. Here is a good summary about Android phones and Heartbleed. It appears Android 4.1.1 Jelly Bean, a version which accounts for a third of all Android phones, is susceptible to Heartbleed.
Apple says it never used the vulnerable software in its web-based services like iTunes or iCloud, so you don’t need to change those passwords. But that doesn’t mean the data on your Apple devices isn’t at risk from a password breach on the sites you frequent.
More here on Apple.
The 2 critical steps to password security
It is not recommended to just go and change every password right away. Here’s what security experts say:
1) Find out if the websites that hold password information from you have updated their security software with a Heartbleed patch. Here’s a free tool McAfee announced yesterday.
There are others like it. Just choose one, enter the website URL in the search box, and you can find out if a patch has been made.
2) Once you determine the website URL has been updated to fix the Heartbleed vulnerability, then change your passwords. If you go straight to password updates without determining if a patch is in place, your new password can leak through the same hole, and you won’t be protected once the patch is finally installed unless you change it again.
Rethink your passwords
This is a good time to rethink your password strategy and find a system you can remember and change on a regular basis.
Consider password services like LastPass or 1Password.
Internal and external communication is key
You aren’t the only one freaking out about Heartbleed. Your customers are too, so if you have not yet communicated to them the current status, send an email and post the information on your website.
Internal communication is just as important. Make sure your employees understand the company talking points on Heartbleed and what passwords they should be changing.
To get more timely tips like this, sign up for our blog.