Heartbleed Checklist

A Guide To Cyber Security

In the wake of Heartbleed, many of us should be changing all our computer passwords, or have done so already. Although initially misconceived as a virus, it is in fact a simple coding error that affects over two thirds of internet users. Heartbleed can be described as a coding bug in the software running on website servers.

The bug currently allows anyone on the internet to read the memory of systems protected by the popular OpenSSL cryptographic software library. It has been identified as potentially giving access to encrypted traffic, names, passwords and the content of users.

But all is not as extreme as it appears. We have asked our IT department and our web development team to help us put together a blog post that looks at some of the key facts about Heartbleed and what you can do to protect yourself.

Before we begin, a large number of commonly used sites have been reported as not currently affected by the bug, which we hope will put your mind at ease about the issue. These include the following.

  • Amazon.com
  • eBay
  • Groupon
  • TripAdvisor
  • Paypal

www.cnet.com has created an extensive list of the 100 most commonly used sites, with updates on whether each has patched the Heartbleed bug yet, available at this link.

Some of the sites you may use that have been affected by the bug include:

  • Google
  • Facebook
  • Twitter
  • Dropbox
  • Bing
  • Wordpress

To ensure that all information you enter or use online remains secure, we have come up with some quick wins to help you avoid becoming one of the many people affected by the bug.

  1. Check whether the sites you currently use are affected by the bug.
  2. Next, change your passwords for major accounts — email, banking and social media logins — on sites that were affected by Heartbleed but have patched the problem.
  3. Wait for any sites you use that haven't yet patched to advise when they have done so. Once this has been confirmed, change your passwords there as well.

We have created a simple 8-point checklist of the most up-to-date information about the bug. If you are aware of any other updates that we haven't included, please add them to our comments section below.

Heartbleed Facts.

  1. As we mentioned already, Heartbleed is not a virus but a bug in the code. It is a security flaw that could potentially leave certain users vulnerable to online issues.
  2. Only sites running OpenSSL are affected. SSL (Secure Sockets Layer) is used to encrypt data sent between you and any website you log into.
  3. There are currently four areas that are compromised: 1) primary data, 2) secondary data, 3) protected content and 4) collateral.
  4. Encryption keys are classified as primary data. This vulnerability could allow potential attackers to decrypt any past or future traffic to a protected service and to impersonate the service at will.
  5. Usernames and passwords are considered secondary data. This is probably the most frequently discussed topic associated with the bug. Users are encouraged to change their passwords in line with their service provider's recommendations.
  6. Protected content refers to the actual content handled by any vulnerable service. Depending on the service provider, this can include financial data, private communications, documents or messages.
  7. Collateral refers to technical details such as memory addresses and security measures such as canaries, which are used to protect against overflow attacks.
  8. Unsure whether a site you use for business or personal purposes has been checked and had a fix installed? Go to www.filippo.io/Heartbleed/ and enter the site's URL to check whether it is secure.

Heartbleed is a serious issue that has caused some confusion, owing to uncertainty over the exact nature of the bug and what it affects. To stay secure online, it is worth doing some quick research into whether the sites you visit, or that your company uses, have had a security update.