At any time in the last two years, have you sent a credit card number to an online retailer? Used Gmail? Logged into your bank account's website? Uploaded your tax return to the IRS? If you answered yes to any of these questions, you could already be screwed. Welcome to the future.
The Internet's been hit by a serious bug. A very serious bug. It's called "Heartbleed" and you need to be at least a little worried about it. It affected Google, Yahoo, your bank, and an awful lot of the other sites that you were absolutely confident were secure.
What is it? Well, there's a website about it — The Heartbleed Bug — but instead I suggest that you start by reading the whole article over at TidBITS by Adam Engst: "The Normal Person's Guide to Heartbleed Vulnerability." It's the best thing I've read anywhere on the subject, although this xkcd comic explains the basic problem pretty well.
Although the bug's been there for two years, the world at large only became aware of it in the last day. I learned about it today by email from AgileBits, the geniuses that make 1Password. 1Password is the password protection program that I have recommended to my clients for a while now. There's a post on their blog about Heartbleed.
Heartbleed: Imagine no SSL encryption, it’s scary if you try
What do you do?
That seems to be a bit tricky.
Adam Engst advises doing nothing unless you know both (a) that such-and-such a site was compromised and (b) that the site's vulnerability has been fixed. Otherwise, says Engst, changing your password could be worse than not changing it. Why? Because the bug leaks information sitting in the memory of (ahem) "secure" servers. It's my understanding that the info that "bleeds" out when the bug is triggered is recent info, so a freshly typed new password is exactly the kind of thing that could leak from a server that hasn't been patched yet.
I am definitely not an expert in this field, but my sense is that accounts that use two-factor authentication should be pretty safe. And you should be using two-factor authentication whenever possible. I use it on my bank accounts, most of my credit cards, all my Google accounts, Flickr/Yahoo, Dropbox, and elsewhere.
But I'm using a Mac!
Doesn't matter much. This is an Internet bug, not a desktop OS bug. Apple's web services apparently were not compromised, because they don't use the version of SSL that has the Heartbleed bug. But if you open up Safari and log into your bank, you may be vulnerable even if you're sitting at your Mac and wearing your bicycle helmet.
The bottom line is: Start paying attention to your accounts. Enable two-step authentication on your important accounts, if you haven't already. Several years ago, my very first Gmail account was taken over — and I never was able to recover it. Very recently, my bank (Chase) noticed that somebody was trying to use my debit card in North Carolina while my wife and I were in San Diego. In that case, Chase's security measures caught the malefactor and no harm was done, well, other than my having to be without a debit card for five days while they mailed me a new one.
I love this quote over at Ars Technica by Troy Hunt, who is an expert in this field: "Ultimately, this boiled down to a very simple bug in a very small piece of code that required a very small fix.… Now it just needs to be installed on half a million vulnerable websites."
By the way: The Canada Revenue Agency has shut its sites down, but here in the US, the IRS says that it's not affected by Heartbleed. You can believe them if you want to. Call me paranoid, but I may mail my return this year for the first time in a while.