A bug that will give you a massive Heartbleed
Heartbleed: Security Flaw in OpenSSL. What does that mean?
Up until recently, the average internet user had never heard the word Heartbleed in connection with computer security, let alone OpenSSL. It is now sweeping the internet, is one of the largest trending topics on all social networking sites, and is the top story in the news. I hate to put a CNN spin on this, but it is terrifying!
In simple terms, it leads to the leak of information passed between the server and the client. It allows the hacker to steal user names and passwords, instant messages, emails and basically anything held in the memory of a vulnerable system. Furthermore, the hacker can eavesdrop on communications, steal data from service providers and impersonate users.
A team of security engineers at Codenomicon and from Google Security discovered the bug. OpenSSL is the most widely used open-source encryption code on the internet. It is used by:
- More than two-thirds of the active websites on the internet.
- Many mobile apps
- Email and chat servers
- Virtual private networks
- Hardware devices such as routers
As users, we have never been so vulnerable before. What can we do to protect ourselves? We wait. Each affected service provider must first fix the flaw, secondly swap out potentially compromised security certificates for new ones, and finally notify its users. Changing your password before the fix is pointless, as Heartbleed will be able to see your new password too.
Pinterest was the first service to contact me with regards to changing my password. I received this e-mail message on my Android phone; both the phone and Pinterest are exposed to Heartbleed. I logged onto the popular interest site using my Mac and promptly changed my password. I waited, but nothing really happened. That is the crazy thing about this Heartbleed bug: it can attack your computer memory without you knowing it. There is no trace that it was even there.
Mashable put out a list of popular networks and websites that are affected, and the action required of you. Ironically, all the big guys are on the list, as they have generally upgraded to the latest encryption. The list includes sites such as:
Canada Revenue Agency
Also affected and not on the list are Android, Canadian banks, and the CRA. During this busy tax time, the CRA temporarily removed public access to its site as a precaution, and users were unable to file their taxes using NETFILE. This security measure was necessary to protect taxpayer information and allow the agency time to upgrade the encryption. Unfortunately, the CRA announced that Social Insurance Numbers of about 900 taxpayers were removed from its systems. The CRA will take measures to help protect the individuals affected by this breach. The Minister of National Revenue also announced an extension to the filing deadline for taxes beyond April 30, 2014 for “a period equal to the length of the service interruption,” so individual returns for 2013 filed by May 5th will not incur penalties or interest.
For now, you might want to stay away from all sites identified as ‘vulnerable’.
Going forward, you are advised to change your passwords on a regular basis, use strong passwords, and never use the same password across multiple sites.
Next step: call your broker at McDougall Insurance & Financial to find out if you have identity theft coverage on your home policy! If you have commercial insurance for your business, call your broker to talk about cyber-risk insurance to protect your business and your customers’ information.
Call McDougall Insurance & Financial at 1-800-361-0941