Heartbleed Bug: What You Need to Know and Security Tips
What is Heartbleed? Symantec is continuing to track this OpenSSL bug discovered recently and its implications for consumers. Symantec has created a site devoted to Heartbleed for further information.
Watch to learn more:
"Heartbleed" a name that security researchers have given to a serious bug found in a very common piece of software used by many websites. The software in question is called OpenSSL and is used to encrypt the information that you send to and from websites, such as your login name and password or other sensitive information. You can usually recognize when websites encrypt information when you see a little closed padlock near the address of the website in your browser.
Unfortunately there are many different software implementations used to implement this encryption and there is no easy way to know whether or not a given website is running the particular version of OpenSSL that this bug is present in. We believe most large websites reacted quickly to the news of the ‘heartbleed’ bug and fixed it, however it will likely take a very long time for every website to do so.
Here are some tips to keep in mind over the coming weeks and months to help ensure the safety of your sensitive information as you surf and interact online:
- Do not use the same user name and password across multiple sites. Why so? Well think of your password as being a like a door key. In life in general it would be really convenient if we could all use one single key to open every door in our lives… our house, our car, our office etc. Our key-chains would be nice and compact. However, losing that one key to a criminal would also mean that they could potentially freely access every door in your life. Using the same user name and password for every website you use is the online equivalent of having the same key for every door. So although the large websites you use likely reacted to the ‘heartbleed’ bug very quickly, smaller ones may not have, and if you used the same username and password, then if a smaller website you use is compromised that same username and password might be used on one of the larger websites, even if they have already fixed the bug. If you need to access many websites, as most of us do these days, we recommend using a software password manager. Here is a link to ours: Norton Identity Safe, but there are many others on the market today too.
- Make sure you avoid simple passwords. Use a combination of upper and lower case letter with a few numbers sprinkled in is a good start. Also the longer the better a password is. Here is a link to a password generator that you might find useful.
- Be especially on the watchout for scams. News like that of ‘heartbleed’ is music to a scammer’s ears. They take advantage of events like this by sending out fake email messages asking unsuspecting users to ‘change your password because of the heartbleed bug’. Such messages are known as phishing messages. They can be very hard to spot. Although Norton products are good a detecting and blocking them if you do get a message asking you to reset a password, we recommend that you don’t click on any of the links in the email but rather navigate yourself to the website by typing the address into your browser by hand.
- Keep an eye on your sensitive online accounts. It’s always a good practice to to this anyway, but particularly now, pay special attention to online accounts (banks, email etc), as well as bank and credit card statements to check for any unusual transactions
Finally, if you are looking for something a little more technical on the background to this bug, we’ve got a lot more detail in a blog entry written up by one of our security researchers here: Heartbleed Bug Poses Serious Threat to Unpatched Servers