Last week, on Monday, April 7th, a major vulnerability in internet security was made public: the Heartbleed bug. Due to a programming error in a widely used piece of encryption software, a vulnerability opened up that could have been exploited by hackers. While there is no concrete evidence of data theft yet, it is possible that credit card and social security numbers, confidential business documents and private emails have been compromised.
The good news is, the bug has since been fixed, and major web companies are busy right now working on the issue and investigating if data has been stolen. Here at ReadyForZero, we immediately looked into the issue, locked down our most sensitive features until we made sure that everything is secure, and restored our full service within 24 hours (Read more here).
If you are interested in the technical details, this website gives a good overview.
Why should I care? Isn’t this just another security warning I can safely ignore?
Not exactly. The bug affects technology that is used on about two thirds of the internet, which makes it likely that you have visited a website or used an online service that was not secure. What makes it even worse is that Heartbleed has gone undetected for over two years.
This means Heartbleed is an exceptionally impactful security vulnerability that no one should take lightly. Computer security expert Bruce Schneier called Heartbleed “catastrophic” and stated: “On the scale of 1 to 10, this is an 11”.
Is my data at risk?
The nature of the Heartbleed bug is that attacks leave no trace. Whether data has been stolen or not simply cannot be answered at this point; it will only become clear in the future, if and when the effects show. Given that the Heartbleed vulnerability, although it became public only a few days ago, has been around for over two years, there has been plenty of time for potential attacks.
So the answer is: yes, your data was at risk.
Ok, so what is the worst case scenario that could have happened to my data?
Imagine you’d kept a neatly hand-written list with all your passwords, credit card information, and social security number in a big, expensive safe at home. Plus, your most private letters, photos and very important business documents. Good thing you locked them away safely, right?
But now you’ve discovered that for the past two years the door was open for brief periods of time and someone could have peeked in without you noticing. Maybe you haven’t noticed anything yet, but in theory, it is possible that someone…
looked at your bank information
looked at your social security number
saw other private data
That sounds scary. Is there anything I can do to protect my data?
Immediately after the bug became public, the most secure advice was to use the internet only very carefully for a while: avoid any communication between you and a web server, especially when sending sensitive data like passwords, your social security number, or confidential information that simply no one should read. But since living without the internet for longer than 5 minutes is not an appealing option for most of us, here are our alternative recommendations:
1. Avoid logging in to websites that have not resolved the issue
… or haven’t given an update on the state of their security. Instead contact their customer service for information, and urge them to address the issue.
2. Update your passwords
Make sure that the website has addressed the issue and is not vulnerable. Here is a list of websites that is being updated frequently. Once you have verified that, go ahead and pick a new password. On most services, changing the password is a quick and easy process. For example, start with your ReadyForZero password – it is safe to update right now!
Most urgently, protect your email account: if anyone gets hold of it, they could gain access to all other services that are registered under that email address, and could easily pretend to be you.
3. Beware of Phishing Attempts
Be extra careful when you receive emails warning about the Heartbleed bug that prompt you to change passwords. While many companies act responsibly and inform their customers about the vulnerability via email, it can be expected that cyber criminals will try to take advantage of the situation. Be sure you don’t get fooled by them. The way phishing emails work is that they look almost exactly like a legitimate email, except that the links take you to a fake website asking you to enter your username and password. So to be safe, instead of clicking on the links in the email, type the website’s URL into your browser yourself.
4. Enable Two-Factor Authentication
“Two-factor authentication” is an extra layer of security that is stronger than using just a password. It means that, in addition to your password, you need to confirm a code sent to your phone by text message before you can access a website. Many websites offer it. Here is a great list of websites with links to their settings pages and detailed instructions for many of the major websites.
5. Manage Your Passwords
This is a good time to work on your overall password hygiene: make sure you use a different password for each service, change them regularly, and make them hard to guess (hint: myfacebook123 is not a good password). Here’s a great guide on how to pick secure passwords.
If this sounds like a lot of work, we’re sorry to say that yes, it is. Luckily, there are tools out there that help you manage your passwords, such as LastPass or 1Password. They were not affected by the Heartbleed vulnerability and are safe to use right now.
6. Don’t Panic!
While this bug is very severe, so far no exploits of Heartbleed have been made public. If there’s a positive outcome of all of this, it’s that security teams around the world are pushing updates and improving their security while they are at it. Plus, after taking steps 1-5, you can pat yourself on the back and rest assured that you are now surfing the internet much more securely than before.
What did ReadyForZero do about it?
As soon as we learned about the Heartbleed vulnerability, we responded: our main site was moved to non-vulnerable servers, we generated new encryption keys, and we completely disabled the billpay and credit score features. Within 24 hours, we applied the fix to all parts of our site and restored full service. We explained our actions in more detail in this post.
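Step 2 above says to verify that a site has addressed the issue before changing your password, and this section mentions that new encryption keys were generated. One observable sign of a rekeyed site is a certificate issued after the April 7th disclosure date. The following is an added example (not code from the original post or from ReadyForZero) that fetches a site’s certificate and checks its “not before” date against that cutoff; the sample certificate dictionary is constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed became public on Monday, April 7th, 2014 (date taken from the post).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after(cert: dict, cutoff: datetime = DISCLOSURE) -> bool:
    """Return True if the certificate's notBefore date is later than cutoff.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(), e.g.
    {'notBefore': 'Apr  9 00:00:00 2014 GMT', ...}. ssl.cert_time_to_seconds
    parses that string into seconds since the epoch (GMT).
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before > cutoff.timestamp()


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a validated TLS connection and return the server's leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def site_looks_rekeyed(host: str) -> bool:
    """Live check: was the site's current certificate issued after the disclosure?"""
    return cert_issued_after(fetch_peer_cert(host))


# Constructed sample (not a real certificate): issued two days after disclosure.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Apr  9 00:00:00 2014 GMT",
    "notAfter": "Apr  9 23:59:59 2016 GMT",
}

if __name__ == "__main__":
    print("sample cert issued after disclosure:", cert_issued_after(SAMPLE_CERT))
    # Uncomment to test a live host (requires network access):
    # print("live site looks rekeyed:", site_looks_rekeyed("www.example.com"))
```

A fresh issue date is a necessary but not sufficient sign: a certificate can be reissued with the old private key, so treat a positive result as one input alongside the site’s own status update, not as proof.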
We hope this post helped to shed some light on a complicated technical issue that is relevant for every internet user. If you have any further questions about ReadyForZero’s security, please don’t hesitate to email us at firstname.lastname@example.org. Be safe out there!