A flurry of information is coming out about the Heartbleed vulnerability that is affecting Internet websites everywhere. As the Information Security Officer at the Institute for Advanced Study (IAS), I worked closely with the Computing Groups across our campus to secure our services.
The question I'm getting asked now is, "What can I do to protect myself?"
Everyone's situation is different, so there is no 100% correct answer to this question. I thought it might be helpful to tell you the steps I took in response.
The news is correct: you should protect yourself by changing your password on sites that were affected. But how do you know which sites those are, and whether they have been patched so that you can safely reset your password? The last thing you want to do is change your password while a site is still vulnerable, because the new password can be exposed just like the old one.
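One check a practitioner can do for the "has this site been patched?" question is to look at when the site's current TLS certificate was issued. Heartbleed was publicly disclosed on 7 April 2014, and sites that patched were also advised to reissue their certificates because private keys could have leaked; a certificate issued after that date is a useful (though not conclusive) sign that the operator has finished cleaning up. The script below is an added example written for this page, not code from the original post or from IAS; the cutoff date is a fact about the disclosure, the hostnames and the `notBefore` sample strings are constructed, and the assessment wording is my own.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014 (fact; not from the post).
# A site that patched and rotated its keys should be serving a certificate
# with a notBefore date on or after this point.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after(not_before: str, cutoff: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """Return True if a certificate's notBefore string, in the format returned by
    ssl.SSLSocket.getpeercert() (e.g. 'Apr  9 12:00:00 2014 GMT'), is on or
    after the cutoff. ssl.cert_time_to_seconds() parses that exact format."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued >= cutoff


def assess(not_before: str) -> str:
    """Turn the date comparison into the advice this post is about: change the
    password only once the site is patched and has rotated its keys."""
    if cert_issued_after(not_before):
        return ("certificate reissued after disclosure; changing your password is "
                "reasonable if the site also says it has been patched")
    return ("certificate predates disclosure; the site may not have rotated its "
            "keys yet, so hold off on changing your password")


def check_host(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Network helper (assumed usage, needs connectivity): fetch the live
    certificate over a normal TLS handshake and assess its notBefore date.
    This is an ordinary client connection, not a vulnerability probe."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    not_before = cert["notBefore"]
    return {"host": hostname, "notBefore": not_before, "assessment": assess(not_before)}


if __name__ == "__main__":
    import sys
    # Usage: python check_cert_date.py example.com bank.example
    for host in sys.argv[1:]:
        print(check_host(host))
```

Two caveats belong with this check. A fresh certificate only shows that the operator reissued it, not that the underlying OpenSSL was patched first, so the site's own patch announcement still matters; and some sites were never vulnerable (no OpenSSL, or an unaffected version) and had no reason to reissue, so an old date is a reason to ask, not proof of a problem.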
So, here are the steps I took.
- I changed my IAS passwords. At the Institute, I have two main passwords that were the most critical to change.
- I updated my new passwords in my Password Safe.
- I started looking at my accounts on various Internet sites. PNC Bank, for example, has a large banner on their homepage. If the site said they were patched and ready for me to change the password, I did. If you use LastPass, you can see the status of some sites here.
- I updated my computer software and my mobile devices. This included the operating system, web browsers, Flash, Java and email clients. Heartbleed has exposed some vulnerabilities in many aspects of how we do computing that software vendors are working hard on updating. Don't let your Internet devices fall behind.
- I look for any odd activity on my IAS and Internet accounts.
- I continue to be wary of emails, phone calls, text messages and social network notices about this attack.
This is a bad bug, but it isn't the end of the world. If you follow the steps I followed, you have removed a large percentage of your risk.
Steps I take every day to protect myself
- If you don't utilize a secure password safe, now would be a great time to look into one. They are free, easy to use and allow you to use unique, strong, secure passwords on all the sites that you log into, without having to remember them.
- If you are still running Windows XP, here's some more information about your risk.
- Update your computer. This should be a regularly scheduled part of your week.
- I always diligently check my critical services (Institute accounts, banking, credit card, tax sites, etc.) for signs of compromise. If I see a weird transaction, or someone tells me that I posted something out of the ordinary on Twitter, or they received spam from me, I look more closely at the service. Many times, this will be enough for me to change the password. This is really easy with my Password Safe.
- There are some individuals who like to take a moment like this and turn it into a method to exploit people when they are vulnerable. Only trust messages that you have verified, by going to the website yourself, calling a known help number or talking with your support circle. Acting on a random, unverified email will compromise you just as quickly as, if not more quickly than, doing nothing.
Hope this helps, and safe computing!