Security Alert: Heartbleed Safety Tips
The recent Heartbleed bug has caused quite a stir, and with good reason. One of the basic foundations of secure Internet use over the last two decades has been the ability to send and receive sensitive data by using encryption in the form of the “Secure Sockets Layer”, or SSL, which is the HTTPS:\\ that many of us are familiar with.
The recent bug disclosure has revealed that certain versions of this protocol (specifically OpenSSL 1.0.1) have had a bug since December 31, 2011 and active exploits, which allowed attackers to view the memory of affected systems, including the decrypted usernames and passwords of users, have existed since at least March 2014, if not before. The implications to Internet users everywhere are huge and it will take some time to determine the scope of what has happened.
Though there is no evidence of a breach within the Spokeo system, in the short term, Spokeo’s dedicated information security team addressed the issue immediately and we have also implemented increased security controls to mitigate this attack. Most of the high-traffic and sensitive sites on the Internet have done the same.
Because the vulnerability puts almost everyone at risk, below are some tips from Spokeo’s Information Security Manager detailing what you can do to ensure that your exposure to adverse incidents on the Internet is limited. Many of these suggestions are not directly related to the Heartbleed bug but are considered best practices to ensure protection of your online information as you go about your normal daily business:
– CHANGE YOUR PASSWORDS! But first make sure that the sites on which you are changing them have updated their systems and SSL certificates
– Ensure password complexity. Your chosen words should have at least eight characters minimum, (12+ recommended), and a mixture of numbers, letters, symbols.
– Use a password manager (Keepass, Lastpass) to control your passwords and generate strong, random passwords, which are different for each site.
– Use 2-step (aka two-factor) authentication, where offered, for every site where sensitive or personal data is used. “Google Authenticator” is an example of this, allowing you to turn on SMS code verification whenever someone attempts to log in to your accounts.
– Do not share your password with others or repeat it across different sites.
– Use trusted devices and networks when logging into any site that you consider sensitive. This includes email and shopping sites that store your credit card data!
– Ensure you’ve installed an appropriate anti-malware program and enabled both real-time protection and regular scanning on your personal devices.
– Make sure your operating system and anti-malware products are kept patched and up-to-date.
– Run your computer as a normal user, not as an administrator (i.e. elevate your privileges only when you need to install a program, etc).
– Be suspicious of: 1. links within email, especially from untrusted sources, 2. requests from your bank or other vendors for personal information when initiated from their end, 3. USB keys and other devices, especially if they are not new or discovered (at a conference, on the ground, etc), 4. Less-travelled or smaller-company websites (such as torrent sites, etc) which might not make security a high priority
For more information on protecting yourself online, see the United States Computer Emergency Readiness Team’s (US-CERT) website at: https://www.us-cert.gov/ncas/tips. I’ve also provided some additional information regarding certificate checking here.