ATI's Heartbleed Bug Page

  • ABOUT the BUG – Many links for more details about the bug

  • WHAT to DO – Detailed steps on what you need to do to protect yourself

ABOUT the BUG....



WHAT to DO....
(Detailed steps on what you need to do to protect yourself)

A. Determine all your Internet accounts, then change your passwords and delete cookies, but only after each Web site, Internet service, or app has confirmed they have patched the Heartbleed bug and generated new security certificates.

1. Determine ALL devices you use to connect to the Internet, including, but not limited to: computers, tablets, smart phones, and smart TVs.

NOTE: the bug could potentially affect any home (or business) device that's connected to the Internet, including a Wi-Fi-enabled Blu-ray player, as well as things like smart thermostats, security systems, and lighting systems.

2. Determine ALL your Internet accounts.

a. For each device, determine ALL of the Web sites, Internet services, and apps at which you have an account. Be sure to include all sites for:

Banks
Cable, Internet, phone, satellite, and TV providers
Computer hardware & software
Dating services
Email
Financial
Gaming
Government
Internet providers
Health and medical
Media / news / sports
Messaging
Movies, videos, TV shows
Music
Password managers
Photographs
Real estate
Reference sites
Retail, shopping, and commerce
Shipping services
Social networking
Taxes
Travel
Utility companies
Weather

to name a few, and ANY place where you have an account, and/or store or have shared sensitive information that you expect to be secure. Be sure to consider any app, Web site, or service that requires login credentials and goes to, or through, the Internet. Don’t forget those places that store passwords and log you in automatically. 

b. Pull out all your records of accounts and passwords.

c. Look at all the bookmarks and favorites in your Web browsers (Internet Explorer, Firefox, Chrome, Safari, Opera, to name a few) for the sites you commonly visit where you have an account.

d. Browse through your computer, tablet, and smartphone apps, programs, and applications, and make note of any that sync or share your data with the Internet, and make note of the accounts involved.

e. If you’re an Apple Mac user, look at the apps and sites listed in Keychain, which holds usernames and passwords. (Keychain is located in the Utilities folder within your Applications folder.)

f. If you use a password manager, take note of those accounts as well.

g. Android users can check on their device’s Heartbleed risk using Lookout’s Heartbleed Detector app, or use Bluebox Heartbleed Scanner to evaluate both the operating system and installed applications. According to Google, most gadgets that run its mobile operating system are safe from Heartbleed exploitation, except those that run Android 4.1.1. But Lookout claims that around 5% of Android 4.2.2 devices could be affected.

h. There’s also a Heartbleed app for Windows Phone, though it’s simply a URL checker.

i. Apple says its iOS (used in its iPads, iPhones, and iPod Touches) is not vulnerable to Heartbleed. But note that individual apps may be at risk.

3. For ALL Internet accounts, determine if the company involved was vulnerable to the Heartbleed bug. And if so, find out if they have fully fixed things and reissued their digital security certificates.

The better sites, services, and apps might notify you in some form with an official announcement, somewhere. With the lesser or smaller ones, you will have to ask them.

But do not wait for an official announcement. In fact, even many of the bigger, more popular sites are doing a lousy job of informing their customers. So find out on your own if a site, service, or app was vulnerable. If so, find out if the Heartbleed bug has been patched. The easiest way may be to simply contact the company involved and ask them:

  • Were any of your Web sites, services, or apps at any time vulnerable to the Heartbleed bug?
  • If NO, when and how will you let us (all your customers) know that your system is safe?
  • If YES, have you patched and/or updated your OpenSSL software to deal with the Heartbleed flaw, revoked old SSL certificates, and generated new certificates and private security keys?
  • Have you since run security tests to verify you are no longer vulnerable?
  • Is it now safe to change our passwords at your site, service, or app?
  • If you have not yet fixed things, when do you expect to do so?
  • How will you let us (all your customers) know when you have fixed things?
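Added example, not part of ATI's page: a Python sketch of the two checks behind the patch and certificate questions above, for an IT department or a careful user. The affected OpenSSL release range and the 7 April 2014 disclosure date are the facts it encodes; the sample certificates are constructed stand-ins for what a live TLS connection would return.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of Heartbleed: 7 April 2014 (the page's "4-7-2014").
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Affected upstream releases: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g (7 April 2014), 1.0.2-beta2 and the 0.9.8 / 1.0.0 branches are not.
# Caveat: distributions backported the fix without bumping the version letter,
# so "vulnerable" here means "ask the operator", as the page advises, not proof.
def openssl_version_vulnerable(banner: str) -> bool:
    """True if an `openssl version` banner names an affected upstream release."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?", banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    if (major, minor, fix) == ("1", "0", "1"):
        return letter <= "f"          # "", a, b, c, d, e, f are affected
    if (major, minor, fix) == ("1", "0", "2"):
        return beta == "-beta1"
    return False

def cert_reissued_after_disclosure(peercert: dict) -> bool:
    """True if notBefore is on/after disclosure day: the site got a new certificate."""
    issued = ssl.cert_time_to_seconds(peercert["notBefore"])
    return issued >= DISCLOSURE.timestamp()

def password_advice(was_vulnerable: bool, patched: bool, peercert: dict) -> str:
    """The page's rule: change a password only after BOTH the patch and a new cert."""
    if not was_vulnerable:
        return "no change needed"
    if not patched:
        return "stay out until patched"
    if not cert_reissued_after_disclosure(peercert):
        return "patched but old certificate; wait"
    return "change password now"

def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Ordinary TLS handshake that only reads the server certificate (for live use)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates, in the dict shape getpeercert() returns.
OLD_CERT = {"notBefore": "Jan 15 00:00:00 2014 GMT", "notAfter": "Jan 15 23:59:59 2016 GMT"}
NEW_CERT = {"notBefore": "Apr  9 12:00:00 2014 GMT", "notAfter": "Apr  9 12:00:00 2016 GMT"}
```

For a real site, pass `fetch_peer_cert("login.example")` in place of the sample dicts; remember the page's point that a certificate dated after 7 April 2014 is necessary but not sufficient, since a site may have reissued without changing its private key.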

As Charlie Russell said very well on this Web page:

"When evaluating a Web site or Internet service that you use, consider the following:

  • If a company says it was vulnerable and is working to fix the issue — then be afraid, as it may still be vulnerable. Stay out of the website, because logging in can expose your passwords. Wait until the company says it’s safe, then quickly go in and change your password. Keep in mind that even if someone says there was no indication of a threat, one of the nasty aspects of this security hole is that it’s impossible to detect if anyone stole information using Heartbleed. By this time, though, I don’t think there will be many major websites with this status. [But it's all the vulnerable, unfixed non-major ones that could be trouble down the road.]

  • If a company says it used a vulnerable version of OpenSSL but fixed the problem, then change your password right away. Please use a unique password for each site, don’t share passwords with multiple sites, and don’t reuse old passwords.

  • If a company didn’t use the vulnerable version of OpenSSL then you don’t have any worries; the company wouldn’t be affected by Heartbleed. However, since this bug has existed for several years, you should learn more – did the company ever use this version?

  • If a company uses Microsoft web technologies instead of OpenSSL then it’s generally in the clear – Microsoft web technologies aren’t vulnerable to Heartbleed. The only concern here is if the company used OpenSSL in some portion of its website."

Be sure to use this Web page – ATI's Heartbleed List. It lists many popular and common Web sites, if they were vulnerable, and if you should change your password or contact the company.

There are also Heartbleed checker Web pages available, which check a Web site for the Heartbleed vulnerability. Check these out, but do not put complete trust in them, as they do not agree with each other, and sometimes give false results. If in doubt, contact any company you're not sure about. And be sure to enter the URL used when you log in to a site, not just its main URL.

Recommended Heartbleed Checker:

  • Heartbleed Checker, from LastPass - may be more accurate than the others, and/or it errs on the side of caution. If there's any doubt, and the checker indicates the company used OpenSSL and has since updated its software and certificates, change your password for that site.

Other Heartbleed Checkers:

  • Heartbleed Checker, at Hostgator
    • A report of SAFE means the site was vulnerable to the Heartbleed bug but has now been fixed so it's now safe to change your password. (Remember, changing your password before a site is patched will not protect you and your information.)
    • If it reports the site "did not use SSL" – you do not need to change your password.
    • If the site is still vulnerable, your best bet is to monitor activity on that account frequently looking for unauthorized activity.

  • Heartbleed Checker, from Filippo Valsorda - the results are unclear, because it will say a site is "fixed or unaffected" -- and that's misleading, because if a site was fixed you should change your password, but if a site was unaffected you do not need to. So be safe and change your password when you get that result.

  • Heartbleed Checker, from Qualys - for the technicians.

To be ultra safe, don’t log into any site that is vulnerable until AFTER it's been patched. Because Heartbleed is a live exploit, changing your password on an unpatched site is more likely to expose it than doing nothing. Avoid vulnerable sites until after you know they are fixed, and only then go to that site and change your password.

Adam Engst said, "Because the bug is now public, you should assume that any vulnerable Web site is under active attack, and if you have logged in since the bug was exposed, it’s best to assume that someone may have your password and potentially any other data you transmitted in that session. ... any online criminal or intelligence agency worth its salt could be automatically hoovering up as much information as possible (from vulnerable Web sites)."

And for any site you find still vulnerable, gently "yell" at them for not implementing the patch for Heartbleed already. (It's been well-known now since 4-7-2014.)

Note that although major vendors and websites are scurrying to fix this problem now, smaller apps, services, and sites might take more time. It will likely take a very long time for every website to do so. Or worse, they might ignore the problem altogether! One expert said, "It will likely take years before the Heartbleed threat can be considered largely neutralized."

4. Once you know a vulnerable site, service, or app has fixed the Heartbleed bug, and only then, go to that site and change your password with them.

(DO NOT change the password if a site, service, or app has not fully dealt with the Heartbleed bug. Because if they have not, the password you give them now could still become known by criminals, and you’ll have to go back a second time and put in (yet another) new password after the site or service has fixed the bug.)

DO NOT use the same password across sites. Always use a unique password at each site. If you used a password on a vulnerable site, and then used the same password on a safe site, you still need to change your password on the safe site, too. In fact, if you used the same password across more than one site, and any of those sites were vulnerable, the password at all those sites may now be known by criminals. So the passwords at all sites involved must be changed, as well!

When changing passwords, be sure to create good, strong ones. See here for password recommendations.

If you're not using a password manager, get a good notebook to store your passwords in a very organized manner, so they are easy to find and read when you need them. Store that notebook in a safe and secure location where no one (but you) can find it.

Expect the need to change your passwords again as more security flaws arise. (You should be changing your passwords on a regular basis, already.) And expect the need for greater security, better passwords, and additional security measures as time goes by.

5. Note – As one expert said, "You won't (really) be done until EVERY (vulnerable) site you use has patched OpenSSL and reissued its digital certificates. (And then you've changed your password at that site,) There's no question, it's going to be a pain to stay on top of all that."

B. Delete cookies, cache, and browsing history for all Web sites involved.

Do this from within all Web browsers (on all your computers and other Internet devices), and use a cleaner utility that handles this type of data for a secondary cleaning.

C. Monitor your online accounts

For at least the next several weeks, keep an eye on any of your sensitive online accounts (banking, Webmail, etc.) for suspicious activity.

D. Should you be worried about your bank account?

YES. Many big banks don't use OpenSSL, but instead use proprietary encryption software. But many smaller banks may be vulnerable – it's still unclear.

To be sure, contact your bank directly for confirmation that their online banking Web site is secure.

Keep a close eye on any and all financial statements to make sure there are no unfamiliar charges.

E. Fix / delete secondary data

Users may need to delete encryption keys and other data to be secure. Hopefully sites, services, or apps will instruct users about what needs to be done. But do not expect all sites that need to, to do this!

F. Other To Do’s

Watch your email for notifications from affected sites telling you it's now time to reset your password. But note that, so far, companies have done a very poor job of notifying customers. And be on the lookout for fake phishing messages posing as legitimate companies and luring you to malicious sites. To be safe, always enter the site’s URL directly into your browser rather than clicking on the reset-password link in the email message.

Be very diligent about downloading and installing any software updates you may receive.

Be on the lookout for all kinds of junk email offering magic solutions to all your Heartbleed problems. They'll all be spam, and will either contain malware or point to sites that contain malware. Know that there's no quick or easy fix for Heartbleed.

Install a browser extension (but note these have rather limited capability):

  • Such as Netcraft (for Chrome, Firefox, Opera) to see if sites you're visiting are affected and get browser notifications.

  • Firefox users — install the free add-on to check a site’s vulnerability; it provides color-coded flags. Green means go and red means stop. You can download it here. But do not expect it to be 100% accurate.

  • Google Chrome users — install the Chromebleed Chrome extension. Once installed, you'll receive a warning any time you visit a site that was affected by Heartbleed. But do not expect it to be 100% accurate.

Check with the company that makes any router you are using to see if they are vulnerable or are having any problems.

At any Wi-Fi location you use, ask if they have checked with the manufacturer of their router to make sure they are safe. If they don’t know what you’re talking about, tell them to contact their IT department, then consider going somewhere else.

Read the Web pages at the ABOUT the BUG section above (and elsewhere on the Web) to learn more about the Heartbleed flaw and how it affects us all.

G. These Web sites offer some advice on what we all need to do because of Heartbleed: