Thursday, April 17, 2014

EVERYBODY PANIC!


A few days ago, the newsfeeds were crammed with the latest thing to panic over. It concerns a vulnerability named Heartbleed that was found in a bit of software called “OpenSSL,” which is used on millions of popular websites. The flaw can reveal passwords and other sensitive information to scammers. OpenSSL is used by some very big names such as Yahoo, Bing, and many banks.

OpenSSL is a bit of encryption software installed on a website that creates a secure “tunnel” between you and whatever website you are transacting with. This tunnel is separate from the rest of the internet traffic and is encrypted so that any information transmitted between your computer and the website is supposedly invisible to prying eyes.
OpenSSL has been in use since 1998 with hardly a hitch. The good news is that the “good guys” discovered the flaw in OpenSSL and named it Heartbleed. The bad news is that this vulnerability has existed since 2012. The good news is that it was fixed a few days ago on April 7th. The bad news is that no one knows if the bad guys knew about this flaw before the good guys discovered it. So, therefore PANIC!

So should you really panic? Of course! I personally think a good screaming fit is good for the soul. But should you actually worry about it? Well, that’s a bit muddy. Yes, you should always worry about website security and you should change your passwords from time to time--despite the fact that almost none of us ever do. But this is mostly another case of overhyped news stories from news sources competing to panic the most people.

I would certainly urge caution as this is a widespread problem. In fact, it is probably as widespread as many other unreported problems. There is an easy way to test whether or not a website is (or was) vulnerable. Simply visit www.lastpass.com/heartbleed, enter the name of your website, and it will tell you whether or not to change your password. It is important to keep in mind that, if a particular website was vulnerable, you should NOT change your password unless they report that the problem was fixed. If you just willy-nilly change all your passwords and the problem hasn’t been fixed, you can expose your new passwords to scammers.

Speaking of things to panic about: We’ve gotten a rash of inquiries about the “expiration” of Windows XP a couple of weeks ago. Should you buy another computer? Should you be concerned about security? Are there other things you need to worry about? Answer: No, no and yes. I’ll address all those questions in my next installment. Until then, by all means have yourself a screaming fit.
