Internet and Security Updates
Heartbleed Followup
Lest you think the Heartbleed concerns were merely a false alarm: 4.5 Million Patient records were stolen by hackers, presumably due to the exploit.
The hackers took advantage by finding a device that had not been patched, exploiting the bug in order to steal user credentials. They used this data later to login into the network of Community Health Systems and captured patient names, phone numbers and social security numbers.
If you are concerned that your information might be among what was stolen, our recommendation is to invest in an identity monitoring type program or to lock down your credit report so that credit cannot be opened in your name.
As we’ve said before… Update your passwords often. Keep them unique – do not use the same passwords for every online account you own. Make them challenging – include numbers, letters, different cases, and symbols if allowed. Use password management software to keep track of all this. And it is always a good idea to keep an eye on your credit report.
More Data Theft from Stores
Unrelated to Heartbleed, SuperValu, the Minnesota parent company of Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save, and Shoppers Food and Pharmacy, Albertsons, Jewel-Osco, announced that 180 stores in North Carolina, Maryland, Virginia, Illinois, Missouri, North Dakota, and Minnesota were affected. The stores are reporting they quickly fixed the security breach and it’s safe to use credit cards in their stores again.
There’s no sign yet of the data being sold on the black markets. Credit card data is said to be selling at $20-100 per card, often purchased in bulk as one-time use.
It’s always a good idea to keep track of credit card statements; credit cards carry theft protection, and if theft is detected they should be contacted quickly as possible. It’s also wise to prepare for data and identity theft in advance, with the assumption that it will eventually happen. Make a plan of action: Contact credit-reporting agencies, get a copy of your credit report, and in the case of identity theft, file an identity theft report.
Heartbleed
What Heartbleed is, and What You Should Do
What is it?
Heartbleed sounds scary by the name alone. It’s all over the news, but just what is it? What should the average Internet user do about it? Heartbleed is complicated and involves some Internet security understanding, but here we’ll strip out most of those details and get to the essentials.
Heartbleed is a bug – a mistake in security code – that has potentially allowed in-the-know hackers to exploit the problem and grab unencrypted usernames, emails, passwords, and other random sensitive information a bit at a time through small packets of data, nicknamed “heartbeats.” The bug has been around for two years, but it was only just discovered by companies Codenomicon and Google.
Who is Affected
Any “secure” website using the security software OpenSSL which had the buggy code (an update within the last two years) could potentially be compromised. Nobody knows for sure if they HAVE been compromised. It is possible that up to two thirds of the web could have this bug. There are a lot of unknowns.
Some big websites may have been affected: Yahoo, Google , and Facebook. Though these websites have already updated their software, they suggest that users still take the time to change their passwords.
Some websites never used the vulnerable software: big banks were less likely to use the open source software, Microsoft said it was unaffected, and LinkedIn seems to have been safe.
Why Should You Be Worried?
You should be worried because if someone has exploited the bug, your usernames, emails, passwords, security questions, and other sensitive information could have been available to malicious users for the past two years. If you use the same passwords (or similar passwords) on multiple sites, this could give them access to those other websites as well.
If a website with the compromised code does not update, they are still an open gate. If a website has updated but you have not changed your password, someone might have that info to use when they see fit – if someone has grabbed that info in the past, they still have it.
We don’t know how extensive the problem is – entire website databases could have been compromised. The good news is that the bug was brought it to our attention rapidly after it was discovered, allowing word to get out before the bug was exploited on a wider scale.
Recommendations
There is only so much a user can do. The biggest problems lie on the website side of things, and it is the responsibility of those website owners to update their keys. If the website has not run updates on their side, the bug can still be exploited even if you change your passwords.
Most big companies updated their software right away and recommend changing your passwords. Unfortunately, not all companies are being clear about whether or not they were vulnerable to the problem, and if they have since patched the bug.
Our recommendations are to do the following:
- Update your passwords on all of the websites you use, especially ones where you store sensitive or personal information.
- Make sure all your passwords are different – do not use the same one for each website.
- Be prepared to change your passwords again in case a site has been slow to update.
Best Practices Going Forward
It’s hard to remember many complicated passwords (and complicated passwords are the most secure), so we recommend using a program like LastPass or KeePass to keep track. While nothing is entirely failsafe, they are a lot more secure than trying to remember many simple passwords or even worse, using the same password everywhere.
It is also good practice to update your passwords periodically.
When, Not If
The internet is complex and only getting more so, and for better or worse much of it is unregulated. When it comes to any kind of security breach or data theft, expect that something could potentially happen, and work out a plan for what to do when it does.
Follow Appletree Mediaworks on Twitter or like us on Facebook. Visit our website for more information on data and security and what to do about breaches, and about what’s happening on the web.
—–
Common Sites You Should Change Your Passwords For
Password Changes Suggested (They have updated their SSL)
Facebook
Tumblr
Google/Gmail
Yahoo
Turbotax
Dropbox
SoundCloud
Okay/Don’t need to change passwords*:
LinkedIn
Amazon
AOL
Outlook/Hotmail
Paypal
Target
Most big banks
Taxes/Accounting sites (except Turbotax)
Evernote
Unclear: (Have not made an official statement – they claim to be okay, in some cases)
Twitter
Apple
Ebay
Netflix
* It can’t hurt to change your passwords anyway. Just be prepared to do it again if necessary.
Technical Details of Heartbleed: http://heartbleed.com/