Calls for action and tips for dealing with Heartbleed abound. But still, some experts say, be afraid. Continue to be afraid, or at least, vigilant.
The security flaw in OpenSSL, encryption technology used by nearly two-thirds of websites, has been called an “11” on a scary scale of 1 to 10. It can be exploited to steal personal and sensitive information. “Catastrophic is the right word,” well-known security analyst Bruce Schneier wrote Wednesday.
So experts are saying change your passwords on Web services such as Yahoo, Google, Facebook and more. (That’s according to a “hit list” by Mashable, which shows that even some unaffected sites are recommending changing passwords just in case.) People are being cautioned to wait to change their passwords after they’re sure the website has implemented the fix to Heartbleed. And as we’ve mentioned, experts including Schneier have recommended a tool for checking a website’s vulnerability to the bug. LastPass is doing the same.
But even after all that, and although there seems to be no evidence so far that the security flaw has been exploited and used to wreak havoc, it’s not just the websites we visit that we have to worry about.
Everyday connected devices also use OpenSSL, Tom Simonite writes for MIT Technology Review. Devices such as cable boxes and home Internet routers, anything that’s networked, could be vulnerable.
“OpenSSL is like a faulty engine part that’s been used in every make and model of car, golf cart, and scooter,” one security-company executive told MIT Review. Another expert said some of these devices are not likely to get as much attention as high-profile websites and big corporations’ servers. And while the personal information that can be harvested from such devices may be limited or seemingly irrelevant to outsiders, think about recent news about data collection: There’s a lot that can be inferred from metadata, especially when combined with other information.
And finally, in case you haven’t had enough, here’s another notable thing from MIT Review article — again, this is a bit scary: We might want to watch out for those who say they’re trying to help make sense of Heartbleed, because they might not be as well-intentioned as they claim.
Screenshot above from Heartbleed.com