Tech Talk: A HeartBleed Update

By Brian Boston

What a Difference a Week Makes – HeartBleed

The dust has settled on the alarm around HeartBleed, the bug in secure web connections between your computer and many of the web sites through which we shop, bank, and communicate. If you haven’t taken action to protect yourself, now is the time to do so.

What have web sites been doing to protect us?

Most sites have been patching their systems to eliminate the bug in SSL (or https-type) connections. As I mentioned in last week’s posting, the number of vulnerable sites among the top 10,000 sites has dropped from 630 pretty quickly to below a hundred. That should protect all of us going forward.

The next step many sites are taking is encouraging you to change your passwords on their previously vulnerable sites. This is a precaution to ensure your safety in case your current password or personal information was taken before the site was protected. I have seen notices posted on sign-in for various sites. Some have also be sending subscribers email either indicating no vulnerability was present or encouraging a password change.

Do I really need to do anything?

Yes. Do not wait to be notified, especially if you have a Dropbox, Facebook, GoDaddy, Google, Flickr, Netflix, USAA, Yahoo, or YouTube accounts. Those are sites that have indicated the need for a password change.

Aside from these sites, you can find out where passwords should be updated a few ways:

• Mashable recently updated their list of sites that have issued statements on the topic and whether you should change a particular site’s password or not.
• Use security consultant Filippo Valsorda’s testing results to compare which of the vulnerable sites he found on the 8th of have been patched (an important step before changing your password on a particular site).
• Filippo’s testing site can be used to check your site’s vulnerability.

Bottom line: if there is any concern about your web site or web site account, change your password.

What about network routers? I heard they might have been affected.

Cisco and Juniper, two major networking manufacturers, have reported that some of their business-class routers have the bug and have fixes (Cisco’s list, Juniper’s list). This problem appears to be limited to them.

Linksys (formerly owned by Cisco until its purchase by Belkin last year) has said they don’t have the vulnerability. No other consumer routers wireless or otherwise have indicated a problem.

What this about Android?

Yes, a older version of Android (4.1.1) is reported by Google to have the bug on various tablets and smartphones. A fix has been issued to the device manufacturers who will be rolling it out as an update to the affected devices.

4.1.1 is an early version of Android’s Jelly Bean still used by around 34% of Android device users. You can check your version of Android, by going to Settings and scrolling down to “About device” at the bottom of the list. If you tap “Software Update, ” you can also check if for any updates to your version of Android.

Alternatively, you can install the free Heartbleed Security Scanner from mobile security developer Lookout to check your device for vulnerabilities and offer recommendations.

~~~~~~~~~~~~~~~~~~~~~~~

Do you have a follow up on this topic or technical question on that needs to be answered or explored? Please share it with me at brian@bostonlegacyworks.com. Your question may show up here on Tech Talk.

On Sunday, April 27th, Brian will be leading another Computer Q/A at The Commons session at Third Place Commons in Town Center at Lake Forest Park. The 2:30pm session topic is “Making Sense of Social Media.” More information at thirdplacecommons.org/calendar.