New Castle News

April 14, 2014

Heartbleed raises the stakes on Internet security

Mitchel Olszak
New Castle News

NEW CASTLE — My column last week dealt with Internet and related scams, along with steps people can take to protect themselves.

Today’s column could be termed Part 2 of that topic, albeit from a different angle.

If you are a regular reader and viewer of news — and especially if you keep track of what’s happening regarding the Internet — last week you were probably introduced to the term “Heartbleed.”

To make a long and extremely technical story short, Heartbleed is a term applied to a recently discovered flaw in a commonly used Internet encryption program called OpenSSL.

Many websites — supposedly hundreds of thousands — offering secure password logons use this program, presented to customers and users as a way to protect them from hackers and Internet thieves. But it turns out that for the past two years, the Heartbleed flaw has given hackers virtually unlimited access to passwords and other private information.

And apparently, it’s not just websites. Heartbleed may have affected firewalls and other security-related programs. The situation is still being assessed.

At this point, no one knows the extent of damage or infiltration, because those who exploit Heartbleed can do so and leave no trace. Perhaps in the coming months, we will get a better picture of what’s been lost and how such a security slip-up could occur.

But that’s mainly for the experts to sort out. For the average Internet user, the primary concern is self-protection. And that probably means changing a lot of online passwords.

Unfortunately, the solution is not as simple as that. Security experts say it is pointless to change a password until the website involved has taken steps to protect itself from Heartbleed. Until that happens, changing a password is akin to handing it over to the hackers.

This means you will have to determine the status of each website before altering a password. There are sites online that can provide assistance with this effort, but I’m guessing scammers are out there already providing fake lists. Another option is to contact sites directly to determine their status.

There are authorities online that can offer better guidance than I can on these points. Just be sure the information is from a reliable and knowledgeable source. Don’t rely on the urban legends spread by babbling bloggers.

When you do go to change your passwords, take this opportunity to make them secure. (Hint: The password “1234” won’t protect you.) Your passwords should all be different and sufficiently complex and even random to help thwart hackers and scammers.

And we all should take the time to review our bank accounts, credit card statements and other financial sources that could have been endangered by Heartbleed. Anything unusual warrants additional action.