Unless you’ve been vacationing on a tropical island for the past few days, you’ve likely heard of the “Heartbleed” bug, a computer security vulnerability that can reveal the contents of a server’s memory and expose private data such as user names, passwords and even credit card information.
The Heartbleed bug is a flaw in OpenSSL, popular open source software that implements the Secure Sockets Layer (SSL) protocol. The flaw, discovered on April 7 but apparently in existence for two years, means that attackers can copy a server’s digital keys and use them to impersonate the server or to decode communications from the past (and, potentially, the future).
The Canada Revenue Agency has become a victim of this bug. The Better Business Bureau (BBB) offers the following recommendations to protect yourself from the Heartbleed bug:
For businesses: BBB recommends that businesses immediately check whether their website(s) use OpenSSL and whether they are or have been vulnerable. One way to check, recommended by tech/media website CNET, is a tool developed by a cryptography consultant.
For consumers: CNET has also published a list of the top 100 websites (http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/), which it is updating regularly as it checks for vulnerabilities and repairs. Consumers can check this list or use the tool mentioned above to see if websites they regularly use are free of problems or have fixed their vulnerabilities.
It’s also imperative that consumers change passwords on all sites, particularly those that retain personal identifying information. Change your password after confirming that the site is not vulnerable or has fixed its SSL.