Heartbleed security vulnerability

I hadn’t been paying much attention to the Heartbleed vulnerability, but a colleague talked me through it and I thought I’d share what I learned.

By way of background, Mashable calls the Heartbleed bug “one of the biggest security threats the Internet has ever seen.” The bug itself is in OpenSSL, the library that a large share of websites use for HTTPS: a missing length check in its TLS “heartbeat” code lets anyone who can connect to a server read up to 64 KB of that server’s memory per request, and that memory can hold whatever the server was working on at the time, including users’ passwords, session cookies and even the server’s private key.

From what I understand, passwords may have been compromised for many of the Internet’s most popular services, including Facebook, Google, Yahoo, YouTube, Dropbox, etc. (full lists from Mashable and CNET).

Even though all of these sites have now addressed the vulnerability, there is no way to know whether passwords have been stolen (the attack leaves no trace in a server’s logs) and, if they have, when your account might be hijacked. That is also why it only makes sense to change a password once the site has patched; changing it before that just sends the new password through the same hole.
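What that memory read looks like, as an added illustration that is not part of the original post and not OpenSSL’s own code: a constructed C model of a heartbeat request handler, where the “heap” is a single byte array holding the received record followed by an unrelated secret. The vulnerable handler trusts the length field in the request; the fixed one, shaped like the OpenSSL 1.0.1g patch, compares that length against the number of bytes actually received and drops the request otherwise. The secret string, the 256-byte arena and the 200-byte claimed length are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSL: a slice of process memory holding one
 * received TLS heartbeat record, with some other allocation (a secret)
 * sitting right after it, the way adjacent heap chunks do. */
#define ARENA_SIZE 256
#define HB_REQUEST 1
#define HB_PADDING 16   /* RFC 6520: at least 16 bytes of padding */

/* Heartbeat request on the wire: type(1) | payload_length(2) | payload | padding(16) */
struct arena {
    uint8_t mem[ARENA_SIZE];  /* record starts at offset 0, secret follows it */
    size_t record_len;        /* bytes the peer actually sent in this record */
};

static const char SECRET[] = "password=hunter2";   /* constructed sample data */

/* Lay out a request that claims `claimed_len` payload bytes but carries only
 * `actual_len`, then place the secret immediately after the record. */
static void build_arena(struct arena *a, uint16_t claimed_len, size_t actual_len)
{
    if (actual_len > ARENA_SIZE - 3 - HB_PADDING - sizeof SECRET)
        actual_len = ARENA_SIZE - 3 - HB_PADDING - sizeof SECRET;   /* keep the model in bounds */
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = HB_REQUEST;
    a->mem[1] = (uint8_t)(claimed_len >> 8);
    a->mem[2] = (uint8_t)(claimed_len & 0xff);
    memset(a->mem + 3, 'A', actual_len);            /* the real payload bytes */
    a->record_len = 3 + actual_len + HB_PADDING;
    memcpy(a->mem + a->record_len, SECRET, sizeof SECRET);   /* neighbouring allocation */
}

typedef size_t (*hb_handler)(const struct arena *, uint8_t *, size_t);

/* Vulnerable handler: echoes back as many bytes as the request *claims*,
 * reading straight past the end of what was actually received. */
static size_t heartbeat_vulnerable(const struct arena *a, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = a->mem;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != HB_REQUEST || payload_len > out_cap)
        return 0;
    memcpy(out, p + 3, payload_len);   /* copies beyond a->record_len */
    return payload_len;
}

/* Fixed handler, the shape of the OpenSSL 1.0.1g change: header, claimed
 * payload and padding must all fit inside the bytes actually received. */
static size_t heartbeat_fixed(const struct arena *a, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = a->mem;
    if (a->record_len < 1 + 2 + HB_PADDING)   /* too short to hold a length at all */
        return 0;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != HB_REQUEST || payload_len > out_cap)
        return 0;
    if ((size_t)1 + 2 + payload_len + HB_PADDING > a->record_len)
        return 0;                        /* silently discard, as the patch does */
    memcpy(out, p + 3, payload_len);
    return payload_len;
}

/* Bytes the handler returns for a request claiming `claimed_len` but sending `actual_len`. */
static size_t scenario_bytes(hb_handler h, uint16_t claimed_len, size_t actual_len)
{
    struct arena a;
    uint8_t resp[ARENA_SIZE];
    build_arena(&a, claimed_len, actual_len);
    return h(&a, resp, sizeof resp);
}

/* 1 if the handler's response contains the neighbouring secret, else 0. */
static int scenario_leaks(hb_handler h, uint16_t claimed_len, size_t actual_len)
{
    struct arena a;
    uint8_t resp[ARENA_SIZE];
    build_arena(&a, claimed_len, actual_len);
    size_t n = h(&a, resp, sizeof resp);
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Attacker claims 200 payload bytes but sends 4. */
    printf("vulnerable: %zu bytes back, secret leaked: %s\n",
           scenario_bytes(heartbeat_vulnerable, 200, 4),
           scenario_leaks(heartbeat_vulnerable, 200, 4) ? "yes" : "no");
    printf("fixed: %zu bytes back\n", scenario_bytes(heartbeat_fixed, 200, 4));
    /* An honest 4-byte heartbeat still works after the fix. */
    printf("fixed, honest request: %zu bytes back\n", scenario_bytes(heartbeat_fixed, 4, 4));
    return 0;
}
```

Run it and the vulnerable handler hands back 200 bytes that include the adjacent secret, while the fixed handler returns nothing for the same request and still answers an honest one. Neither path logs anything, which is exactly why a site cannot tell afterwards whether it was hit.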

So, to be safe:

  1. I changed my passwords on all of those services
  2. I enabled two-step verification wherever I could. All this means is that if I want to log in to my Gmail or Dropbox or whatever else from a new device, I will have to enter a code that will be sent by text to my phone.

Other hints, since finding where to change your passwords is a hassle:

  • For Google, click on the top-right (on your picture) and then click on Accounts and then Security
  • For Yahoo!, click on the gear in the top right and then on “Change Your Password” under “Sign in and Security”
  • For Facebook, click on the little arrow next to the padlock on the top right, and then on Settings
  • For Dropbox click on your name and then Settings and then Security

It’s worth the 5 minutes it takes to do this. And since you probably have the day off today, you have the time to do it.

4 thoughts on “Heartbleed security vulnerability”

  1. Heartbleed is certainly a danger but don’t forget the stuff you willingly give up when you click ‘accept’ to any online EULA. Like for example this week Google has EXPLICITLY said:

    “Our automated systems analyse your content (including emails) to provide you personally relevant product features, such as customised search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.”

    OMG … Gmail is reading all my mail! Well duh. Why do you think they offer it? Google’s business model is indexing text, why do you think they offered Gmail?

    Although I have no certain knowledge I will bet the same for Prezi, DropBox, Hightail, Evernote etc. Basically anything in the cloud that gets ‘backed up for you’ is not for your benefit; it is for the benefit of the company providing the service. YOU are the product.

    Read a short article here http://www.theage.com.au/digital-life/digital-life-news/google-codifies-its-right-to-crawl-through-your-emails-20140417-zqvok.html

  2. Oh and do you like the nifty new market segment of ‘personal fitness devices’? When you log in to sync your device, here’s the list of items in the EULA they track every time you sync.

    “Your first and last name, email address, postal addresses and payment information if you purchase a product on our site. Your Internet protocol address (“IP address”), browser type, domain names, access times, and operating system, photo, gender, height, weight, and date of birth, Detailed physical information based on monitoring your micromovements, including when you are asleep, when you are awake, when you are idle, and your activity intensity and duration, We also collect your precise location data when you use our UP mobile app, When you use the Jawbone Companion app we connect with and upload to our servers the address book and calendar on your device, When you use our apps we collect information about your device, including your device type, manufacturer, model, and operating system; your device ID; and the version of your app

    [I LOVE this next one]
    We may get Personal Information about you from other sources. We may add this information to the information we have already collected from you.

    We use the email address you register with the UP service and match it with information other people upload from their address books, Facebook contacts or through email address lookup.

    We may share information with a parent company, subsidiaries, joint ventures, or other companies under common control with us.”

    Uhh … no thanks. I returned it for a refund and went for a run in shorts and t-shirt.

  3. Sorry I forgot to add the above is from the Jawbone Up EULA; I’d guess Fitbit’s one is pretty similar.

  4. Thanks for the gentle nudge as I had put it on my to-do list and, as things go, not yet made it a priority … as it certainly should be. Now that it’s behind me along with filing my taxes “on time” I’m going to relax with a hot cup of coffee and embrace a quiet moment. Happy Easter!
