April 11, 2014

Help for Heartbleed Heartburn

Have you heard about the Heartbleed Bug in the news? You may have seen its logo plastered across your screen at some point. I wonder if sales of antacid are on the rise right about now because I bet it's causing a lot of heartburn lately. If you are not overly concerned with this news at the moment, I'm not here to send you into a panic, but identity theft can really take its toll if you're not prepared. I know from experience and it's not the sort of thing I wish on anyone.

It's a whole lot easier to float down the river in a boat without a hole in the bottom of it! Managing your login credentials and maintaining good passwords helps you stay aware and on the lookout for anything nefarious. I know too many people who use the same password, or a variation of it, over and over again because when given a choice between security and convenience, most will choose the latter.

If you have a credit card, you should be used to the idea of change by now. Your credit card has an expiration date on it and each time they issue a new one, even though the number may remain the same, the security code on the back changes. Websites or software products with login screens like those used for banking, payroll access, insurance, healthcare, etc. require a periodic password reset in order to access them, but there are a lot of websites that do not require this and so people become complacent. Of course changing your password is not the be-all and end-all, but it certainly helps to thwart attackers. You lock your home and car while away, so why leave all the keys under the door mat? A thief will likely check there first. If it becomes public knowledge that you stash your keys under the potted plant next to your door mat, ya might want to change your locks and start keeping your keys a little closer from now on.

I'd like to take this opportunity to educate you on how you can strike a balance between security and convenience, so pop some of your favorite flavored chalk or antacid and here we go:

Get a Password Manager
Now, I just told you not to use the same password for each site, which I know sounds like a tall order, but what if I told you that you could memorize just ONE really, really good master password, hide it really, really well and let that be the key that securely stores and unlocks all the other keys? Doesn't that sound much easier than having to remember or write down a bunch of stuff only to forget where you put it or maybe later not be able to tell if you wrote the letter 'O' or a zero? Six times over? Remember though, keep this master key close because it's the key to your city. If you suspect it has ever been guessed, change it and guard it closer.

The app I've chosen to invest my security in over the past several years is 1Password by AgileBits. It has worked so well for me and my family that I am using it with more and more of my clients. It saves so much time and energy when they put it to use. When threats or security maintenance protocols create the need to change passwords, using this password manager makes it easier to document and store the new information, securely. Everything you enter into this software is for your eyes only unless you decide to share it with someone you trust who also has 1Password so they can lock it away in their own vault. This is extremely helpful for use in families and between colleagues. You can use iCloud or your own secured Wi-Fi connection to sync between devices so that your information is not intercepted while syncing.

At the time of this posting, there is a sale on 1Password and I highly recommend that you have the latest version. If you still have the older version, now is the best time to upgrade because they've added a lot of new features. There is one app that will work on your iPhone and/or iPad and another app that works on your Mac. You sync them with each other and all your information is secured on all your devices! While both pieces of software are on sale right now, it's really worth the price when you see what all it can do. The developers are constantly polishing this app and they stay on top of all the security risks so you don't have to. All you have to do is click these links and the App Store on either iPhone/iPad or Mac will take care of the installation process. It's very easy.

1Password for iOS on iPhone/iPad/iPod touch

1Password for Mac OS X

Learn How to Use Said Password Manager
Once you've installed 1Password, my good friend, Don McAllister, at ScreenCastsOnline has kindly published his instructional video tutorial for free. You can watch it right here. If you like his method of instruction, you should really consider subscribing to his other videos! A free trial membership is available.

Lists of Sites That Have Been Affected
If you've ever signed up for any of the services listed below, you need to change your password. It doesn't matter if you signed up and then never used the site again. If you're like a lot of people, you may have used the same password there that you use in other places. That makes you more vulnerable because that's what hackers will assume when they target you. Just go to the site and change it anyway. Be sure to use the auto-generation tool in your password manager so that you're using a password you'll never use anywhere else. Don't worry about memorizing it because you'll just copy and paste it when needed. If your password is ever extracted somehow, like in the case of a bug like Heartbleed, the fact that you can change it and update your login credentials more efficiently WILL keep you safer. If you plan on abandoning an online service, just be sure no personal or financial details like a credit card are linked to the service in question and if you really do not plan on using it, maybe now is the time to close it off.

Here are some of the big ones I could find where you should change your passwords because they have been patched by now:

Intuit Turbo Tax

If you use any of their related services like Gmail or Yahoo Mail, for example, you should change your passwords at their websites first and then don't forget you need to make that same password change in the settings on all the devices you use to access that service. For example, if you change your password for Google's Gmail service, then you need to plug that same new password into the Settings section on your iPhone, iPad and/or Mac. Using 1Password makes this easier because you just copy and paste it into the boxes calling for it.

Sites With More Complete Listings:
The Heartbleed Hit List: The Passwords You Need to Change Right Now
Here’s A List of Websites Allegedly Affected by The Heartbleed Bug (updated)

What is the Heartbleed Bug?
Here are some links to easy-on-the-eyes articles if you want to educate yourself further on what this bug is and why it's important to act. It's a lot of information to digest and even then it still might not make sense, but I tried to pick articles that explain it a little easier than most.
Heartbleed, the new OpenSSL hack: How does it affect OS X and iOS?
Heartbleed: What You Need To Know About The Security Fiasco In Three Minutes Or Less

Check Your Router
Apple made a statement quoted here saying Apple products are not affected. If you have an Apple-branded router used to connect to your modem, e.g., Airport, Airport Extreme or Time Capsule, it is not affected. Linksys routers are also not affected according to their statement issued here. I'm not yet sure about Netgear or other companies. If that changes, I'll update this post. If the router that gets your wireless devices connected to the internet comes from a company other than those that have already issued statements, contact the company that makes it to find out if they've issued a patch. If so, change your passwords.

There is a password used to manage the device and then there is also a password used to connect to the device. You may have given the latter password out to family and friends who have visited your home and connected to your Wi-Fi. You'll need to give them the new password when they visit next time. I've found it helpful to write or print out the password (so it's legible) and tack it to the fridge or someplace accessible so you can just hand it to your guest and they can enter it in their device. (Just don't forget to put it back!) If the manufacturer has not issued a statement saying their product was affected, just wait. Unless you registered your warranty with their site, you'll need to check this on your own as it's unlikely you'll get an email about it.

Additional sources for this post: