This weekend, as I am sure many other companies did, we spent a lot of time thinking about how best to tackle the Heartbleed bug that has shocked the internet world. For those of you who have been living in a cave for the last week, this is the bug in the OpenSSL encryption library that can give hackers a way to grab your username and password. It is estimated that a fifth of the world’s websites could be affected by this, so having a strategy to protect yourself and your business is critical.
Simply going online and changing all of your passwords may not be the best solution, at least until the affected sites have updated OpenSSL to the latest version with the bug fixed. However, it is important to know which sites have the bug, and this is easily achieved using the Google Chrome browser and a new extension called ChromeBleed. If you do not currently use Chrome as your browser, now might be a good time to give it a try (free download at google.com). You then need to go to Settings > Extensions and search for “ChromeBleed”.
Once you have installed this extension, a small Heartbleed logo will appear on the address bar and the extension will automatically (in the background) check sites that you visit and pop up a warning if the site is still using a version of OpenSSL with the bug – see bottom right corner in image below.
Knowing which compromised sites you have visited allows you to warn the company whose site is affected and then monitor when they fix the problem. You have to assume that any password used on that site is now compromised, and once they have fixed their site you should change the password you use on that site.
Check all of the sites that you regularly use which have a secure login, and if the ChromeBleed warning does not pop up, then log in and change your password.
This morning, whilst writing this article, we found that one of our suppliers’ websites was affected and they were unaware of the problem until we contacted them, so it is better to always warn companies and not assume that they know.
Hopefully some good will come out of this Heartbleed saga and it will act as a wake-up call to all those people who use the same password on every site. Don’t do it! Yes, it is a pain, but you are seriously multiplying the potential damage that could occur to your company if your password is compromised.
Finally, once spammers and hackers wake up to this Heartbleed “opportunity”, I suspect that there will be lots of bogus emails telling you to visit a site and change your password. Whatever you do, don’t click on any links in the email. Make a note of the website and, if it is a site that you use, go there normally by opening your browser and typing in their main website address. Now go to the login page, log in as normal and change your password.