By now, I’m sure you’ve heard of the Heartbleed Bug and are in the process of taking steps to protect yourself. This is not a virus or malware but actually a security vulnerability that could potentially affect the majority of Internet users. Running around changing all of your passwords is actually not the recommended solution. So, this week in #FridayFinds, I’m sharing some resources that will give you more insight and links to what you should be doing to keep yourself safe. You’ll also find out about a new blogging resource that you may want to check out and a fun post on ten of the best viral videos online.
What the Heart Bleed Bug Means to You
This week, one of the top stories in the news revolved around the “Heartbleed Bug”. Rather than a bug, Heartbleed is actually a security flaw in OpenSSL. OpenSSL is an open-source encryption standard that is used to transmit data. This vulnerability (called the Heartbleed bug) can expose our data to hackers. For a better understanding of both Open SSL and this vulnerability, let’s take a look at this video that Armand Valdes (@ArmandTweets) created for the “Mashable Explains “series.
Don’t be too quick to run around changing all your passwords though. Until a site has been patched, changing your password could potentially expose your new password to hackers. For an easy to understand look at what’s going on and (most importantly) what to do, check out Taking The Confusion Out of the “Heartbleed” Vulnerability by Kimberly Brink-Castleberry on Just-Ask-Kim.com.
One of the resources that Kim includes is The Heartbleed Hit List: The Passwords You Need to Change Right Now that was recently published by the Mashable.com team. (With over 350k shares, you’ve probably already read this article.) Possibly, the most notable of the sites that were vulnerable and have been fixed (at this time) are: Amazon Web Services, DropBox, Etsy, Facebook, GoDaddy, Google/Gmail, Instagram, Intuit/Turbo-Tax, Pinterest, Tumblr and Yahoo.
Announcement of the Brainy Marketer
Most of you who have known me for a while, know that I love sharing information and new resources. My mantra has always been “We can all learn from each other”. In addition to Kimberly Brink-Castleberry, I’m also a big fan of John Paul Aguiar. Actually, both Kim and JP are two of the bloggers who I wrote about in my post 2 Steps to Stalking the Popular Kids and Getting More Traffic (originally published 3/2/11 but still a strategy that I recommend and adhere to).
So, what is the Brainy Marketer? It’s a new resource for bloggers. What John Paul has done is launch a new blog that features twelve bloggers who are experts in their field. For a great read on what the Brainy Marketer is, check out Adrienne Smith’s post Learn How To Be A Smarter Marketer on AdrienneSmith.net. Adrienne has done a nice job of giving us a snapshot of who these trusted bloggers are and what topic each of them will be covering. Also, you can watch this video.
10 Viral Videos You May Have Missed
Speaking of video, this week, I came across a post that should get you thinking about what makes a good viral video. Even more, I’m hoping to give you some good laughs to get your weekend started. 10 of the best ever viral videos on CreativeBloq.com includes the famous Old Spice commercial (I never get tired of watching him) the 2011 Volkswagen ad and a hidden camera ad. Have fun watching and sharing.
Over To You
Have you been updating your passwords? Do you recommend Last Pass or another password manager? Had you heard about the Brainy Marketer or watched any of the viral videos highlighted here? Feel free to add your thoughts, ideas and opinions in the comment section and thank you for being here!
For more great information, connect with this week’s featured authors: Kimberly Brink-Castleberry, Mashable, John Paul Aguiar, Adrienne Smith, Creative Bloq and me on Google+.
About Sherryl PerryWelcome! If you're looking for help building an Internet presence that fits your needs and works for you, you're in the right place. I blog common sense articles about WordPress, social media and SEO. My goal is to help small business owners and entrepreneurs understand their core business. Together, we can develop and implement business strategies that make sense to you.
Another layer of this has come to light – some routers, firewalls, printers and so forth also use the flawed OpenSSL. Have an HP My Cloud? That too.
wired.com/2014/04/heartbleed_embedded/
This one requires manually checking and updating so will be with us longer…
Thanks for sharing this David. I’ve tweeted a few posts on this topic. One in particular (I can’t remember right now what site it was on) said that the only solution for some devices is going to be to trash them.
Sherryl Perry recently posted..How Safe Are Your Backlinks? #FridayFinds
In case anyone thinks this is much ado about nothing and will just blow over, the first reports are coming in. The Canadian government had to shut down accepting electronic tax filing for almost a week and has announced it lost about 900 SINs. (SSN) The only reason they even know that is because of their extra security.
Mumsnet was also hacked but they have no way of knowing to what degree. They know because the hackers told them, and used the founders ID to post online.
That’s the nasty bit here- having no way of knowing. And thats why the importance of updating your passwords after the fix is in. Especially on the big sites and especially if you’ve used the big sites to log into other sites, like Facebook for something else.
Wow David! I wasn’t aware of that incident until you brought it to our attention. I did a quick search for the details and I came upon a report on Bloomberg News that alleges that the U.S. National Security Agency (NSA) knew about the Heartbleed vulnerability for two years and that it may have been using it to access personal data. They’re denying it but one never knows.
The fact that Facebook is one of the sites that was affected by Hearbleed is just one more reminder of the risks of using a social media site to automatically logon to other sites.
As always, thanks so much for your contributions here in the comments
Sherryl Perry recently posted..The Heartbleed Bug and More #FridayFinds
Hi Sherryl,
Few days ago, I received an email from Pinterest asking me to change the password because of HeartBleed Bugs and I wondered what this was.
I searched few sites but I couldn’t get into the depth of the matter. Now, I came to your blog and saw this – great and easy explanation of this technical bug issue.
But what I don’t understand yet is whether we should change the passwords of those mentioned sites where we have an account? Is it really necessary?
Actually, I don’t have much knowledge about this bugs problems or fixes.
Mainak.
Mainak Halder recently posted..Are you Blog Commenting for Backlinks or Relationships?
Hi Mainak,
Thanks for letting me know that you found my explanation easy to follow. (That’s what I’m striving for.)
I think the best advice is to change passwords of any site that you’ve received an email from (with the caveat that you never follow links in emails. Instead go directly to the site yourself).
You can also check Mashable at http://keepupweb.us/1gWngDW/ for a list of those sites that they recommend changing passwords for. (When I last checked, it had last been updated 4/11/14.)
If you’re questioning any specific site, you can check whether or not they were fixed or unaffected here: https://filippo.io/Heartbleed/.
Good luck!
Sherryl Perry recently posted..Google Manual Web Spam Actions and Penalties #FridayFinds
Right – the thing to me to emphasize is that a given site may not know if it was hacked or not. If they didn’t update a week ago, they may well have been. Changing your password is a way of ensuring that your own account isn’t abused in the future.
It also makes it a good time to use stronger and more unique passwords in the process.
People may think – oh, my account isn’t that important. But what happens when your account is used to spam all your contacts? And their info is sold to spammers or hackers. Or your account is used to attack others?
Good points David. Security is too big an issue to take lightly.
I have been so out of the loop lately that I had not heard of the Heartbleed bug. The good news is I had not rush into changing passwords as I would have done. The article was very helpful now I’m off the make some of the changes. Thanks for that Sherryl. You saved me a ton of time, time I don’t have as a result of the heroic move I’m working through.
When time permits, I will be checking out the others. I hope to be back to normal in a week or so. 🙂
Susan Cooper recently posted..Vivino App and Online Community: #Wine
I know how busy you’ve been Susan. (We need to catch up on the LinkedIn Bloggers Helping Bloggers group when things settle down for you.) Some of the sites that were at risk have been sending out emails prompting you to change your password.
Thanks for letting me know that you found my post helpful and (as always) thanks for taking the time to join the conversation.
WordFence wrote in an email to meabout Heartbleed that when you have a hosted WordPress site you have to contact your hosting provider to find out if they have patched up the vulnerability. So I did and both my hosting providers have done so.
Can’t help wondering if there is an end to this kind of constant problems? Once one thing has been fixed along comes another vulnerability or virus:-)
Catarina recently posted..Contemplating exports to Europe?
Catarina,
Those Wordfence newsletters are great. I didn’t contact my hosting vendors. They’re popular enough that I’m confident I would have heard if they were amongst the sites that had this vulnerability. I’m not at all surprised to see that GoDaddy was on Mashable’s list.
I hope this is the last time that we see a security vulnerability of this magnitude.
Sherryl Perry recently posted..The Heartbleed Bug and More #FridayFinds
My host, easyPress, notified me they would have a short downtime when things would be viewable but not editable and did the update then. They also did a blog post about it. So I got 3 messages about it from my host because they knew it was a biggy.
Hey Sherryl,
So everyone starts to panic but it’s like they said to begin with. If you run around changing passwords on sites that aren’t yet secure then you’re hurting yourself more then helping so I was kind of waiting on more of an announcement of which sites it was okay to change and yes, they have been done. But, I do use LastPass and love that program so much. I also was sent a notice from them letting us know that they’re site is secure and we shouldn’t worry about that one at least.
Thank you for the mention as far as helping with John Paul getting the word out about Brainy Marketers. What a cool idea right! I love this concept and will definitely be using them a lot. Of course I think very highly of John Paul as well so I trust that he’s chosen the right people for the right information to share with us.
I haven’t checked out the post for the videos but will do that when I have more time. I’m always looking for good videos to share as you probably know that about me by now.
Great posts again this week and thanks for these for sure. Hope you’re enjoying your weekend and hope to see you around this coming week.
~Adrienne
Adrienne recently posted..Learn How To Be A Smarter Marketer
Hi Adrienne,
As experienced bloggers, we may not have panicked but I’m sure there are many people who immediately changed their passwords at the first hint of trouble. Then, there are still people who haven’t addressed any of this. (I’ve been nudging a few friends to at least address Facebook.)
I finally relented and set up my account with LastPass this week. Keeping track of all my passwords is starting to consume too much of my time. (It’s also driving me just a little crazy.) I have to admit though, as a veteran IT person, I do have trouble putting “all my eggs in one basket”. There are a handful of accounts that I don’t plan on letting LastPass manage. (I guess I’m still “old school” in some ways.)
You’re welcome for the share. I’ve been wanting to give your site a little backlink love and when I saw that you were featuring John Paul’s new site, I thought it would be the perfect opportunity. Plus, after writing about a topic as critical as the Heartbleed bug, I thought I’d lighten up the rest of my post with that and the viral videos link. (I look forward to seeing some of them on your FB page.)
As always, thanks for dropping by and joining the conversation. BTW – I haven’t forgotten my guest post for you. I’m looking forward to it!
Hi Adrienne,
It is always scary to hear these things, but I think that some people just panic unnecessarily. It seems that anytime something goes viral then it ends up getting people a lot more worried than necessary. Frankly, I never thought any encryption technology (including SSL) was 100% hacker proof. They all have flaws and I don’t think it is always necessary to panic when we hear what they actually are.
I don’t think I will be changing every single passsword that I ever setup. I do think that it is good to be prudent though and will try to start using LastPass from now on.
Sherryl, thanks for the share!
Kalen
kalen smith recently posted..Redditor Recreates Every NBA Team Logos as Pokemon
Hey Kalen,
I think for those that don’t understand this kind of stuff are immediately thinking the worst. Not that I do understand it all but I’m of the thought process now that if something like this has happened then it’s out of my control and I’ll wait to find out what steps need to be taken but freaking out about it does no one any good.
That’s what I’ve told my friends that nothing and I mean nothing is 100% hack proof. We only wish it was and most sites do their very best but it’s not an exact science and some people focus all their energies on just trying to get in. Even for no other reason then to say they were able to.
I only changed the ones that were recommended after their site was safe but I’m with you. Hell no, that’s a heck of a lot of passwords but most of those sites I rarely use and there is no information on there that could hurt me or help them. I do love LastPass though and it’s been my lifesaver and they notified us that all is well with them. Yay!!!
Thanks Kalen and hope you’re having an amazing day.
~Adrienne
Adrienne recently posted..The Perfect Posting Schedule Revealed
The ironic thing about the OpenSSL heartbleed problem is it’s supposed to make things more secure, and it turns out it wasn’t doing so. Of course you would have had to know about it and what you were doing. The average person wouldn’t have known how to steal any info.
It’s also disappointing that this bug has been in the current OpenSSL version for 2 years. That’s along time.
To me it’s just confusing trying to figure out what sites were using it and which ones were not.
I know a lot of people talk about Last Pass, but I just can’t do it.
Ray recently posted..The Confusing OpenSSL Heartbleed Vulnerability
Hi Ray,
I’m amazed that it’s taken two years to identify this vulnerability. I think that’s an unusually long time especially since we’re talking about security here.
I just read the article you wrote about this topic. It’s really good. As you point out in your article, the previous version, 0.9.8, is not affected. You’re right. This is confusing.
I finally set up Last Pass yesterday. I’m having a little trouble getting used to it actually. I have a strong urge to copy and paste the generated password for safe keeping. LOL
As always, thank for dropping by and weighing in on this. I’m going back to leave a comment for you and share your post.
Hi Sherryl
Yeah, it does take a little to get used to – like anything else new. And theres a few little things to be careful of. Like if you have multiple accounts at one site, you have to be careful which one its actually logging you in to. I don’t usually have it autologin, just autofill. And if you use a site that has various login pages, you may have to pick the login, but it usually offers a little icon on the right of the username box you can click and choose the right login.
Changing passwords was a little more fiddly than I expected as it worked faster than the change forms, but I spent a bunch of time doing that yesterday, upgrading a few of them in the process.
Note that you have an Export option in the top right. That gives you all your data in a spreadsheet. Personally, I think its a good idea to back up your logins you’re no longer able to remember. Especially after changing a bunch of them. Never all your eggs in one basket.
I really appreciated it flagging the passwords I needed to change the most. And the old weak ones in the security check. I didn’t appreciate Googles recent changes that make changing an email account password into their desire to interconnect everything.
You can use it to store address and credit card info for filling in those kinds of forms but I’ve used that less. I’ve also left the CVC code out as a caution.
You can also use it to add Secure Notes, like for passwords in your software, key secure data, account numbers, login for someones computer you help with and so forth.
One other little point is to get into the habit of logging out of it when you go away from your computer. It does after all give access to everything.
For me, its been quite reliable and fast. Way better than the several solutions Ive used over the years.
Wow! Thanks for all the great info David. I wish i had though about sites with more than one logon page before I set up Facebook but at least I quickly realized what was going on.
I had noticed the export option but hadn’t really thought about using it. Backing up our logins is a great tip. That’s the one thing that makes me nervous about LastPass (or any other password manager). The tip about logging out makes sense too.
As always, I appreciate your input!
TY for sharing the Brainy Video and site with your readers Sherryl. I Appreciate the support. 🙂
John Paul recently posted..Is Social Media Bad For Your Health? – Infographic
You’re welcome John. It’s exciting to see your new site! I’m looking forward to seeing (and sharing) articles from Brainy Marketer. 🙂
hah, i didn’t realize going around changing passwords might actually NOT be the best way to go about this!
It’s a good thing i am “lazy” and wait for a website to tell me “ok, we do recommend changing your pass with us” – and that is when i go ahead and change it for real 😀 I am glad this is actually the right way to do it anyway!
Thanks for the great FridayFinds, Sherryl!
Diana recently posted..How to Make Time for Everything
Hi Diana,
I first read about the risk of changing passwords before the site is fixed from Kim on Facebook. There was so much written about it. I’m one of those geeks who enjoys understanding what’s going on behind the scenes.
Thanks for letting me know that you liked my post. As always, I appreciate you sharing your thoughts with us.
Hi Sherryl,
Thanks for putting this all together. There was so much confusion out there with Heartbleed that it was driving people crazy.
It’s a good thing that I have subscribed to Kimberly’s newsletter and am in close touch with her on Facebook. There are passwords we had to change immediately, and some we just have to wait.
I have spent the entire day changing passwords and lucky I did! People that weren’t
“in the know” or had no one to turn to were absolutely going in circles.
Glad you put this together for those Johnny come lately folks so I can spread this around.
-Donna
donna merrill recently posted..Facebook Is A Marketer’s Dream
Hi Donna,
I’ve been a huge fan of Kimberly for years and I often share tips from her newsletter. Thanks for letting me know that you value my post. I enjoy pulling key resources together and then doing a brief summary. I think that it can be helpful for people who want a 1-stop shop for info. That way, my readers can go as deep as they want into the additional links. As you know, you can spend hours going deeper and deeper into topics like this when sometimes it’s best just to know what it is, what you should do – and – then just get it done.
As always, thanks for dropping by and joining the conversation. I appreciate and value your input.
Sherryl Perry recently posted..How Are You Building Your Online Brand? #FridayFinds
I just saw David’s comment so went back and looked at the Mashable story. I had missed WordPress on the list. Now I’ll probably go back and change the passwords again once WP says it has done the patch.
Jeannette Paladino recently posted..Stand Out With a Video in Your LinkedIn Profile
That sounds like a plan Jeannette. I was so glad to logon this morning and see that both Dave and you had been commenting! I’m a little late to the party this morning. 🙂
Sherryl Perry recently posted..The Heartbleed Bug and More #FridayFinds
While my banks and credit cards weren’t affected, I’ve started changing my passwords anyway. First, I haven’t changed them in a while and, most important, I’m making them stronger. I also changed the password to my WP dashboard and CPanel. I didn’t see WordPress listed in Mashable’s list but again I hadn’t changed them in a long time and made them stronger.
Jeannette Paladino recently posted..Stand Out With a Video in Your LinkedIn Profile
Hi Jeannette,
Thankfully, all the banking institutions that I’m associated with have notified me that there isn’t an issue. I have to admit that I was not at all surprised that GoDaddy was the only hosting company (that I recognized on the list) that was affected. At least, they’ve addressed it. I was a bit surprised that Amazon Web Services was on the list.
This is such a pain. It’s always something!
Interesting WordPress is the notable holdout on getting the fix in, according to Mashable. They recommend updating the Box password whereas Lastpass is saying the implementation is not in yet (also mentioned on Mashable) so wait to update…
I noticed that David. I’m choosing to listen to Mashable and Lastpass on this one. If anyone has changed their WordPress password they can change it again when WordPress confirms that it has definitely been fixed.
Thanks again for the info and have a great weekend. (It looks like you either stay up late or get up early! 🙂
😉 I’m on the west coast. Comments record local time to the server, not to me.
Hi Sherryl
I use LastPass and recommend it. They talk about their exposure to the OpenSSL flaw and why it didn’t affect user security (they don’t have your keys)
http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html
They’ve also now added a feature that will check the sites you have logins for and which you need to fix now and which have not been fixed yet, to wait for (like Box)
http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html
I can also note a site that will check specific domains:
https://www.ssllabs.com/ssltest/
And you missed the quotable quote: Security expert Bruce Schneier says “‘catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.“ 😉
I’d also highlight that it’s unlikely the issue was discovered and abused prior. The issue now is sites that don’t update properly and thus potentially expose your data. For users who use the same password across all sites, that would be everything.
Hi David,
I did miss the quotable quote! (I also almost missed posting my #FridayFinds on Friday but that’s another story. 🙂 )
Thanks for the links. I know you and many others here are strong proponents for using Last Pass. I started using it also. (I know. It’s about time.)
Thanks for the additional links too. As always, I appreciate the time it takes to add such meaningful info in your comments. Hopefully, neither of us will hear of anyone who has their accounts hacked because of this.