Last week we posted a blog on easy ways to spring clean your digital life – including advice on changing your passwords. Well, no sooner had we hit publish than that bit became very important indeed!
The Heartbleed Bug is one of the biggest Internet security flaws to hit the world to date. It was discovered by Google and Finnish cybersecurity company Codenomicon, which set up the website Heartbleed.com and, in what might be a first for a security bug, a cool logo. The bug may have been leaking your sensitive information over the last 2 years. Here’s what else event organisers need to know about Heartbleed, security and passwords.
Heartbleed Bug explained
The bug has been dubbed Heartbleed because it affects an extension, which engineers called Heartbeat, to OpenSSL – software that implements SSL (Secure Sockets Layer), which is designed to encrypt communications between a user’s computer and a web server.
NB It only affects certain versions of OpenSSL – v1.0 through to v1.0.1f
This comic from xkcd explains it in a way everyone can understand:
Put simply, the bug allows hackers to access a small amount of data (64KB) from websites and applications. However, there is no limit on how many times they can request data from a server, so hackers can retrieve information again and again – leading to a ‘bleeding’ of information, including potentially sensitive information, like passwords.
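An added example, not part of the original post and not OpenSSL's own code: a C simulation of the flaw, in which a heartbeat handler trusts the length a message claims for itself (a 16-bit field, which is where the 64KB ceiling comes from), next to a handler that checks the claim against what actually arrived. The function names, the flat 64-byte buffer and the FAKE-SECRET marker are constructed for illustration; the 3-byte header and 16-byte padding follow the heartbeat message layout in RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16  /* minimum padding in a heartbeat message (RFC 6520) */
#define SECRET     "FAKE-SECRET"   /* constructed stand-in for leaked data */

/* Vulnerable pattern: echoes as many bytes as the message claims to carry. */
size_t hb_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;  /* real received length is never consulted: the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Hardened pattern: discard any message whose claim exceeds what arrived. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Constructed demo: a 22-byte record ("hat" + padding) sits directly in
   front of SECRET in one flat 64-byte buffer. Keep claimed <= 61 so the
   simulation itself never reads outside that buffer. */
int leaks_secret(int use_checked, uint16_t claimed) {
    uint8_t mem[64] = {0}, out[64] = {0};
    size_t rec_len = HB_HEADER + 3 + HB_PADDING;   /* 22 bytes received */
    mem[0] = 1;                                    /* heartbeat request */
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + HB_HEADER, "hat", 3);             /* the real payload */
    memcpy(mem + rec_len, SECRET, strlen(SECRET)); /* unrelated memory */
    size_t n = use_checked ? hb_reply_checked(mem, rec_len, out)
                           : hb_reply_vulnerable(mem, rec_len, out);
    for (size_t i = 0; i + strlen(SECRET) <= n; i++)
        if (memcmp(out + i, SECRET, strlen(SECRET)) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claims 40 bytes: leak=%d\n", leaks_secret(0, 40));
    printf("checked,    claims 40 bytes: leak=%d\n", leaks_secret(1, 40));
    printf("checked,    honest 3 bytes:  leak=%d\n", leaks_secret(1, 3));
    return 0;
}
```

The checked handler still answers an honest 3-byte request; it only drops messages whose claimed length does not fit inside the bytes that were really received.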
How has Heartbleed affected people?
Last week, parenting website Mumsnet admitted to not knowing how many of its users’ details may have been stolen after it emerged that hackers had used founder Justine Roberts’ own username and password to post a message online. She said the hackers then informed Mumsnet’s administrators that the attack was linked to the Heartbleed flaw and told them the company’s data was not safe.
Several websites including Google, Facebook and Yahoo have issued statements saying that they don’t believe they have been affected by the bug, but have made some recommendations on best practice regardless.
What should Event Professionals do?
As event professionals there are two key ways that the Heartbleed bug may affect you.
- Your website may require patching
- Your online accounts may require password changes
Patching your website
Check with your development or IT services team to see if any of your websites (including mini sites for specific events) are using OpenSSL. If they are, make sure the team are doing something about it. You may want to pass on the latest instructions or OpenSSL patch here.
If you want to quickly check a website to see if it is vulnerable, here are links to two different tools that can check a website when you enter its URL:
Changing Your Passwords
As an events professional, you’re likely to be using Facebook for your Company page and creating an event, YouTube for uploading videos around your events, Gmail for, well, everything. And you might be using Dropbox for sharing event images and logos, Instagram for pretty event pics, Tumblr for blogging about it and Pinterest for getting those pretty photos shared too. Well guess what folks?
You need to change all of your passwords for these sites!
And a whole load of passwords for other sites besides. Mashable’s list of Heartbleed Bug affected websites seems to be the best and is being regularly updated. So for the full list of what you need to change, we’d recommend visiting them here.
Here’s our 5 point guide on Passwords
- Change your passwords on all your accounts – you may want to do this again in a couple of weeks as annoyingly not all websites have been patched yet.
- Don’t use the same password on each site!
- See our Digital Spring Clean post for tips on creating a secure password, but as a general rule don’t use your kids’ names, dog’s name, the word ‘password’, abc123 or ‘monkey’ as they’re all VERY easy to guess for an unsophisticated hacker.
- Try using an encrypted password keeper such as 1Password, Dashlane or LastPass – note that none of these companies had any problems with Heartbleed because they use multiple layers of sophisticated encryption.
- If there’s an option to do so, use two-step authentication. What this means is that when you try to access a website from a new computer, or after a certain period of time, the site will send a text message code to your phone that you need to enter in order to access the site. Generally, you’ve got your phone on you most of the time so it shouldn’t cause too much inconvenience and it could potentially alert you to someone trying to gain access to one of your accounts.
We’ll update this article if any new information about the bug comes out, but if you do only one thing – CHANGE YOUR PASSWORDS. NOW!
About Noodle Live
Noodle Live brings a seamless social experience to events, conferences and exhibitions using a combination of mobile applications and RFID (Radio Frequency Identification) swipe cards to streamline information sharing.
This post was written by Thom Feeney, Marketing Manager at Noodle Live