The Heartbleed Bug – do you need to act?

The latest concern regarding the safety of a cyber world has come in the form of the Heartbleed bug, the potential compromise of a system intended, ironically, to safeguard user data.

The BBC has a good article outlining the flaw and surrounding issues –

The headline of “Heartbleed Bug: Tech firms urge password reset” can, at first reading, induce panic but the attention-grabbing headline reports what some companies are saying rather than necessarily presenting the article’s own conclusion.

The first point to note is that the bug does not affect Microsoft servers so, addressing VCI’s client based directly here, there will not have been any compromise for your in-house network nor our Hosted Exchange service for emails.
The affected servers will be external systems and web servers which might have been compromised. There is no way of tracking whether this has happened so, even though the responsible hosting companies will have now plugged the hole, user data may have already been compromised meaning that it is possible usernames and passwords are still known.

It doesn’t take long for articles of this type to drift into “might have”, “could have” territory so let us skip to the concluding paragraphs of the BBC article which includes,
“A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, but that those concerned should still act.”
“I think there is a low to medium risk that any given password has been compromised…….It’s not the same as previous breaches where there’s been confirmed password lists posted to the internet. It’s not as urgent as that.”

So what should you do? In the first instance, if you already follow good password practice and use different passwords for different sites then the likelihood of a large scale compromise of your personal data is considerably reduced simply by law of averages. If you are concerned, contact the companies involved and seek their advice or update your password on principle when convenient to do so. If, however, you have used the same password across a number of sites I think it is of greater urgency that you update these passwords.

What you absolutely SHOULDN’T do is reset any passwords using links provided in any emails purporting to recommend such action. Phishing emails can look very convincing and take you to websites which look convincing enough but which may be trying to elicit further data or install malware. Even if the mail looks genuine it is wise to access the site using the correct URL typed into your browser rather than a link from an email.

You can get advice on password generation and storing of passwords in our Password 101 series of articles available from the news page.