Sunday, April 20, 2014

Summary of Advice Regarding Heartbleed

Happy Easter everybody. This might be my last or penultimate article on the Heartbleed bug. I have personally taken my own advice and done all the suggestions on my own computer and with my own accounts, and am still implementing the steps on computers and with users I'm responsible for supporting.

Because of the Heartbleed bug, as I have been saying, do a spring cleaning of your internet security when you get a chance. Cancel the credit cards that you used online and get new numbers for them. Do this in a staggered fashion, so you always have a live card if you need one while you wait for the new cards to arrive.

Also, I'm now suggesting that you export your passwords from your password keeper software and then reinstall it, telling it to wipe out your personal information. If you are not using a password keeper like Roboform, LastPass or Dashlane, start doing so, as they lessen the temptation to use a password in more than one place and encourage generating and using random passwords.

If you don't have a password keeper and your passwords are stored in Internet Explorer, Chrome, Firefox or Safari, use this program to see what they are: http://www.nirsoft.net/utils/web_browser_password.html. Note the ones that are not necessary to change, which I list in the next paragraph, then erase all the passwords from your browsers following the steps in this article: http://www.bu.edu/tech/support/desktop/software/troubleshooting/removing-password-from-browsers-saved-password-list/. You can also selectively erase passwords from your browser's list using the instructions in that same link; just keep the ones mentioned next.

According to a CNET article on Heartbleed and/or the LastPass Heartbleed Server checker, you don't have to reset the passwords for these sites: About, Amazon, Amazon Web Services, Answers, AOL, Apple, Ask, AWeber, Bank of America, Capital One, CBSSports, Chase, Classmates, CNET, CNN, Comcast, Constant Contact, Dillard's, eBay, FedEx, Forbes, Fox News, Groupon, HootSuite, Hulu, IMDb, Intuit, LinkedIn, Live, ManageWP, Microsoft, MSN, MyPoints, NetZero, Orbitz, Pandora, PayPal, PayScale, PornHub, Reference.com, Salesforce, Target, TripAdvisor, Trulia, Twitter, UPS, USA Today, Walmart, Wells Fargo, wikiHow, Zedo and Zillow.

According to the same sites, you do have to reset the passwords for these and it is now safe to do so: AT&T, Best Buy, Bing, Bleacher Report, Blogger, Blogspot, BuzzFeed, Conduit, Craigslist, Daily Mail, Dropbox, Espn.go.com, Etsy, Facebook, Feedbin, Flickr, GetPocket, GoDaddy, Google, Home Depot, IFTTT, Imgur, Indeed, Instagram, NBC News, Netflix, OKCupid, Outbrain, Pinboard, Pinterest, Publishers Clearing House, Reddit, Stack Overflow, The Pirate Bay, The Wall Street Journal, Tumblr, USPS, Vimeo, Washington Post, Weather.com, Wikia, Wikipedia, Wordpress, Yahoo!, Yelp and YouTube.

Again, according to CNET and/or LastPass, you should still be cautious with these sites: Adobe, Drudge Report, NYTimes, and TMZ. If you have accounts on them, personally I would change the passwords for these sites now too, just in case they are really clean after all. I would then check them again in the Heartbleed site checker at https://lastpass.com/heartbleed/ in a few days; in the meantime, hold off on making any purchases and, if there is a way to do so, remove your credit card numbers from those sites.

For all other sites, check with LastPass to see if they are unaffected, patched or still vulnerable. Change passwords for the latter two categories (patched or supposedly still vulnerable). After changing the password don't make any new purchases from a site that LastPass says is still dodgy/vulnerable. The sites mentioned are most of the top 100 most heavily trafficked sites as ranked by Alexa (except for sex sites which I removed from my lists).

Finally, I would go into your App and Website permission settings for Facebook (here: https://www.facebook.com/settings?tab=applications&edited=opt_out), Twitter (here: https://twitter.com/settings/applications), Google accounts (here: https://security.google.com/settings/security/permissions) and LinkedIn (here: https://www.linkedin.com/secure/settings?userAgree) and remove the permission for websites and apps to use your social networks to vouch for your identity. Security experts generally tell you to have a different password for each website account you use, but using a social network to log into a site is almost like having the same password for multiple sites. It is a single point of failure. Facebook, for instance, was vulnerable, and if someone had obtained your Facebook username and password, they could then also log in and possibly make purchases using your Facebook-vouched identity on those "satellite" sites.

One last suggestion for a security spring cleaning is to remotely log out of any social network sessions you may have forgotten about and left open on friends', relatives', or public computers. You can shut most of these down remotely; this article describes how to end all of those sessions: http://www.addictivetips.com/web/remotely-end-gmail-facebook-linkedin-and-twitter-web-app-sessions/.
