Opinion: Passwords that bleed

Albert Fisler

In the age of computer security, there are constant threats toward the safety of our personal information.  These computer bugs take advantage of our population’s growing technological use, tending to target the gap of people who are still adapting or inadequate with this new digital world.  

The newest of these is the “Heartbleed” bug. Notorious for its bleeding heart symbol, this bug takes advantage of a flaw in the Secure Sockets Layer, or SSL, of open-source software.

Todd Colvin, director of data and systems security for Paychex Inc., explains computer communications are like a postcard, and “it travels from the sender to recipient, and anybody on the way could read the information on the back.  

That’s open communication.  

The same is true for a good majority of the communications on the Internet. Any computer between point A and point B has an opportunity to review the messages. SSL comes in because it’s a protocol to securely send information over. However, with regard to the Heartbleed bug, Colvin says, “With Heartbleed vulnerability, people in between could potentially compromise the lock and the key used to encrypt the SSL message. If they intercept that, they can unlock it.”  

Nevertheless, Colvin mentions an easy way to check if a website is secure.  He says if the URL of a website has “https, the ‘S’ is the SSL underlying protocol to make sure sending-to-receiving computer, it’s secure.”  

Codenomicon, a security firm, created Heartbleed.com to better inform people and businesses about the Heartbleed bug as well as to take steps to help prevent and protect themselves from it.

According to the Heartbleed website, the bug “compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.  This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”   

The Heartbleed website also provides a few tips on how to stop the leak.

However, it reminds people that “as long as the vulnerable version of OpenSSL is in use, it can be abused.” Fixed OpenSSL has been released, according to the website, but is waiting to be deployed. This is up to operating system vendors and independent software vendors to apply the fix and notify their users.  

While it might seem obvious to change one’s password for affected websites, not all of them have fixed the bug yet. Symantec, an anti-virus software company, recommends on its website to wait to change your passwords until a vendor has communicated to you to change your passwords. Symantec also recommends monitoring your bank and credit card statements to check for any unusual transactions.