Think about how many things you do using the Internet. We surf the Internet for information using an Internet account. We buy merchandise online, and often set up an account using the merchant’s online order and payment service or perhaps using a service like PayPal to buy it. We do our banking or keep track of our investment portfolios through an online account. We keep up with our friends, family and colleagues on social networks such as Facebook or Pinterest or LinkedIn. We tweet on Twitter. We communicate with each other via email using services like Yahoo! or Gmail more than the U.S. Post Office. We store photographs on sites like Picasa, keep music on iTunes and have videos on YouTube.
What do all of these things have in common? They have a password to unlock the account and we are likely to have provided financial or other confidential information to the service providers. Whether we think of them this way or not, all of these things are assets. Digital assets. Collectively, these digital assets may have great sentimental and financial value.
But our digital assets also make us vulnerable to viruses that attack our computers and to flawed security measures employed by the Internet service providers we use. On April 8, 2014, a team of engineers that was, ironically, testing improved security features announced that they had found a massive vulnerability affecting websites that use web encryption software called OpenSSL. This vulnerability, called the “Heartbleed bug,” allows potential eavesdropping on users’ communications on websites using OpenSSL.
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS to both identify themselves to you and to protect your privacy and transactions. In testing, researchers found they were able to exploit the vulnerability to steal usernames, passwords, instant messages, emails and other critical information. They were able to steal this information without leaving a trace behind to indicate the theft had occurred.
Here are things you should do to protect yourself and your digital assets:
First, compile a list of the various web services you use. If you have a username and a password to access the site, it should go on the list. Those web services that contain your confidential information, credit card numbers, bank account numbers, social security numbers and other critical information should go at the top of that list.
Second, investigate whether each web service employs SSL/TLS encryption. Websites and web services that do not employ SSL/TLS are not vulnerable to the Heartbleed bug.
Third, for websites that do employ SSL/TLS, investigate whether a patch or fix has been made for each website. Large services such as Google and Facebook have already implemented fixes. Particular attention should be paid to web services from smaller companies. You can easily check whether the fix has been implemented for a given website by going to https://www.lastpass.com/heartbleed.
Fourth, once you confirm a fix has been made for a particular service, log in and change your password for that service.
Fifth, if you have compiled a list of your digital assets and instructions for what to do with them after your demise, as we have previously recommended in The Counselor, update that virtual asset instruction letter with your new passwords and usernames.