Heartbleed: What Is It?
What Should I Do About It?
By now, you’ve no doubt heard about "Heartbleed," a security vulnerability in one of the most popular pieces of encryption software on the web. While none of our systems here at Mid-Illini have been affected, we know our members have questions, so let's look at the facts:
What is Heartbleed?
Heartbleed is the nickname given to a security vulnerability in OpenSSL.
OpenSSL is a popular online encryption library. The vulnerability allows hackers to find the secret codes that websites use to identify themselves. These codes allow hackers to translate information that a computer sends to a website. Without them, this information would appear as indecipherable gibberish.
The worst part about this vulnerability is the fact that it's been around for two years and there's no way to know whether it's been used on a particular service. Security experts have only discovered and informed the public about the flaw over the past few days.
It's unlikely that this exploit was common knowledge before. The brightest minds in online security work for large, multinational corporations, charged with keeping data safe. Still, hackers could have compromised passwords, e-mail accounts, user names, and other personally identifiable information. That's a significant concern.
Who was affected?
Yahoo Internet services. So, if you use Yahoo e-mail, play Yahoo Fantasy Sports games, or use Tumblr, your password(s) may have been compromised.
Some Google services, like Gmail and Google Drive, were also vulnerable.
Social media sites like Twitter and Facebook may have been, too.
If you filed your taxes through TurboTax or USAA, your data may have been vulnerable.
The good news: Most online financial services, including Mid-Illini Credit Union, use other modes of encryption and were not vulnerable.
The threat in this case isn't just in the fact that someone could gain access to your e-mail.
The real problem is that most people use a small collection of passwords for most services. Hackers know this and will therefore use those user names and passwords on other, more lucrative services.
What can you do about it?
Understand, first, that the odds of any one password being released through this leak are small. This is an exploit that only a small number of the brightest minds in computing could find. There is no cause for panic.
If you use one of these services, change your password, both on these services and other services where you've used the same password.
Pick a new password that is easy to remember and strong. Follow the same good password rules you always have to keep your data safe.
Whether the services you use are identified as part of this breach or not, it would be wise to go ahead and swap out the old passwords for new passwords that are, again, strong and considerably different from what you had previously used.
Developers have released a new version of OpenSSL without the vulnerability in it.
There is no need to change your online behavior.
The services named above have all patched their encryption software to avoid this problem.
You should have no less confidence in online shopping and banking than you did last week.
Remember, it always makes good sense to use a unique password for each site or service you access.
Part of the reason Heartbleed is such a big deal is the fact that it exposed a weak link in the system.
Your passwords are only as secure as the least secure means you use to store them.
Using more passwords and multiple variations of them helps keep your personal information safe and secure.
We do everything we can to protect your personal data here at Mid-Illini Credit Union, and we encourage you to do the same. Again, we’ve checked with all of our service providers, and to the best of our knowledge, none of our systems have been affected by the Heartbleed situation. You can continue to transact business as usual at MICU, with complete confidence that your information is, and will remain, secure.