Heartbleed Internet Bug - Need to Change Passwords?
10th Apr 2014

Kontrolit and the Heartbleed Internet Bug

You may need to change passwords

You may have recently read stories about a bug on the internet called Heartbleed.  First and foremost, no Kontrolit powered site has been affected by this bug so you may not need to change your passwords for any Kontrolit related site.  

This article explains what Heartbleed is, why it is serious, and gives some general advice about how to protect yourself.

What is the Heartbleed bug?

It is a flaw in the encryption software some sites use to handle secure connections, i.e. https connections, the ones that show a padlock in your browser.

Why is it a big threat?

It has only just been discovered and patched, but the hole has been present in software in wide public use for the past 2 years.  So technically, if a hacker knew about this (speculation), they have had 2 years to wander around the internet stealing sensitive information such as some of your passwords, credit card numbers etc., and only now that sites have started to patch would they have been prevented from doing so.

Of course this also works the other way around: now that it has been publicised, hackers can easily start to wander the internet stealing information from sites that are not quick to respond to the threat.

So why aren't Kontrolit sites affected?

The bug is in some versions of a software package called OpenSSL.  We do not use this software package for Kontrolit powered sites.  The only site we have here that did use it was our Support Centre, but it didn't use a version that was affected.

Password Tips

Don't choose one obviously associated with you

Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet's name you're in trouble.

Choose words that don't appear in a dictionary

Hackers can precalculate the encrypted (hashed) forms of whole dictionaries in advance, so if your password is a dictionary word they can recover it from a stolen copy with a single lookup.

Use a mixture of unusual characters

You can use a word or phrase that you can easily remember but where characters are substituted, e.g., Myd0gha2B1g3ars!

Have different passwords for different sites and systems

If hackers compromise one system you do not want them having the key to unlock all your other accounts.

Keep them safe

With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault such as KeePass.
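As an added example (not from the original article), the following code shows the precalculation the tips describe and turns the tips into a check you can run on a candidate password. The wordlist is a constructed stand-in for a real dictionary, SHA-256 is used only for illustration, and the function names are assumptions made here:

```python
import hashlib
import string

# Constructed sample wordlist standing in for a real dictionary (assumption).
DICTIONARY = ["password", "letmein", "fluffy", "sunshine", "dragon", "rover"]


def hash_password(word):
    """Unsalted, fast hash: the kind of 'encrypted form' that can be tabulated."""
    return hashlib.sha256(word.encode()).hexdigest()


def precompute_table(words):
    """Build the lookup table the tips describe: hash -> plaintext word.
    Once built, every dictionary word in a stolen hash list falls to one lookup."""
    return {hash_password(w): w for w in words}


def reverse_with_table(stored_hash, table):
    """Return the dictionary word behind a leaked hash, or None if it is
    not a dictionary word (the table does not help an attacker then)."""
    return table.get(stored_hash)


def password_issues(password, table, other_site_passwords=(), personal_facts=()):
    """Check a candidate password against the article's tips and return the
    list of tips it breaks (an empty list means it passes all of them)."""
    issues = []
    lowered = password.lower()
    # Tip 1: nothing obviously associated with you (pet names, etc.).
    if any(fact.lower() in lowered for fact in personal_facts):
        issues.append("obviously associated with you")
    # Tip 2: not a dictionary word, i.e. not in a precomputed table.
    if hash_password(lowered) in table:
        issues.append("dictionary word (precomputable)")
    # Tip 3: a mixture of character classes (lower, upper, digit, symbol).
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        issues.append("no mixture of unusual characters")
    # Tip 4: not the same password you use anywhere else.
    if password in other_site_passwords:
        issues.append("reused on another site")
    return issues
```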

No need to worry then?

Not quite.  Many big sites out there have been affected.  So some general advice from us to you is that you at least login and change your password for these sites.

Big sites affected by Heartbleed (so change your passwords for these)

•    Facebook
•    Tumblr
•    Google including services such as Gmail, YouTube, Wallet, Play, Apps
•    Yahoo including services such as Yahoo Mail
•    Amazon Web Services (not the store)
•    Dropbox
•    LastPass
•    OKCupid
•    Soundcloud

Big sites not affected by Heartbleed

•    LinkedIn
•    Amazon Store
•    Microsoft including services such as Hotmail
•    PayPal
•    Kontrolit powered sites

Sites currently unclear if Heartbleed has affected them (so to be safe change passwords anyway)

•    Twitter
•    eBay
•    Evernote
•    Netflix

What about other sites that I have accounts for which you haven’t mentioned?

Be safe,  change your password anyway.

You said I may not need to change my password on Kontrolit sites

Simply put, if you used the same password to access a Kontrolit site that you used for one of the affected sites like Gmail, then you should change it to be safe.  If you used a unique password on Kontrolit sites then you are fine.

Again, if you used the same password for Gmail as the Amazon store then even though the Amazon store is not affected you should change your password.

This is serious - who's to blame?

The short answer is no one.  The OpenSSL project is run by volunteers giving up their free time to make the software.  No one is paid to write it, so no one is to blame.  Perhaps if some of the big guys like Google and Yahoo could put their hands into their deep pockets they could fund a few developers to contribute to OpenSSL and we might get better software in the future.  You would think it is in their interests to do so.
