Heartbleed: a personal action plan

There is much panic today after the announcement of the Heartbleed bug. All those nice sites with the padlock symbol running https where you felt safe and warm, well it turns out that some of them may not have been so safe and warm after all. Some were, but many IT advisors are recommending you change all your passwords to be safe, because we don’t know for sure what was compromised.

BUT DON’T CHANGE THEM ALL YET!!

Right at the moment, a lot of sites won’t have installed the patches to fix the bug, so they are still vulnerable, and you really don’t want to be typing in a new password that is being intercepted, do you?

I am not an IT advisor, but I have managed to get through 33 years of computing all day every day with only 2 viruses so far, and one of those came on the system disks with my first ever Mac in 1987 – yes really. I think my approach is fairly common sense and not too over the top.

There is a natural common sense order in which you need to do stuff. It will take you ages, so my advice is to wait a couple of days. The bug has been there a long time, so a couple of days more won’t increase your risk much, but if you change everything this morning you might have to do it all over again in a few days’ time. If it makes you feel safer, do Step 2 now and then change your Google and Yahoo passwords.

When you do:

Step 1

First, limit how much you use the web or internet for the next day or two, so that you are compromised as little as possible: as few passwords intercepted, cookies read and password files stolen as possible.

Step 2

Meanwhile, clean your PC up a bit. Some of you will be bang up to date and will have a different set of favourite tools than me, in which case, do it your way, but make sure you do it. If you are not quite so IT savvy, try my list:

Run CCleaner. If you don’t have it, get the free version from

http://www.piriform.com/ccleaner/download

(Advanced System Care works fine too, but in my experience you need to be extremely careful installing it to avoid getting other dross on your machine. Don’t just click next without reading what boxes are checked/unchecked and what other downloads you’re authorising. I have both but really, either works fine alone)

Basically, tick all the boxes for all the browsers to clear out all your cookies and any junk that may have been stored in your temporary files. Then do a registry clean. It isn’t related to this problem but it is good practice anyway.

Your memory, wastebasket, temporary files, and other places that can be scanned using the Heartbleed bug are now clean. I recently tried using SuperAntiSpyware too, which is fine, but so far it hasn’t found anything if I have already run CCleaner.

Now, when you do use the web before it is all patched, you’ll at least be at lower risk.

Step 3

DON’T PANIC!!!!

HT Douglas Adams.

The world probably won’t collapse before the weekend and all the competent companies will have their IT staff patching up and writing you nice emails or welcome screens to say how much they love you and protect you and that they are now ready for your new password. Well, wait a while. They may be ready, but if your browser isn’t yet ready, and especially if you’re saving your passwords using the browser, then your new password could be intercepted.

Think about it. If you are being intercepted, changing the password won’t work: the new one will be caught, so you’ll have to do it all again. If you aren’t, then you won’t know, so you will still have to do it again just in case. Google and Yahoo say you don’t have to worry about their sites, and they are probably telling the truth, but I among many am not 100% convinced, and I will be changing my Google and Yahoo stuff. Soon, but not yet.

Use the time to make a list of any sites you remember visiting that have passwords, especially any with other personal details or credit card or bank details.

Step 4

On Saturday, Sunday or Monday, reserve a long session to fix your life. Make a big coffee and sit yourself down.

4.1 Run system update to make sure your system is up to date with the latest fixes.

4.2 Do Step 2 again to make sure your PC is once again clean.

4.3 A full system scan for viruses and other malware wouldn’t hurt.

4.4 Reboot, just for peace of mind. You will be changing everything, and you want to feel you did it right.

4.5 Think up some sort of password scheme that is different from the one you used before. Use combinations of things: first letters of items or people on a list, keyboard patterns, numbers that mean something. It’s notoriously easy to guess a birth date or a pet’s name, but hard to crack a combination of bits of several things. Everyone agrees you should use a different one for every site, but we all know you won’t. At least if you use the same root, change a leaf or two by including a letter or two from the site name, maybe shifted two letters along the alphabet or whatever. Even that helps. Be inventive.

4.6 If you use a master password file on your computer, empty it, then change its password, so that your new ones go into a clean and secure box.

4.7 Change your Google and Yahoo passwords, and any browser passwords. If they had been compromised, then anything else you did on any part of their empires could have been. If you store passwords using the browser, the browser has to be safe before you do anything else. So you have to do them first, or anything else you do could be a waste of time.

4.8 Change your email passwords. You won’t remember all your old ones, so you will have to get resets for some, and you will need your email for that. You need to be sure you’re using fresh passwords for email in case the old ones had been stolen.

4.9 Change your Facebook, chat room and any other social networking passwords. Some say they are safe; best be safer still and change them anyway to your new regime.

4.10 One by one, log on to every other site you use and change its password. Use a mixture of characters: capitals and lower case, numbers, punctuation marks (if they are allowed). Write the new password down in your little black book if you want, in a way that means something to you but nobody else.

4.11 Relax. You won’t remember all the sites you ever go to. Some, you won’t have been to for months or even years. But when you cleaned your PC, you deleted all those passwords, so if they weren’t already stolen, at least they won’t be stolen now. You will still face a small risk if your passwords are known for sites you don’t remember, but it is probably just a small risk, so really not worth worrying too much about.
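The steps above ask for a fresh password per site with a mixture of capitals, lower case, numbers and punctuation, and note that a different password for every site is what everyone agrees on. The script below is an added example, not part of the original post, and it goes a little beyond the root-and-leaf scheme described in Step 4: it draws an independent random password for each site from the operating system’s random source (the kind of thing you would then drop into the master password file from the same step) and checks each one against the required character mix. The punctuation set and the minimum length are my own choices.

```python
# Added example (not from the original post): generate one independent
# password per site from the OS random source and check it against the
# character mix the post asks for. Nothing is derived from the site name,
# so learning one password tells an attacker nothing about the others.
import secrets
import string

CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    # A conservative punctuation set most sites accept (my own choice).
    "punct": "!@#$%^&*()-_=+[]{};:,.?",
}


def _required_classes(allow_punctuation):
    base = ["upper", "lower", "digit"]
    return base + ["punct"] if allow_punctuation else base


def meets_policy(password, min_length=12, allow_punctuation=True):
    """True if `password` is long enough and has one char from each class."""
    if len(password) < min_length:
        return False
    required = _required_classes(allow_punctuation)
    return all(any(c in CLASSES[name] for c in password) for name in required)


def generate_password(length=16, allow_punctuation=True):
    """Random password that is guaranteed to satisfy meets_policy()."""
    required = _required_classes(allow_punctuation)
    if length < max(12, len(required)):
        raise ValueError("length too short for the required character mix")
    # One guaranteed character from each class, the rest from the whole pool.
    chars = [secrets.choice(CLASSES[name]) for name in required]
    pool = "".join(CLASSES[name] for name in required)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed
    # characters do not always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def passwords_for_sites(sites, length=16, allow_punctuation=True):
    """One independent password per site, keyed by the site name."""
    return {site: generate_password(length, allow_punctuation) for site in sites}


if __name__ == "__main__":
    # Constructed site list for the demonstration; not from the post.
    for site, pw in passwords_for_sites(["mail.example", "bank.example"]).items():
        print(f"{site}: {pw}  policy ok: {meets_policy(pw)}")
```

The guarantee-one-then-shuffle approach is what makes `meets_policy` always pass for generated passwords; a plain `secrets.choice` loop over the pool would occasionally miss a class and fail a site’s form. For a site that forbids punctuation, pass `allow_punctuation=False` to both functions.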
