Two days ago (as of the time I’m writing this), a very serious bug in the OpenSSL library was discovered independently by two researchers, both of whom reported it immediately. You can probably find all of the sordid details of how that came about in Wikipedia by now.
Why am I writing about this? Because there is a high probability that you have been affected by this bug. I don’t know if Amazon ever used any of the buggy versions of OpenSSL, since they aren’t saying one way or the other. If they have, I would bet money they have already fixed that by the time you are reading this.
Ironically, since I don’t use the HTTPS encryption protocol on this site, Amazopia has probably not been compromised, although I don’t know that for sure (I have a support ticket open with my hosting provider asking about that). Not that a cybercrook would find anything valuable enough here to be interesting anyway. But if you have logged into any site in the last year that does use HTTPS (your bank, Amazon, PayPal, and a few thousand others), you may have already given up everything needed to execute a successful identity theft and clean out everything you own.
Especially if you are among the 90% (or more) of folks who use the SAME PASSWORD on every account you have. I’m not going to ask — you know who you are.
I’m getting dozens of emails assuring me that such-and-such organization has carefully checked their systems and found no evidence of compromise. You probably are, too.
The problem is, the HeartBleed Bug allows a cybercrook to compromise a system without leaving ANY EVIDENCE!! And the problem has been out there for about a year, during which time it has been installed on more than 60% of all webservers. Which means that all those folks trying to reassure you that your data is safe with them are either utterly clueless, or lying. This is potentially the most serious bug ever to hit the internet.
The upside of all this, if there is one, is that there are a lot of bad guys out there who use OpenSSL. Hopefully, all of them have been pwned by now. Cybercrime may actually decrease for a spell, while the cybercrooks scramble in a panic to re-secure their own stuff. And spend some time sweating profusely over it.
Meanwhile, what can you do to protect yourself? Unfortunately, not much. And the little you can do is going to be tedious. Mostly, you just have to wait for the folks you do business with to patch their systems. Here are my suggestions:
- Get LastPass (or a similar service — there are several, but LastPass is the one I use)
- Use it to change the password on every account you access on the internet to a unique, strong one. Yes, ALL of them.
Do it now. Then do it again for each site from which you get a “reassuring” email.
Edit: I just got the reply to my support ticket. My hosting provider installed the patch that fixed the HeartBleed Bug yesterday.