You might have heard on the news or web about the ‘heartbleed’ bug. I want to answer two questions: Does it affect Macintosh users? Do I need to do anything about it?
Apple has made the following statement on Heartbleed: “Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.”
While this is good news, it does not mean Mac users are unaffected. Any password entered on any computer, iPad, iPhone, iMac, MacBook, mobile phone etc. that accessed the internet around April this year could have been compromised. Most Apple products were not affected directly, but we use our Apple devices to access less secure servers, so your password could have been captured at the computer on the other end of the internet connection. The Heartbleed bug is a flaw that let someone read secure information as it was transferred around the internet. Whether you are affected depends not on your computer but on which sites you visited.
The Heartbleed bug affected a lot of internet sites. Estimates put it at approximately 17% of internet sites. That is huge! A lot of these are big-name sites, and there are thousands of smaller sites that may have been affected too.
So if you used the internet at all, for web browsing or gaming or even through an iPhone app, any time around April 7, 2014, and entered a password of any kind or a Visa card number, it is possible that your passwords or private details were stolen by someone. Pretty much every company is suggesting you change your passwords.
The bug was discovered on April 7. The fix was released on April 7. So if you have used the internet anytime since April 7th, 2014, and have typed in a password, you may be affected.
Change your passwords.
1. If you used the internet any time in the last 2 weeks, go and change your passwords for those websites you accessed. Do it now.
2. For other sites not on the ‘safe’ list below, if you want to be cautious, change your passwords now. I’ll be changing them next time I log in to each site.
You may have entered a login and password on some obscure internet site to download some music, purchase a pot plant, sign in to a woodworking forum, or any such thing. You may not even have entered a password yourself: Safari could have auto-filled a password for you without you realising. It may even be an iPhone app (e.g. Instagram) that automatically enters your password for you.
So you should go to all these sites now and update your passwords.
Here’s a list of sites that may have been affected.
‘Safe’ means they did not use SSL and so could not have been affected.
‘Not Safe’ means they did use SSL, and even though the software has been fixed, they could have been affected at any time in the past 2 years, but most likely around April 7, 2014. All ‘Not Safe’ sites are encouraging users to change their passwords ASAP.
Apple, iTunes, iCloud, OSX
Amazon, Paypal, eBay
1Password password manager
Westpac, ANZ, Commonwealth, NAB, St George
Google, Yahoo, Instagram, Pinterest, Twitter, Flickr
Gmail, Yahoo mail, Blackberry
Amazon Web Services, Ars Technica, GitHub, Reddit, SoundCloud, Wikipedia, Wunderlist
Steam, Minecraft, League of Legends
It’s a very bad idea to use the same password for every website. The reason is that smaller websites can be less secure, depending on who runs them, and it’s possible someone could get your password from your local woodworking forum website, then use that password to log in to your Apple or Gmail accounts.
I use 1Password, a password manager that invents a different password for every website I log in to.
Safari now has a feature to assign a password to a website. I still prefer 1Password because I don’t like the idea of having my passwords linked into Safari, but the Safari system is better than nothing.
At the very least, you should have a unique, secure password for every single financial login you have (e.g. Westpac Bank, Commonwealth Bank, iTunes, PayPal: that would be 4 passwords), and then a less secure password that you can share across all the forums you don’t care so much about, so that if someone gets your less secure password they can’t log in to your financial websites.