1) Log out and log back in to any site where you stay logged in
2) Change your Internet passwords as each site informs you that they've fixed this security problem
- Update your HealthUnlocked password NOW - they've patched their servers
3) For at least the next week, keep an eye on any of your sensitive online accounts (banking, webmail) for suspicious activity. (Thanks for that tip, Chris)
4) Further to (2) above, in a few weeks' time change your passwords AT LEAST on all sites where you've previously provided sensitive information if you haven't had a reminder to do this. I'd mark this on your calendar to do in early May.
Heartbleed is a catastrophic bug in the security software used by about two thirds of the world's Internet servers that generate the web pages you look at every day - including HealthUnlocked. Popular sites such as Yahoo, Imgur, and OKCupid have all been hit by Heartbleed and there will be many, many more.
HealthUnlocked sent out an urgent email to community administrators at 2:21AM my time, asking us to warn our communities about Heartbleed, so I really appreciate Chris (Cllcanada) letting everyone know about this security risk while I was asleep. HealthUnlocked immediately released the server security patch around 2PM UTC/GMT on Wednesday 9th April, and if you were logged into this site then, you would have noticed that you had to log back in. (This forced re-login was an added security measure by HealthUnlocked to make you drop the old secure connection, which was at risk of being targeted by Heartbleed, and reconnect to the patched server.)
Because the flaw is on the server side of the secure connection for websites using https:// rather than the usual http://, you should
(a) log out then log back in on all websites before doing any security sensitive activities (particularly for financial transaction sites such as banking and internet purchasing) until the relevant servers are patched by the companies concerned.
(b) Change your password on all sites where the site's security is important to you when you are prompted to do so. If you haven't had a prompt by early May, update your password anyway on these sites.
(c) If you use the same password on more than one site, change your passwords so they are all different.
Why (c)? Many websites ask you to use your email address as your username. If you use the same password on several sites, all an attacker needs to do is run an automated program that tries a password leaked through a vulnerability like Heartbleed, together with your email address/username, on commonly used websites and reports whenever it gains access to one of your accounts.
The software library concerned, OpenSSL, was patched 2 days ago, but now all the programs using this library will need to apply the patch, and companies worldwide will then need to install those patched programs on their servers. Full marks to HealthUnlocked for already doing this to maintain the security of the information you share with other members in our community.
While the above sounds alarming, the current risk is seen as minimal. However, scripts demonstrating how to attack this vulnerability have already been released on the internet, so it is now a race between the good and the bad; please take the recommended precautions.
Here's the notification I received from HealthUnlocked:
"A major online security flaw called Heartbleed was recently discovered by a researcher at Google and a Finnish security firm called Codenomicon. Though you may have already heard about it from one of the major news organisations like the NYTimes that have been covering this since last night, we wanted to get in touch with you as well.
This issue is a flaw in OpenSSL, which is the encryption technology that two thirds of websites, including HealthUnlocked, use. We immediately released a patch to fix this issue and for added measure this morning we logged out every member of HealthUnlocked to make everyone log in again.
Though the risk is very minimal, there is a chance that some of your personal information, like your password, in one of your online accounts may have been affected. As a consequence, we strongly recommend that you do the following:
1. log out of websites where you selected 'keep me logged in' & log in again
2. update all your passwords
Additionally, though they may have heard about it in the news as well, we recommend that you write a post in your community to inform your members. Feel free to refer to our blog post update in your post if that can help explain what happened to your members as well as the tips about creating a strong password."
Three tips to create a strong password
More on Heartbleed
The Australian - excellent article
Note that Facebook, Google (YouTube, Gmail, etc) and Yahoo (yahoo services, Flickr, Tumblr) are already patched, so you should update your passwords for these sites if you use them.
New York Times article
Yahoo Tech - from Chris's post. A bit more about the technical side of things for those interested.
Note well: You will NOT be protected from Heartbleed even if you have applied all security updates to your operating system and the programs you use on your computer/tablet/smartphone, etc., and are using an updated virus protection application. The security vulnerability is on the server end of the connection - not your end.
The photo accompanying this post shows a sign in a Linear Park in the suburb of Paradise, under which some wag has carefully added 'Lost'. I thought it was somewhat appropriate.