I once had a car, a 1986 Nissan Pulsar NX, that had no keys. The ignition was started with a screwdriver, and the doors were always unlocked. I had this car for more than two years before it was towed away by the city.
Imagine an estimated two-thirds of the web's servers being that car. This, my friends, is Heartbleed, a bug written into OpenSSL at the end of 2011, shipped in March 2012, and not disclosed until April 2014; the doors have been open the whole time. And the locksmiths are taking their time going around and changing the locks.
Here are a few tips for managing this minor crisis:
The technical details of the vulnerability are complicated, but here's an oversimplified version: OpenSSL is the software library many servers use to encrypt your connection (the padlock in your browser). Starting with OpenSSL 1.0.1, released in March 2012, its "heartbeat" feature (a small keep-alive message) had a bug: the server answered by sending back as much data as the request claimed to contain, without checking how much the request really carried. A specially crafted request makes the server reply with up to 64 KB of whatever happens to be in its memory at that moment. Hit it enough times, and you may collect passwords, session cookies, and even the server's private encryption key, all without leaving a trace in the server's logs.
Sounds terrifying, right? It gets worse: an estimated two-thirds of active web servers run on OpenSSL, and a large share of them were running the affected versions (1.0.1 through 1.0.1f), including household names like Yahoo! and Google.
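To make the "oversimplified version" above concrete, here is a toy model of the heartbeat handling, written for this post rather than taken from OpenSSL. The record layout is simplified, "server memory" is a small constructed array with a made-up secret placed just after the request, and the bounds check in the fixed handler is modelled on the one OpenSSL 1.0.1g added (header plus claimed payload plus padding must fit inside the record actually received). Function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of TLS heartbeat handling, written for this post; not
 * OpenSSL's code. Process memory is a small constructed array so the
 * over-read stays inside it (the real bug could read up to 64 KB). */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* padding bytes that follow the payload */
#define MEM_SIZE    64

/* Constructed sample of what lies beyond the request in server memory. */
static const char secret[] = "hunter2:session-cookie";
static unsigned char memory[MEM_SIZE];

/* Write one heartbeat request into memory[] and return its true length.
 * claimed_len is what the sender puts in the length field; an attacker
 * makes it larger than the payload that is really there. Keep
 * claimed_len <= MEM_SIZE - 3 so this demo reads only its own array. */
size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t rec_len = 1 + 2 + plen + HB_PADDING;

    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, payload, plen);
    /* Whatever happened to be next in memory: another user's data. */
    memcpy(memory + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Pre-fix behaviour: trusts the length field in the request and copies
 * that many bytes into the response, never asking how long the record
 * actually was. Returns the response length. */
int hb_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                         /* the bug: never consulted */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);     /* reads past the request */
    return 3 + payload;
}

/* Patched behaviour, modelled on the bounds check added in OpenSSL
 * 1.0.1g: header, claimed payload and padding must fit inside the
 * record that was actually received. Returns -1 when rejected. */
int hb_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                         /* too short to be a heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                         /* silently discard */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

/* Does the response contain the neighbouring secret? */
static int contains_secret(const unsigned char *buf, int n)
{
    const char *needle = "hunter2";
    size_t m = strlen(needle);
    for (int i = 0; i + (int)m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Run one "ping" request through either handler.
 * Returns -1 if the request was rejected, 1 if the response leaked the
 * secret, 0 if the response was clean. */
int run_heartbeat(uint16_t claimed_len, int use_fixed)
{
    unsigned char out[3 + MEM_SIZE];
    size_t rec_len = build_request(claimed_len, "ping");
    int n = use_fixed ? hb_fixed(memory, rec_len, out)
                      : hb_vulnerable(memory, rec_len, out);
    if (n < 0)
        return -1;
    return contains_secret(out, n);
}

int main(void)
{
    printf("honest request, old code : %d\n", run_heartbeat(4, 0));
    printf("lying request, old code  : %d\n", run_heartbeat(40, 0));
    printf("lying request, fixed code: %d\n", run_heartbeat(40, 1));
    return 0;
}
```

An honest request (claimed length 4, payload "ping") gets a clean 7-byte reply from both handlers. A request that claims 40 bytes but carries 4 makes the old handler echo the made-up secret sitting just past the record, while the fixed handler drops it. In the real library the length field allows up to 65,535 bytes, which is where the "64 KB per request" figure comes from.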
Are Your Sites Affected?
One set of sites you'll really want to keep an eye on (besides the obvious: email) are your cloud-based storage sites (What's in your Dropbox?) and cloud practice management platforms (kudos to Clio, who responded immediately to an inquiry by notifying us that they've already applied a patch). Several free online checkers will tell you whether a given site is still vulnerable. Keep in mind that because the bug can leak a server's private encryption key, a site isn't fully repaired until it has both patched OpenSSL and replaced its SSL certificate; a certificate issued before the April 7, 2014 disclosure on a site that was vulnerable means the old key may still be in use.
Change Passwords Now?
Security experts are recommending that users wait to change passwords until after sites have been patched. Otherwise, you're changing the locks but leaving the window open: a new password typed into a still-vulnerable server can be captured just like the old one. Still, for a particularly sensitive site, it's reasonable to change your password now and once more once the site confirms it has patched. Expect most major websites to be patched within a day or two.
Once patches are in, we'd recommend having a password party, where you go into your email, search for phrases like "account" or "password" to find the names of every account you've forgotten about, then spend hours logging in to each one and changing your password. Remember not to use the same password for every site -- if one site gets hacked, the rest fall like dominoes. Tools like LastPass store your passwords so that you can have long, complex passwords for each site.
Two Factor Authentication
Passwords are great, but they can be stolen or cracked -- how often do you hear about a major company (or in this case, the Internet) being hacked?
Setting up two factor authentication is a must for sensitive accounts. These systems typically require you to use an app or receive a text message for a second layer of security. A hacker would have to have both your password and your phone to get into your accounts. It won't help, though, if an attacker steals a session that is already logged in, which Heartbleed can also do, so log out of sensitive services when you're finished with them.
It's inconvenient, sure, but on a handful of super sensitive services? It's worth it.
Update Your Clients?
It's not just your accounts that need new passwords -- your clients' do too. How much of their sensitive information is available through their email accounts, or, if you use a cloud practice management platform, their client portals? A clearly worded email, explaining that you've secured their data, that there is no evidence that their data was compromised, and that they too should change their passwords can go a long way toward assuaging their fears. Be precise about that middle point: Heartbleed leaves no entries in server logs, so "no evidence" is an honest statement of what you know, not proof that nothing happened.
How are you handling Heartbleed? Tweet us @FindLawLP with your tips and stories.