What is Heartbleed? Heartbleed is a vulnerability in OpenSSL software. OpenSSL is encryption software that accesses websites through a “secure” connection, HTTPS://. How does it work? To communicate, a client computer and the server send back and forth a short block of data. The block contains a value for the length of the block. The malformed block says its length is 64KB, the maximum possible. The server copies that much data from memory into the response. It may send passwords, encryption keys, etc. When happened when? OpenSSL released March 2012 Publicly reported as vulnerable 1 April 2014 Patch released 21 March 2014 (Some fixes had already been put in place then) First proven attempted exploit 8 April 2014 Intentional vulnerability test 12 April 2014 How may sites are vulnerable? (After vulnerability was reported publically) How may sites are vulnerable? A list the top 1,000 most popular web domains and mail servers that remain vulnerable. https://zmap.io/heartbleed/ What should you do? Change all passwords as soon as you can. Find out which sites are vulnerable On vulnerable sites that have been patched: Old passwords may be compromised On sites not yet patched (ask about current status): New passwords may become compromised, so change them regularly On sites not affected: Was same password used elsewhere? Which sites are not affected? Almost all financial service sites are OK. Amazon BCPL Dell Ebay Erickson Gcflearnfree Haband MS Live ID Mychart, (Erickson) PayPal US Treasury Which are common patched sites? Dropbox Facebook Google Netflix Norton Skype Wikipedia Yahoo Site List http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ Search for site https://lastpass.com/heartbleed/ How do I manage? Use a Password Manager, free - LastPass Use a LastPass account, import your existing passwords or save newly generated ones. A good way to manage passwords in Windows, includes an IE installer. Supports Internet Explorer 8+, Firefox 2.0+, Chrome 18+, Safari 5+, Opera 11+. http://www.pcmag.com/article2/0,2817,2407168,00.asp https://lastpass.com/misc_download2.php What does your son/daughter know? • Keep a separate, up to date record of your passwords in a safe place. • Make sure your designated representative knows where that record is.