Heartbleed virus?



razz
4-9-14, 12:33pm
What do you know of this virus and which sites have been affected?
CBC has troubling info on this.
http://www.cbc.ca/news/technology/heartbleed-web-security-bug-what-you-need-to-know-1.2603988

Kestra
4-9-14, 1:38pm
All I know so far is that my brother who works in high level IT says it's a real concern and that Revenue Canada isn't doing any online stuff (electronic tax returns) currently.

CathyA
4-9-14, 1:44pm
Oh great.

gadder
4-9-14, 2:00pm
The vulnerability was revealed this week and a patch is available already. It must be applied at the Server end, not by us poor saps. What can we do? Same as always:
- change passwords regularly
- use a strong password
- review statements regularly

Anyone with lots of money and doing online banking might be a desirable target, but for most folks I do not think this is anything to worry about; rather, worry about debit scams at point-of-sale, that's more likely.

From the CBC article:
"This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,"...

Sounds like what our very own national security services are doing already.>:(

jp1
4-9-14, 3:45pm
Also, don't share passwords on multiple sites.

Personally I use a password vault, keepass, that stores them encrypted and also randomly generates them so that you use completely random ones.
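The point about a vault generating "completely random" passwords is easy to make concrete. The following is an added example (not code from the thread or from KeePass) showing how a generator draws from the OS random source and how much entropy an 8-character password, a 20-character password and a word-list passphrase carry; the word list here is a constructed stand-in, and the 7776-word figure used for the passphrase estimate assumes a full diceware-style list.

```python
import math
import secrets
import string

# Character set a vault typically draws from: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list standing in for a real diceware-style
# list; the entropy of a passphrase depends on the real list's size, not this one's.
SAMPLE_WORDS = ["anchor", "basil", "copper", "delta", "ember", "fjord", "garnet", "harbor"]
DICEWARE_LIST_SIZE = 7776  # assumed size of a standard diceware list


def entropy_bits(choices: int, length: int) -> float:
    """Entropy in bits of `length` independent, uniform picks from `choices` symbols.

    This is log2(choices ** length); it only holds when every pick is uniform,
    which is why the generators below use the `secrets` module and not `random`.
    """
    return length * math.log2(choices)


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from `alphabet`, using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int = 6, sep: str = " ") -> str:
    """Passphrase of `count` words picked uniformly (with replacement) from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_strengths() -> dict:
    """Entropy of the three password styles discussed in the thread, in bits."""
    return {
        "8 random chars (94-symbol alphabet)": entropy_bits(len(ALPHABET), 8),
        "20 random chars (94-symbol alphabet)": entropy_bits(len(ALPHABET), 20),
        "6 diceware words (7776-word list, assumed)": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "6 words from the tiny sample list": entropy_bits(len(SAMPLE_WORDS), 6),
    }


if __name__ == "__main__":
    print("generated password :", random_password())
    print("generated passphrase:", random_passphrase(SAMPLE_WORDS))
    for label, bits in compare_strengths().items():
        print(f"{label}: {bits:.1f} bits")
```

The comparison is the useful part: an 8-character random password sits near 52 bits, a 20-character one above 130, and six words from a full-size list near 78 bits, which is why a long random string or a multi-word phrase from a large list is what a vault should produce, and why a phrase assembled from a small vocabulary (or a memorable lyric) carries far less than its length suggests.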

RosieTR
4-9-14, 11:02pm
Ugh, DH is installing a password keeper now and the next evenings and/or weekends will be changing pwords. He *says* long pwords are best, whole random sentences are ok. In contrast to other info which makes you come up with something unrememberable. The best thing I've come up with is figuring out a connected song lyric and using like the first letter of that. Then you get an ear worm each time you log in tho....

razz
4-10-14, 8:47am
Some sites using passwords stipulate that it be about 8 characters and others much longer. I need more info about the password keeper options if anyone can share. I looked up 'keepass' and it sounds interesting. How can I be sure that it is secure in today's world?

jp1
4-10-14, 9:29am
My sister recommended keepass. She has worked in computer security for many years so I trust her opinion. Also, I believe it's open source software, so anyone can review the code and look for nefariousness.

RoseFI
4-10-14, 8:15pm
First off, know that I alerted Alan & Iris Lily to this first thing this morning (Pacific time) and Alan verified that the SLF log in does not use HTTPS - which is the encryption method that has the vulnerability. However, goDaddy hosts our website, and it was vulnerable, and they have patched that vulnerability (http://godaddyblog.com/open-ssl-heartbleed-weve-patched-servers/). Not that SLF stores any sensitive data of yours on the server, but I think it's wise for people to change their passwords just as a precautionary measure (and I'll post this recommendation in other appropriate areas.)

Secondly, you should not take this lightly, a la gadder. As far as I can tell from the limited reporting so far, this vulnerability has been active for possibly up to two years (when the vulnerable version of the software was published.) Any website that you logged in to that uses HTTPS:// may have been compromised. So I would advise you to check the websites on which you are registered and may have logged in. Just going in and changing your password will not necessarily protect you -- UNLESS you know that the website has applied the upgrade that closes the back door. Otherwise, you're just giving the hacker your new password. So before you log in anywhere, go to the place on the site where they give news updates, or support, or contact them directly to check if they were vulnerable to Heartbleed in the first place, and if so, whether they have fixed it. And if so, in addition to changing your password, review what transactions you may have done through that site. If a sensitive-data transaction has occurred there in the last two years, be on alert that information may have been compromised.

Today I checked the online banking user agreement for Wells Fargo. WF was NOT vulnerable to this attack, but I was just curious -- looks like their new online banking user agreement (which I have never agreed to, though they tell me they will cut off access if I don't) says that users have no claim against them if they are robbed as a result of accessing online banking. I imagine other banks agreements may say the same. So don't think that the bank will take care of you -- as the Russian proverb goes, so often attributed to Reagan: Trust, but verify!

jp1
4-10-14, 9:03pm
Krebs on Security had a good article about this today. He recommends several links that can check if a site is safe or not.

http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/#more-25638

http://filippo.io/Heartbleed/ This is the first site suggested for testing. If it comes back with the result that it was unaffected or has been fixed, then I would recommend changing your password for that site. If it says the site has the heartbleed problem then don't log in, and keep checking to see when the site is fixed, and then change your password.
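Besides the online checkers, one thing a practitioner looks at before trusting a site again is whether its certificate was reissued after the bug became public, since a server that patched but kept its old key may still be impersonated if that key leaked. The following is an added example, not from the thread or from Krebs' article: it reads the certificate dictionary in the shape Python's `ssl` module returns and reports whether the certificate's validity start (`notBefore`) is after the public disclosure date of 7 April 2014. The two certificate records are constructed samples; `fetch_peer_cert` is a hypothetical helper for a live check and is not used in the offline run.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of Heartbleed; the thread's own dates (April 9-10, 2014) are just after it.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after(cert: dict, since: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """True if the certificate's notBefore lies after `since`.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(), whose
    'notBefore' field is a string such as 'Apr 10 00:00:00 2014 GMT'.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before > since.timestamp()


def assess_cert(cert: dict) -> str:
    """Short verdict: a reissue after disclosure is a good sign, an older cert is a question to ask the site."""
    common_name = dict(x[0] for x in cert["subject"]).get("commonName", "?")
    if cert_issued_after(cert):
        return f"{common_name}: certificate issued after disclosure (reissued or new)"
    return f"{common_name}: certificate predates disclosure; ask whether the site rotated its key"


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Hypothetical helper for a live check; performs a normal TLS handshake and returns the peer cert."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificate records (the same dict shape getpeercert() produces).
REISSUED_CERT = {
    "subject": ((("commonName", "patched.example.test"),),),
    "notBefore": "Apr 10 00:00:00 2014 GMT",
    "notAfter": "Apr 10 23:59:59 2015 GMT",
}
OLD_CERT = {
    "subject": ((("commonName", "unchanged.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2013 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}


if __name__ == "__main__":
    for cert in (REISSUED_CERT, OLD_CERT):
        print(assess_cert(cert))
```

A certificate dated after the disclosure only suggests the site rotated its key; it is not proof, and a site that was never vulnerable has no reason to reissue. The check complements, rather than replaces, the "was it vulnerable and is it fixed" questions in the posts above.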

creaker
4-11-14, 7:46am
> Krebs on Security had a good article about this today. He recommends several links that can check if a site is safe or not.
>
> http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/#more-25638
>
> http://filippo.io/Heartbleed/ This is the first site suggested for testing. If it comes back with the result that it was unaffected or has been fixed, then I would recommend changing your password for that site. If it says the site has the heartbleed problem then don't log in, and keep checking to see when the site is fixed, and then change your password.

Depending on your level of worry on this issue, you may want to change passwords anyway. This bug has been around for a while, there is the potential that hackers have been collecting data long before sites were fixed.

ToomuchStuff
4-11-14, 11:31am
> The vulnerability was revealed this week and a patch is available already. It must be applied at the Server end, not by us poor saps. What can we do? Same as always:
> - change passwords regularly
> - use a strong password
> - review statements regularly
>
> Anyone with lots of money and doing online banking might be a desirable target, but for most folks I do not think this is anything to worry about; rather, worry about debit scams at point-of-sale, that's more likely.
>
> From the CBC article:
> "This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,"...
>
> Sounds like what our very own national security services are doing already.>:(

Any bug can be exploited:
http://www.youtube.com/watch?v=wwRYyWn7BEo

That said, one's firewalls/NAT boxes could also be affected. Most people only think of a server as somebody else's box.

jp1
4-11-14, 4:49pm
http://xkcd.com/1354/

A really simple explanation of how heartbleed does it.
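The comic's mechanism, a heartbeat request whose stated payload length is larger than the payload actually sent, comes down to one missing bounds check. The following is an added example, not from the thread, xkcd or OpenSSL: a small Python simulation of a TLS heartbeat handler over a constructed byte buffer (the record followed by unrelated "adjacent" bytes standing in for process memory). The unchecked handler trusts the peer's length field and echoes bytes beyond the record; the checked handler applies the same test as the OpenSSL fix (discard the message if type + length + payload + padding does not fit inside the received record). The message layout follows RFC 6520; names and the buffer contents are assumptions for the simulation.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # a heartbeat message carries at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Heartbeat message: type (1 byte) | payload_length (2 bytes) | payload | padding.

    `claimed_len` lets a test construct a malformed message whose length field
    disagrees with the payload actually present.
    """
    if claimed_len is None:
        claimed_len = len(payload)
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_unchecked(memory: bytes, record_len: int) -> bytes:
    """Simulates the pre-fix handler: copies `payload_length` bytes starting at the
    payload without checking that they lie inside the `record_len` bytes received."""
    payload_len = struct.unpack("!H", memory[1:3])[0]
    payload = memory[3:3 + payload_len]  # may run past record_len into adjacent memory
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """The fixed handler: the claimed payload must fit inside the received record,
    otherwise the message is silently discarded (returns None)."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None  # too short even to hold the header and minimum padding
    payload_len = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # length field overstates what was actually sent
    payload = memory[3:3 + payload_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * PADDING_LEN


# Constructed stand-in for the bytes that happen to sit after the record in memory.
ADJACENT_MEMORY = b"SECRET-ADJACENT-DATA"


def simulate(payload: bytes, claimed_len: Optional[int] = None) -> dict:
    """Run both handlers on the same record and report whether adjacent bytes leaked."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + ADJACENT_MEMORY
    unchecked = handle_heartbeat_unchecked(memory, len(record))
    checked = handle_heartbeat_checked(memory, len(record))
    return {
        "unchecked_leaks": ADJACENT_MEMORY[:6] in unchecked,
        "checked_response": checked,
    }


if __name__ == "__main__":
    print("well-formed request:", simulate(b"hat"))
    print("overstated length  :", simulate(b"hat", claimed_len=40))
```

For the well-formed request both handlers return the same three-byte echo; for the request whose length field says 40 while only three bytes were sent, the unchecked handler's reply contains the adjacent bytes and the checked handler returns nothing at all. That discard is the whole of the fix: the server only ever echoes what it can verify it received.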

bae
4-11-14, 6:05pm
Good thing our boys at the NSA were all over this, keeping America safe!

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

razz
4-11-14, 7:03pm
> Good thing our boys at the NSA were all over this, keeping America safe!
>
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

Very disturbing to read this article. What else don't we know about yet?

jp1
4-14-14, 1:19pm
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

A list of popular websites detailing which were affected by heartbleed and whether they've been patched or not.

razz
4-14-14, 2:18pm
Lots of sites needed to be updated. Thanks, JPL

Spartana
4-30-14, 1:03pm
UGH just tried to change my password at the VA site that houses ALL my personal data (name, SS#, birthdate, medical records, etc...) and for some reason I wasn't able to do that. Anyone know if those kind of government agencies are affected by this too?

ToomuchStuff
5-2-14, 11:59am
> UGH just tried to change my password at the VA site that houses ALL my personal data (name, SS#, birthdate, medical records, etc...) and for some reason I wasn't able to do that. Anyone know if those kind of government agencies are affected by this too?

Best to email tech support. Some agencies use open source, which the bug in question was in, while a lot use proprietary (Unix) type systems.