The Information Age
Heartbleed bug could compromise personal data
By Peter Newell

By now you have probably heard of the Heartbleed bug and may be concerned about whether or not it affects you.

The primary thing to understand is that Heartbleed is not a virus. Your computer cannot be infected by it, which is a good thing. However, this also means your antivirus program can't detect it; therefore you have no easy way of knowing whether or not the security of any of your information has been compromised.

Even though Heartbleed is not a virus, you could have a problem with the device you use for Internet access. In particular, if you have a phone or tablet running Android 4.1.1, your device is vulnerable to attack. According to, recent estimates pin the number of vulnerable devices at about 50 million.

Heartbleed is a vulnerability in some versions of OpenSSL, software that implements SSL (Secure Sockets Layer), a method for providing security by encrypting data sent over the Internet. It is widely used on web sites that require you to enter sensitive personal information.

The vulnerability allows an attacker to read the memory of affected systems. Hackers could access user names, passwords, or even the secret cryptographic keys of the server. This would enable them to observe all communications on that system, allowing further exploitation.

If you visited a web site in the last two years that used an affected version of OpenSSL, your personal information could be compromised.

Heartbleed is a serious potential security risk and has made the headlines recently. However, my research has turned up almost no instances of confirmed actual security breaches. According to TrendMicro, "there have been no successful Heartbleed attacks documented to date, but that does not mean they have not happened."

The only specific reported instance I have found is a compromise of 900 taxpayer accounts at the Canada Revenue Agency. Computer scientists at the University of Michigan said the Heartbleed bug had been used by 41 groups to access data that was put on the Internet as a test.

One report said the top 1,000 sites on the Internet are safe and only 53 of the top 1,000 were found to still be vulnerable. Another stated that although 66 percent of sites use OpenSSL, as of April 8 only 17 percent were susceptible, meaning only about 11 percent of sites overall are susceptible.

So it looks to me that although the potential for compromised personal data is real, the chance your information has been or will be compromised is fairly low.

This does not mean you shouldn't take precautions.

Norton advises that you change your passwords on any website that contains sensitive information, after confirming that the site does not contain the Heartbleed vulnerability. If you've reused passwords on multiple sites, it's especially important to change them.

Use the tool at to check the website first.

As always, beware of phishing emails. Type website addresses directly in your browser instead of clicking on a link in an email.

Also monitor your bank and credit card accounts for unusual activity, which is always a good idea.

Note: Pete Newell has provided professional computer services for 35 years. He can be reached at (315) 376-8879 or through