Some Quick Notes on Heartbleed


I’ve been receiving a bunch of questions on this, so let me try and summarize things a bit…

What you need to know:

Any website running OpenSSL (versions 1.0.1 through 1.0.1f) is at risk. OpenSSL is the software that creates a secure, encrypted session with a given webserver (for example, online shopping or banking). OpenSSL is said to be running on 66% of all Internet servers.

The simple gist of the vulnerability: it allows an attacker to send a message to a webserver and receive back a portion of the memory being used to run the server. That memory could contain usernames, passwords, encryption keys, etc. Repeated many times, this can gather a great deal of sensitive information for evil purposes.

The term heartbleed was coined because the message being sent is a heartbeat (keep-alive) packet, which lets a secure connection stay open; the bug makes that heartbeat bleed out vital information from the server.
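To make the mechanism concrete, here is an added toy model (not code from the original post, and not OpenSSL's own code) that works purely on constructed byte strings with no network or TLS involved. A heartbeat record is `type | payload_length | payload | padding`. The unchecked handler trusts the peer-supplied `payload_length` and copies that many bytes, so a length larger than the record reaches into whatever sits next in memory (simulated here by a constructed string). The checked handler applies the same bounds test that the OpenSSL 1.0.1g fix added: header plus declared payload plus the 16-byte minimum padding must fit inside the received record, otherwise the message is silently discarded as RFC 6520 requires.

```python
"""Toy model of the TLS Heartbeat length bug (CVE-2014-0160) and its fix.
Everything here operates on constructed byte strings; nothing touches a network."""

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat carries at least 16 bytes of padding

# Constructed stand-in for whatever happened to sit in server memory right after
# the buffer holding the received record. Purely illustrative sample data.
SIMULATED_ADJACENT_MEMORY = b"<unrelated server memory: session=abc123 user=alice>"


def encode_heartbeat(payload, claimed_length=None, padding=MIN_PADDING):
    """type(1) | payload_length(2, big-endian) | payload | padding.
    claimed_length lets a test vector declare a length that does not match the
    payload actually sent, which is the malformed case the fix must reject."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + length.to_bytes(2, "big") + payload + b"\x00" * padding


def handle_heartbeat_unchecked(record):
    """Pre-1.0.1g behaviour: trusts the peer-supplied length and copies that
    many bytes starting at the payload, running past the record if asked to."""
    payload_len = int.from_bytes(record[1:3], "big")
    # Model the process address space as the record followed by adjacent memory.
    address_space = record + SIMULATED_ADJACENT_MEMORY
    echoed = address_space[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + payload_len.to_bytes(2, "big") + echoed + b"\x00" * MIN_PADDING


def handle_heartbeat_checked(record):
    """1.0.1g behaviour: header, declared payload and minimum padding must all
    fit inside the received record; otherwise discard silently (return None)."""
    if 1 + 2 + MIN_PADDING > len(record):
        return None
    payload_len = int.from_bytes(record[1:3], "big")
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None
    echoed = record[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + payload_len.to_bytes(2, "big") + echoed + b"\x00" * MIN_PADDING


def echoed_payload(response):
    """Extract the payload bytes from a heartbeat response."""
    n = int.from_bytes(response[1:3], "big")
    return response[3:3 + n]


if __name__ == "__main__":
    well_formed = encode_heartbeat(b"ping")
    malformed = encode_heartbeat(b"ping", claimed_length=64)  # claims far more than it sends
    print("unchecked, well-formed:", echoed_payload(handle_heartbeat_unchecked(well_formed)))
    print("unchecked, malformed:  ", echoed_payload(handle_heartbeat_unchecked(malformed)))
    print("checked, malformed:    ", handle_heartbeat_checked(malformed))
```

The point to take away is the second length comparison: the record length comes from the TLS layer and is trustworthy, while the payload length inside the record comes from the peer and is not, so the latter must be validated against the former before any copy happens.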

Action needed:

• Upgrade any old OpenSSL installations in your environment (https://www.openssl.org/). For example: servers, firewalls, VPN concentrators, pretty much anything that uses a secure web connection with OpenSSL.

• Even if you are not contacted directly and told to do so, consider changing your password on sites that have been affected by the vulnerability. There are links below to help figure that out.

• Ignore attempts by phishers or other scam artists to get you to reset passwords or patch systems.
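As an added aid for the upgrade step (example code written for this note, not a tool from the post or from the OpenSSL project), the script below classifies an OpenSSL version string against the range given above, 1.0.1 up to and including 1.0.1f, and applies that to both the OpenSSL the running Python was built against and the system `openssl version` output. The helper names are my own.

```python
import re
import ssl
import subprocess

# Range this note describes as at risk: OpenSSL 1.0.1 through 1.0.1f inclusive.
VULN_PREFIX = (1, 0, 1)
LAST_VULN_LETTER = "f"

# Matches "1.0.1e" inside strings like "OpenSSL 1.0.1e 11 Feb 2013" or "1.0.1e-fips".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from a version string, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_heartbleed_version(text):
    """True if the version falls in 1.0.1 .. 1.0.1f, False if outside that range,
    None if no version could be parsed (treat None as 'investigate')."""
    v = parse_openssl_version(text)
    if v is None:
        return None
    major, minor, fix, letter = v
    if (major, minor, fix) != VULN_PREFIX:
        return False
    # '' covers plain 1.0.1; letters a..f sort at or before 'f'.
    return letter <= LAST_VULN_LETTER


def check_running_python():
    """Classify the OpenSSL library this Python interpreter links against."""
    return is_heartbleed_version(ssl.OPENSSL_VERSION)


def check_system_openssl():
    """Classify the OpenSSL CLI on PATH; None if it is missing or fails."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_heartbleed_version(out)


if __name__ == "__main__":
    print("python's OpenSSL:", ssl.OPENSSL_VERSION, "->", check_running_python())
    print("system openssl  :", check_system_openssl())
```

One caveat a practitioner should keep in mind: some Linux distributions backport the fix into a package without changing the reported version string, so a version-only check can report a patched system as still at risk. Confirm with the distribution's package changelog or security advisory, or with one of the online checkers linked below, before concluding a host is unpatched.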

Useful links:

The site dedicated to the entire issue: http://heartbleed.com/

For a technical explanation, watch this video: http://vimeo.com/91425662

The actual MITRE listing is here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Here is a list of sites that could be affected: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link

Here are a few tools to determine if a site has the heartbleed bug:
https://lastpass.com/heartbleed/
http://heartbleed.criticalwatch.com/
https://www.ssllabs.com/ssltest/

I hope this helps!
