'Heartbleed' bug exposes age of vulnerability
It’s easy to fly through our connected days with a false sense of assurance of how secure our data is.
We pay with a debit card here, slide a credit card through there, fill in a web form or two while processing email — all with blind faith that the information will flow through the conduits of the cloud in the way it’s intended.
If we think much about it at all, it might be a fleeting thought that the creators of our data-handling systems are so concerned about security that they will certainly work to make their systems as locked down as they need to be. And after all, we practice safe computing, we have virus-protection software on our laptops and the reassuring little secure-lock symbol pops up in our browsers when we hit financial-transaction sites, so we’re safe. Right?
It turns out the answer might be no.
Every now and then we get a little splash of cold water in the face just to remind us how vulnerable we are. If the Target credit card security breach of late last year rattled you, the latest security vulnerability to roll into the news may make you downright paranoid.
The new vulnerability, officially tracked as CVE-2014-0160 and nicknamed “Heartbleed,” is well documented by the well-known security firm Codenomicon at heartbleed.com and exemplifies a new scale of risk.
The recently discovered flaw resides in an open source encryption technology used by many sites that support HTTPS secure website access (those that show a tiny lock symbol in the browser), according to reports.
Some of the mega sites out there might have avoided this vulnerability by using very specialized security practices. Still, there is a great irony to the vulnerability: it resides in some of the most current encryption technology. As the Heartbleed site said, “More progressive services . . . who have upgraded to the latest and best encryption software will be affected the most.”
The really bad news: up to two-thirds of all sites on the web might use the flawed technology, and it leaves you wide open. Based on early reports, Microsoft and Google did not have the vulnerability, while Yahoo! did. Yahoo! said it has since addressed the vulnerability.
The vulnerability allows anyone on the Internet with the right know-how to read the memory of the website supporting your session, including the encryption key it uses. With that capability, ill-intentioned exploiters can grab your data, eavesdrop on you and digitally impersonate you. Basically, almost everything you’ve been doing might have been at risk.
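To make the memory disclosure concrete, here is an added example in C (not code from the column or from OpenSSL): a toy heartbeat handler that trusts the sender's declared payload length, beside one that first checks that length against the bytes actually received, which is the shape of the published fix. The record layout, buffer sizes and sample data are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of a TLS heartbeat record (an assumption here, not OpenSSL's
 * parser): 1-byte type, 2-byte declared payload length, payload, padding. */
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
/* Vulnerable pattern: trusts the sender's declared length and copies that
 * many bytes, so a short record reads past its end into adjacent memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);       /* over-read happens here */
    return 3 + payload_len;
}
/* Hardened pattern: the declared length must fit inside the bytes actually
 * received (plus padding) before anything is copied; otherwise drop it. */
size_t heartbeat_hardened(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len + HB_MIN_PADDING > rec_len) return 0;
    if ((size_t)3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}
/* Constructed input: a 5-byte record claiming 8 payload bytes but carrying
 * only "hi", followed in the same buffer by data that must never leave. */
static const unsigned char arena[] = { 1, 0x00, 0x08, 'h', 'i',
                                       'S', 'E', 'C', 'R', 'E', 'T', '!' };
/* A well-formed record: 2 declared bytes, "hi", then 16 zero padding bytes. */
static const unsigned char good_rec[21] = { 1, 0x00, 0x02, 'h', 'i' };
/* Response length from either handler; 0 means the record was rejected. */
size_t response_len(int hardened, const unsigned char *rec, size_t rec_len) {
    unsigned char out[64];
    return hardened ? heartbeat_hardened(rec, rec_len, out, sizeof out)
                    : heartbeat_vulnerable(rec, rec_len, out, sizeof out);
}
/* 1 if the vulnerable handler's reply to `arena` carries the word SECRET. */
int vulnerable_leaks_secret(void) {
    unsigned char out[64];
    size_t n = heartbeat_vulnerable(arena, 5, out, sizeof out);
    return n == 11 && memcmp(out + 5, "SECRET", 6) == 0;
}
```

The vulnerable handler answers the 5-byte record with 11 bytes, six of which come from memory beyond the record; the hardened one refuses it and still answers a well-formed record normally.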
Battling the bug
A fix has been made to the encryption code and is now available for sites to integrate. By the time you read this, it’s likely that the majority of the vigilant sites in the world will have already taken steps to incorporate the correction and avoid the problem in the future.
However, the issue can also impact network appliances and client-side software that use the OpenSSL library's implementation of Transport Layer Security (TLS). In other words, the flaw extends beyond just the sites, so it’s more complex to fully address than many vulnerabilities, and plugging the hole everywhere will take some time.
As an end user of websites with this vulnerability, you are largely dependent on your site administrators to take steps to address it. Steps you can take on your own that may help include changing your passwords, cleaning out session cookies and clearing any session and encryption keys.
The broader lesson we can all draw from Heartbleed is that we can't take security for granted. Use safe-computing practices and good anti-virus software, and work to have at least a base-level understanding of issues such as encryption. Use well-known, reputable sites and services on the web. If you control hiring decisions for your business, make sure your organization hires very good system administrators.
All of these increase your odds of staying safe. On top of all that, in this era, it doesn't hurt to keep your fingers crossed.