Information security is a constant game of catch-up. We get new technology capabilities, the bad guys find new vulnerabilities. They devise new forms of malicious assault, we come up with new defensive strategies. And so it goes. We know it, they know it, everyone knows it.
Why, then, is the bug known as Heartbleed getting so much attention?
Sure, no one disputes that it’s at least potentially a very big deal. But one week into the discovery, Google turns up more than 530 million hits on the subject. The Electronic Frontier Foundation, among others, has labeled it “catastrophic,” and some have gone so far as to describe it as the worst vulnerability to be identified since commercial traffic began on the Internet. Is it really that bad?
Hype aside, here’s what we do know. Over the years, the open source community (basically, thousands of developers not beholden to any corporation in particular) has worked together to create much of the software many of us use today. One such program that most people with a life actually know nothing about is OpenSSL, which is very important, since it provides a means for security on web servers all over the world. With this technology, sites can offer encrypted connections to visitors, ensuring that the data can’t be seen by anyone else while it travels between the user’s device and a particular site.
Heartbleed, the big bad bug in the room (tracked as CVE-2014-0160), takes advantage of a feature within OpenSSL known as heartbeat: a keep-alive message in which one side sends a small payload and the other side echoes it back. Because of a missing bounds check, a vulnerable server trusts the payload length the sender claims rather than the length actually sent, and answers with up to 64 kilobytes of whatever happens to sit next to the request in its memory. That can include the server’s private key (the secret that makes its certificate worth anything), session cookies, and users’ passwords in the clear, with nothing on the server to show it happened. The bug was present but quiet for roughly two years, from OpenSSL 1.0.1 in 2012 until the fixed 1.0.1g release in April 2014, during which time it potentially undermined the security of a range of environments, from search engine and social networking services to Android devices.
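To make the mechanism concrete, here is an added example (not code from this article and not OpenSSL’s own source) that models the TLS heartbeat record of RFC 6520 in pure Python: a one-byte type, a two-byte big-endian payload length, the payload, and at least 16 bytes of padding. The “server memory” and the cookie and password inside it are constructed stand-ins for what sits beside the request on a real server’s heap. The vulnerable handler copies as many bytes as the sender claims; the fixed handler applies the same length check that the 1.0.1g patch added before copying anything.

```python
"""Simulated OpenSSL heartbeat handling: the Heartbleed bug beside its fix."""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for the bytes that happen to follow the heartbeat
# record in a server's memory: a session cookie and a user's password.
ADJACENT_MEMORY = (
    b"\x00" * 8
    + b"Cookie: session=9f2c1a...; "
    + b"password=hunter2&"
    + b"\x00" * 40
)


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request. An honest client passes
    claimed_length == len(payload); an attacker claims far more."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
    return header + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(record: bytes, memory_after_record: bytes) -> bytes:
    """Pre-1.0.1g behaviour: copy `claimed_length` bytes starting at the
    payload, trusting the sender's length field. The copy runs off the end
    of the record into whatever memory follows it."""
    hb_type, claimed_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    # What the unchecked memcpy actually reads from: the record, then the
    # bytes that happen to sit after it.
    heap = record + memory_after_record
    echoed = heap[3:3 + claimed_length]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_length)
    return header + echoed + b"\x00" * MIN_PADDING


def fixed_handler(record: bytes, memory_after_record: bytes) -> Optional[bytes]:
    """1.0.1g behaviour: check the declared length against the record that
    was actually received before copying. Mirrors the patch's test
    `1 + 2 + payload + 16 > record length`; a bad record is dropped silently."""
    if len(record) < 3:
        return None
    hb_type, claimed_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed_length + MIN_PADDING > len(record):
        return None  # claimed payload does not fit: discard, reply with nothing
    payload = record[3:3 + claimed_length]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_length)
    return header + payload + b"\x00" * MIN_PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything in the response payload beyond what the client sent."""
    _, length = struct.unpack("!BH", response[:3])
    payload = response[3:3 + length]
    return payload[len(sent_payload):]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping", 4)
    malicious = build_heartbeat(b"ping", 0xFFFF)  # claims 64 KB, sends 4 bytes

    leak = leaked_bytes(vulnerable_handler(malicious, ADJACENT_MEMORY), b"ping")
    print("vulnerable server leaked:", leak.strip(b"\x00"))
    print("fixed server reply to malicious request:",
          fixed_handler(malicious, ADJACENT_MEMORY))
    print("fixed server reply to honest request:",
          fixed_handler(honest, ADJACENT_MEMORY)[3:7])
```

The point to notice is that the fixed handler never touches memory beyond the record it was given, and that the malicious request is indistinguishable from an honest one at the transport layer: nothing in this exchange would show up in a web server’s access log.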
After that the details get more technical and, sadly, far more murky. On the one hand, we’re being told that despite considerable scrambling on the part of security specialists at companies everywhere, the potential for major damage is very real. It potentially affects hundreds of thousands of Web sites, from Google and Yahoo to Twitter and Dropbox, along with hundreds of millions of users. By that measure, the level of effort needed to truly fix the problem is nothing short of monumental: an affected site has to install the patched OpenSSL, generate a new private key, obtain a new certificate, revoke the old one, and expire existing sessions, not simply apply the patch. On the other hand, it’s far from clear just how many sites or users have actually been affected. Public challenges issued by security companies to steal a server’s private key using the vulnerability (basically crowdsourcing digital theft) initially came up short, though at least one was solved within a day, which shows the worst case is practical rather than theoretical. There is a further complication: a heartbeat request is ordinary TLS traffic and is not logged by default, so a site can rarely prove it was not attacked, and the absence of evidence is not evidence of safety. On the third hand, of course, we just don’t know.
One thing is certain: The old adage about regularly changing passwords, and not using the same one for multiple functions and services, applies now more than ever. The buzz over this recent episode has apparently prompted many users to rapidly change their passwords for all the online services and devices they use, and that’s good, with one caveat: a new password sent to a server that has not yet been patched can be leaked just as easily as the old one, so the change is worth making only once the site has confirmed it has updated OpenSSL and replaced its certificate. But it would be even better if changing passwords became a habit rather than a reaction to much-publicized fears.
There’s a larger question here as well. The ubiquity of technology in every aspect of daily life, from social media to mobile banking apps, has perhaps dulled consumer sensitivity to the issue of information security. And that’s definitely not good.
Making technology capabilities ever more user-friendly carries with it a potentially steep price tag; the easier a service is for everyone to use, the easier it might be for the bad guys to hack. On a related note, many of the more common services, from email to mobile apps, are free. That carries with it fewer guarantees of rock-solid security.
Many financial technology vendors are already stepping into the breach to implement fixes for the Heartbleed bug. For their part, numerous commercial banks and other financial services institutions are raising awareness of the threat and running tests to ensure that their communities are not left unprotected.
But somewhere in this environment, consumers have a critical role to play too. Regularly changing passwords is a good start. As digital currency in all forms becomes more embedded in the mainstream, it would be wise to be more aware of security threats and more proactive in taking security precautions.