22 April 2014

Heartbleed overblown

The Heartbleed bug has to be taken more seriously than the Y2K bug since it is a security vulnerability; however, like the Y2K bug, IT journalists are creating unnecessary panic and may even be assisting hackers by giving this software flaw undue media attention.

Security vulnerabilities are being discovered and fixed all the time — just browse the history of installed updates in Windows Update. Rather than just issuing an immediate patch, as is typically done with such vulnerabilities, this vulnerability was advertised with the unhelpful advice that users should either (a) change all their passwords, which will be exposed in instances where a patch for the Heartbleed bug is yet to be deployed on the server the new password is sent to; or (b) farcically, change their password for certain servers but leave it unchanged for others — hard and fast rules that shouldn’t be blindly followed.

The severity of a vulnerability cannot be measured by its pervasiveness and theoretical potential for exploitation by malicious Internet users alone. What matters is the material cost to users and businesses as a consequence of data theft, which, on the available evidence, was zero for Heartbleed (before it received publicity, that is).

Heartbleed is a significant security issue that IT personnel must act on, but the response should include thoughtfully balanced advice about the broad range of risks that exist and the measures that should be taken to mitigate them.

Hackers continually exploit software security flaws to steal military and industrial secrets, but government agencies and corporations tend to avoid informing the public when these security breaches occur. Those with the most nefarious intentions will seek to achieve their financial, military and political goals using the most efficient means possible. A system will always have a number of vulnerabilities in the form of programming errors and users who are naive or complacent about IT security, and hackers will use the avenue that yields the most results with the least amount of effort. Heartbleed has been around for a couple of years, during which time hackers stole sensitive information on millions of people using other approaches that were more conducive to data theft on an industrial scale.

Two-step verification, which has become standard for performing online transactions and can be enabled on many of the most popular websites such as Gmail, isn’t getting mentioned because commentators are too busy trying to convince Internet users that Heartbleed is an unprecedented security disaster.