Magazine article Information Today

What Heartbleed Means for the Future of the Internet

Article excerpt

The World Wide Web in 2014 isn't exactly a house of cards, but it isn't Fort Knox, either. The exposure of OpenSSL's Heartbleed vulnerability in early April signaled a shift in our perceptions of internet security and stability. It prompts a different and more troubling conversation than other recent, high-profile breaches, such as Target's, have.

Target's hack, which put the financial and personal data of 110 million shoppers at risk, was a result of poor security and human error. Security journalist Brian Krebs, who first broke the Target hacking case, eventually concluded that a heating, ventilation, and air conditioning (HVAC) company in Pennsylvania employed by Target became infected with password-stealing malware. The hackers were able to leverage the pathways they gained through the HVAC company to Target's external billing system, which was then likely used to access Target's corporate network.

With proper vigilance, Target's hack might have been prevented. For example, security analysts suspect that the malware-laced email sent to the Pennsylvania HVAC company was part of a shotgun blast of phishing attacks on many potential victims, which could have been avoided in the first place with proper email scrutiny.

Similarly, the HVAC company was using a free edition of Malwarebytes Anti-Malware, which does not provide real-time protection against malware and can only detect threats when a human asks it to perform a scan, putting responsibility on a person who may not notice anything wrong at all. The hackers reportedly had access to the company's systems for 2 months before they began to steal data from Target, which suggests the data breach was not necessarily intended to attack the discount retail giant.

Although gaining access to the Target credit card data was by no means an easy feat for the hackers, it was one that was ultimately preventable at several steps during the process. Unless that same HVAC company had access to other similarly hackable billing systems, it's unlikely that its individual security flaws would lead to breaches of any more major companies. But while the Target hack was something that affected shoppers of only one giant company, the Heartbleed bug, and the vulnerability it presented, reveals a weakness in the shared infrastructure of the internet itself.

A Faulty Heart

To understand why the Heartbleed bug was worth the headlines it generated, it's important to appreciate what's at stake when OpenSSL is compromised. OpenSSL is an open source toolkit that applies the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and a cryptography library to secure exchanges of information on the web. "Essentially, think of the technology as that little lockbox up in the corner of your web browser when you're entering confidential information," says Jim Zemlin, executive director of the Linux Foundation. "You see that lockbox and you know that information you're sending over the internet is secure and encrypted."

OpenSSL, along with other protocols, is critical for the secure exchange of information for the websites that rely on it, which include facebook.com, google.com, yahoo.com, youtube.com, netflix.com, and healthcare.gov. Figures of affected websites are reported as high as 500,000-plus.

An implementation flaw made websites running OpenSSL versions 1.0.1 through 1.0.1f vulnerable to attacks by malicious actors, who could extract chunks of private memory. This led to the possible exposure of users' personal data. Exploiting the flaw in OpenSSL, hackers were able to get more out of a heartbeat (a check to make sure the connection is still open) than they should have been able to: up to 64K of memory content from the client or server. An individual heartbeat with that 64K of memory returned could contain nothing, but repeated heartbeats might yield unencrypted network traffic.
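The bounds check the paragraph describes, as an added example that is not from the article or from OpenSSL itself: a simplified heartbeat handler in its vulnerable and corrected forms. The record layout is reduced to type, length, payload and padding, and the "memory" array and the secret string after the record are constructed stand-ins for real process memory.

```c
/* Added example, not from the article: a simplified TLS heartbeat handler with
 * the missing bounds check behind Heartbleed and the corrected check. "memory"
 * is a constructed stand-in for process memory so the over-read stays in-bounds. */
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 256
#define PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */
static unsigned char memory[MEM_SIZE];   /* constructed process memory */
static unsigned char reply[MEM_SIZE];    /* heartbeat response payload */
static size_t reply_len;

/* Build a request at memory[0]: type(1) | length(2) | payload | padding.
 * claimed_len is the sender's length field, actual_len the bytes really sent;
 * unrelated data is placed right after the record. Returns the true record length. */
static size_t build_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    memset(memory, 0, MEM_SIZE);
    memory[0] = 1;                                  /* TLS1_HB_REQUEST */
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&memory[3], payload, actual_len);
    size_t record_len = 3 + actual_len + PADDING;
    memcpy(&memory[record_len], "session-cookie=constructed-secret", 34);
    return record_len;
}

/* Vulnerable handler: trusts the length field and never compares it with
 * record_len, so it echoes whatever sits in memory past the real payload. */
static int heartbeat_vulnerable(size_t record_len) {
    (void)record_len;                               /* the bug: never checked */
    size_t n = (size_t)((memory[1] << 8) | memory[2]);
    if (n > (size_t)(MEM_SIZE - 3)) n = MEM_SIZE - 3; /* demo guard only */
    memcpy(reply, &memory[3], n);
    reply_len = n;
    return 0;
}

/* Fixed handler, following the check added in OpenSSL 1.0.1g: header, claimed
 * payload and padding must all fit inside the record actually received. */
static int heartbeat_fixed(size_t record_len) {
    size_t n = (size_t)((memory[1] << 8) | memory[2]);
    if (1 + 2 + n + PADDING > record_len) {
        reply_len = 0;
        return -1;                                  /* discard silently */
    }
    memcpy(reply, &memory[3], n);
    reply_len = n;
    return 0;
}
```

A request claiming a 60-byte payload while sending 5 bytes makes the vulnerable handler return 60 bytes, including the constructed secret that follows the record; the fixed handler discards the same request and only answers when the claimed length fits.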

Heartbleed and You

So far, only one person has been publicly identified and charged with a Heartbleed-related crime--a 19-year-old computer science student attempting to steal data from the Canada Revenue Agency (CRA)--but security analysts and white hat computer hackers have proven the exploit's danger by obtaining protected information themselves. …
