Experts Discuss The Heartbleed OpenSSL Bug
"On the scale of 1 to 10, this is an 11," wrote security expert Bruce Schneier in a blog post this week. He was referring to Heartbleed, the devastating two-year-old bug that was only revealed Monday. Join Co.Design senior writer Mark Wilson for a live discussion with security expert Wayne Jackson and RedMonk analyst Donnie Berkholz about the implications of this vulnerability on Wednesday, April 9th at 3pm ET.

WHAT IS HEARTBLEED?
It's a bug in OpenSSL, the open-source cryptographic library that Google, Facebook, Yahoo, Amazon, and a very big chunk of the world's biggest websites use to secure the transmission of private information. The average user is probably unfamiliar with OpenSSL, but its work is what the little lock symbol next to HTTPS in your URL bar represents. The flaw (tracked as CVE-2014-0160) is not in the encryption itself but in OpenSSL's implementation of the TLS heartbeat extension: a malformed heartbeat request lets anyone read up to 64 KB of a vulnerable server's (or client's) memory per request, with no authentication and no entry in the server's logs. Repeated as often as the attacker likes, that amounts to a skeleton key to a hidden world of private data. They can waltz in, reach into a grab bag of secure information (emails, IMs, passwords, session cookies, even the server's private key), and walk away without a trace.
HOW WIDESPREAD IS IT?
According to Schneier, about half a million websites have been made vulnerable to attack. Although the exact extent of the damage is unclear, security experts say this is exactly the kind of easy-to-exploit vulnerability hackers have a field day with. "It affects two-thirds of the Internet's infrastructure," Wayne Jackson, security expert and CEO of Sonatype, tells Fast Company. "I don't think this is all that different from bugs that we see that get reported. It's just that this one is foundational."
HOW IS THE PRIVATE DATA GATHERED?
A TLS heartbeat is a keep-alive message: one side sends a small payload and states its length, and the other side echoes the payload back. Vulnerable OpenSSL versions trust the stated length without checking it against the number of bytes actually received, so a request that claims a 64 KB payload but carries only a few bytes is answered with those few bytes plus whatever sits next to them in the server's memory. What comes back is whatever happened to be there: sometimes something benign, like a timestamp; in the worst case the server's private key itself, which lets an attacker impersonate the site and, where forward-secret cipher suites were not in use, decrypt previously captured traffic. It's like a private-data piñata, and every heartbeat is another swing.
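The missing check described above, shown as an added, simplified simulation in C. This is example code written for this page, not OpenSSL's source: `heartbeat_reply` parses a heartbeat record the way the vulnerable code did, and the `fixed` flag adds the bounds check that the OpenSSL 1.0.1g patch introduced. The "process memory" (`mem`), the secret placed after the request, and the `SESSION-COOKIE-...` value are all constructed for the demonstration; the output-buffer cap is a simulation-only guard so the over-read stays inside our own array.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* RFC 6520: at least 16 bytes of padding follow the payload */

/*
 * Build a heartbeat response from one received heartbeat record.
 * rec/rec_len: the record as actually received. out/out_cap: response buffer.
 * Returns the response length, or 0 if the record is silently discarded.
 *
 * With fixed == 0 the length field inside the record is trusted (the
 * Heartbleed bug). With fixed == 1 it is checked against the real record
 * length, which is what the OpenSSL 1.0.1g fix added.
 */
static size_t heartbeat_reply(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap, int fixed)
{
    if (rec_len < 3 || rec[0] != TLS1_HB_REQUEST)
        return 0;

    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled */
    const uint8_t *pl = rec + 3;

    /* The missing check: claimed payload plus padding must fit in the record. */
    if (fixed && 1 + 2 + payload + HB_PADDING > rec_len)
        return 0;

    /* Simulation-only guard so the demo never writes past its own buffer;
       the real code allocated a response of exactly this size. */
    if (1 + 2 + payload + HB_PADDING > out_cap)
        return 0;

    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, pl, payload);   /* reads past the record when payload is a lie */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Constructed stand-in for process memory: a well-formed 4-byte "ping"
   request (23 bytes including padding) followed by data that must never
   leave the process. The secret value is made up for this example. */
#define MEM_SIZE 128
#define REQ_LEN  (1 + 2 + 4 + HB_PADDING)
static const char SECRET[] = "SESSION-COOKIE-0123456789";

static void build_memory(uint8_t *mem, uint16_t claimed_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, "ping", 4);                        /* the real 4-byte payload */
    memcpy(mem + REQ_LEN, SECRET, sizeof SECRET - 1);  /* adjacent memory */
}

/* Runs one heartbeat exchange. Returns 1 if the response contains the secret,
   0 if it does not or the record was discarded. claimed_len is capped so the
   simulated over-read stays inside mem[]. */
int heartbeat_leaks_secret(int fixed, uint16_t claimed_len)
{
    uint8_t mem[MEM_SIZE], resp[3 + MEM_SIZE + HB_PADDING];
    if (claimed_len > MEM_SIZE - 3)
        claimed_len = MEM_SIZE - 3;
    build_memory(mem, claimed_len);

    size_t n = heartbeat_reply(mem, REQ_LEN, resp, sizeof resp, fixed);
    if (n == 0)
        return 0;

    size_t slen = sizeof SECRET - 1;
    for (size_t i = 3; i + slen <= n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, claimed 64 -> leak=%d\n", heartbeat_leaks_secret(0, 64));
    printf("fixed,      claimed 64 -> leak=%d\n", heartbeat_leaks_secret(1, 64));
    printf("fixed,      claimed  4 -> leak=%d\n", heartbeat_leaks_secret(1, 4));
    return 0;
}
```

The honest request (claimed length 4) is answered correctly by both versions; the lying request (claimed length 64 with only 4 bytes sent) makes the unfixed path copy the secret into the reply, while the fixed path discards the record without answering, exactly as RFC 6520 requires. Nothing in the exchange is logged or rejected at the TLS layer, which is why the article's "without a trace" is accurate.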
-
Hello everyone! Thanks for joining us today. We'll be starting in just a few minutes.
-
One of the most important things that you can do is to keep a running inventory of the applications that you have and the components of which they are comprised (their 'bill of materials'). Having that, you will be able to much more quickly determine whether or not you are affected by a new disclosure and whether you should take any action in response.
-
Here's a FANTASTIC question from the audience that I believe was asked entirely in one breath:
-
That's an intriguing question. I could definitely envision a future where everyone's private information will be for sale, whether it's through that person directly or through the black hat who stole it and is selling it on an underground site. I don't see who would be motivated to open up everyone's private information without making a profit off of it, though.
-
In short, I doubt it (but only *doubt*). Though, I do think we need to take precautions that assume that it could happen. Apologies in advance for sounding like I'm a shill for Lifelock but I subscribe and have found it useful. I also avoid uninsured accounts and review all of my bank and credit card statements.
-
Alright, and we have one last question to take from the audience:
-
For one, I think we need to recognize that the way software is made has changed dramatically over the last few years. Modern applications are very modular, more assembled than written, and beyond keeping a record of what parts (like OpenSSL) have been used, we need to encourage developers to know the quality of the parts that they're using from the beginning. As I noted earlier, we see organizations using open source components with known, patched security defects with surprising frequency.
-
This exploit was a particularly difficult one to learn from, because it was so untraceable in action — even after the fact. One major area of improvement from my point of view was in the initial publication. It was pushed forward by 2 days, which resulted in quite a bit of confusion from vendors trying to coordinate updates. The fact that some 95% of the top 10,000 websites are secure within just a couple of days is actually quite impressive.
-
That's a great point, and it's time for us to wrap up. Thanks to you both for joining us for the chat today!