Experts Discuss The Heartbleed OpenSSL Bug

"On the scale of 1 to 10, this is an 11," wrote security expert Bruce Schneier in a blog post this week. He was referring to Heartbleed, the devastating two-year-old bug that was only revealed Monday. Join Co.Design senior writer Mark Wilson for a live discussion with security expert Wayne Jackson and RedMonk analyst Donnie Berkholz about the implications of this vulnerability on Wednesday, April 9th at 3pm ET.

The discussion will begin at 3pm ET on Wednesday, April 9th (scroll to the end of this page to submit your questions to the chat). Until then, be sure to read Fast Company writer Chris Gayomali's explainer on the Heartbleed OpenSSL bug. Here are the basics:

WHAT IS HEARTBLEED?
It's a bug in OpenSSL encryption, a software library that Google, Facebook, Yahoo, Amazon, and a very big chunk of world's biggest websites use to secure the transmission of private information. The average user is probably unfamiliar with OpenSSL, but it is represented in your URL bar by the little lock symbol, next to HTTPS. Essentially, the exploit gifts hackers and cybercriminals a skeleton key to a hidden world of private data. They can waltz in, reach into a grab bag of secure information (emails, IMs, passwords, etc.), and walk away without a trace.

HOW WIDESPREAD IS IT?
According to Schneier, about half a million websites have been made vulnerable to attack. Although the exact extent of the damage is unclear, security experts say this is exactly the kind of easy vulnerability hackers have a field day with. "It affects two-thirds of the Internet's infrastructure," Wayne Jackson, security expert and CEO of Sonatype tells Fast Company. "I don't think this is all that different from bugs that we see that get reported. It's just that this one is foundational."

HOW IS THE PRIVATE DATA GATHERED?
Heartbleed allows hackers to reach into the exchange of private computer memory handled by OpenSSL, allowing them to pull out information en masse. What gets pulled out is randomized: Sometimes you'll get something benign, like a timestamp. Worst case is they'll get something like the encryption key itself. It's like a private-data piñata.

3rd & 7 37yd

Hello everyone! Thanks for joining us today. We'll be starting in just a few minutes.

by Mark Wilson 4/9/2014 6:57:13 PM

Comment ()
Mark: Buy good insurance.

by summers 4/9/2014 7:50:34 PM

Comment ()
One of the most important things that you can do is to keep a running inventory of the applications that you have and the components of which they are comprised (their 'bill of materials'). Having that, you will be able to much more quickly determine whether or not you are affected by a new disclosure and whether you should take any action in response.

by Wayne Jackson edited by Mark Wilson 4/9/2014 7:52:08 PM

Comment ()
Here's a FANTASTIC question from the audience, that I believe was asked entirely in one breath:

by Mark Wilson 4/9/2014 7:53:15 PM

Comment ()
That's an intriguing question. I could definitely envision a future where everyone's private information will be for sale, whether it's through that person directly or through the black hat who stole it and is selling it on an underground site. I don't see who would be motivated to open up everyone's private information without making a profit off of it, though.

by Donnie Berkholz 4/9/2014 7:55:20 PM

Comment ()
In short, I doubt it (but only *doubt*). Though, I do think we need to take precautions that assume that it could happen. Apologies in advance for sounding like I'm a shill for Lifelock but I subscribe and have found it useful. I also avoid uninsured accounts and review all of my bank and credit card statements.

by Wayne Jackson edited by Mark Wilson 4/9/2014 7:56:43 PM

Comment ()
Alright, and we have one last question to take from the audience:

by Mark Wilson 4/9/2014 7:58:08 PM

Comment ()
For one, I think we need to recognize that the way software is made has changed dramatically over the last few years. Modern applications are very modular, more assembled than written, and beyond keeping a record of what parts (like OpenSSL) have been used, we need to encourage developers to know the quality of the parts that they're using from the beginning. As I noted earlier, we see organizations using open source components with known, patched security defects with surprising frequency.

by Wayne Jackson 4/9/2014 8:03:12 PM

Comment ()
This exploit was a particularly difficult one to learn from, because it was so untraceable in action — even after the fact. One major area of improvement from my point of view was in the initial publication. It was pushed forward by 2 days, which resulted in quite a bit of confusion from vendors trying to coordinate updates. The fact that some 95% of the top 10,000 websites are secure within just a couple of days is actually quite impressive.

by Donnie Berkholz 4/9/2014 8:04:36 PM

Comment ()
That's a great point, and it's time for us to wrap up. Thanks to you both for joining us for the chat today!

by Mark Wilson 4/9/2014 8:06:34 PM

Comment ()

Homepage

COVID-19

Co.Design

Tech

Work Life

News

Impact

Podcasts

Video

Recommender

Subscribe

Deloitte

Facebook

Grail

Honeywell

Lenovo

Visa

FastCo Works

Fast Government

Most Innovative Companies

Most Creative People

World Changing Ideas

Innovation By Design

Most Innovative Companies Summit