On April 7, 2014 a software vulnerability was made public by the OpenSSL project, the organization responsible for maintaining the affected software. Along with the public notice, a patch was released that removed the vulnerability.
The vulnerability was given the name Heartbleed Bug. It is officially tracked as CVE-2014-0160.
Tsunamis are a potential aftermath of any earthquake. Internet users need to be aware of the potential tsunami of compromises that can follow from the Heartbleed Bug.
A vulnerability is a weakness or hole in security. The hole can be in hardware or in software. What matters is what can be reached through the hole.
A vulnerability can exist in one operating system (for example Windows XP) or across many: Apple Mac, Linux, Android and so on. A method that takes advantage of a vulnerability is called an exploit. A system whose vulnerability has been exploited is considered compromised.
A simple analogy is made using a wallet. Your wallet is vulnerable sitting on the kitchen table. If the front door is unlocked, the wallet vulnerability can be exploited. If an intruder opens the door and accesses the wallet taking credit card numbers, the wallet sitting on the kitchen table has been compromised. Removing the wallet from the kitchen table or locking the front door are ways to patch the wallet vulnerability.
Why should a user be concerned if the vulnerability has been fixed? The concern is the window of vulnerability: how long was it from the public notice until the vulnerability was patched?
Ideally a vulnerability would be patched before it is made public, which would make the window of vulnerability zero. That is not always possible.
An example is Revenue Canada. The agency estimates its window of vulnerability was six hours, and that in that time details on roughly 900 social insurance numbers were taken.
The Heartbleed Bug was a programming error, a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension, in the communication software responsible for protecting the privacy of user IDs, passwords and other private data exchanged between you and the website you are accessing. A secure website shows a lock icon in the browser, or an "s" after "http" in the address bar. A site using https protects the data from being read by third parties while it travels across the network. Heartbleed did not break that encryption; it let a remote party read chunks of the server's own memory, which could hold already-decrypted data, passwords and even the server's private key.
How technology works is of little concern to users as long as it works. Very few users can tell you whether the site they are using is secure. Sites that exchange information such as credit card details use some secure method to exchange data. If those sites were running the vulnerable software, they were at risk of compromise.
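To make the "missing bounds check" concrete, here is an added example that models the bug class described above; it is not OpenSSL's code. A heartbeat record carries a type byte, a two-byte claimed payload length, the payload and padding. The vulnerable handler copies as many bytes as the sender claims, reading past the end of what actually arrived; the hardened handler checks the claim against the real record length and silently discards bad records. The `memory` buffer, the secret string and the `demo` helper are constructed for the demonstration so that the over-read stays inside the program's own buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout per RFC 6520: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Constructed "process memory" for the demo: the received record, followed by
 * whatever else happened to be on the heap (here a constructed secret). */
#define MEM_SIZE 128
static unsigned char memory[MEM_SIZE];
static const char secret[] = "SECRET:session-cookie=abc123";

/* Places a request in `memory` that claims `claimed_len` payload bytes but
 * actually carries `real_len`. Returns the true record length. */
static size_t build_request(uint16_t claimed_len, const char *payload, size_t real_len) {
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, payload, real_len);
    size_t record_len = 3 + real_len + HB_PADDING;
    memcpy(memory + record_len, secret, sizeof secret);   /* adjacent heap data */
    return record_len;
}

/* Vulnerable handler (modeled on the bug class): the length comes from the
 * sender's record and is never compared with how many bytes actually arrived. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* the real length is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len > out_cap) return 0; /* guards only the demo's output buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);           /* over-read: copies bytes past the record */
    return 3 + payload_len;
}

/* Hardened handler: header + claimed payload + padding must fit in the bytes
 * actually received; otherwise the record is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    if ((size_t)3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Runs one request (4 real payload bytes, `claimed_len` claimed) through either handler.
 * Returns -1 if the record was discarded, 1 if the response leaked the secret, 0 otherwise. */
int demo(uint16_t claimed_len, int hardened) {
    unsigned char out[MEM_SIZE];
    if ((size_t)claimed_len + 3 > MEM_SIZE) return -1;  /* keep the demo's over-read inside `memory` */
    size_t rec_len = build_request(claimed_len, "ping", 4);
    size_t n = hardened ? heartbeat_fixed(memory, rec_len, out, sizeof out)
                        : heartbeat_vulnerable(memory, rec_len, out, sizeof out);
    if (n == 0) return -1;
    return contains(out, n, "SECRET:");
}

int main(void) {
    printf("vulnerable, claimed 64: %s\n", demo(64, 0) == 1 ? "secret leaked" : "no leak");
    printf("fixed,      claimed 64: %s\n", demo(64, 1) == -1 ? "discarded" : "answered");
    printf("fixed,      claimed 4:  %s\n", demo(4, 1) == 0 ? "answered, no leak" : "?");
    return 0;
}
```

In the real bug the over-read pulled up to 64 KB of whatever sat next to the record on the server's heap, and an attacker could repeat the request as often as they liked; the one-line length check in the hardened handler is the whole of the fix.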
The reasoning behind the belief that a tsunami is coming from the Heartbleed Bug is the widespread use of the vulnerable software and how few organizations have released details. To date, I have received no notices from my bank or any organization I did internet transactions with. I am concerned about the roughly 900 reported by Revenue Canada because I was using the CRA website during their reported window of vulnerability.
There is a mistaken belief that the vulnerability window is only the time from the public notice until the fix was installed. How long was the vulnerability in the wild before it was discovered and the public notice went out? In Heartbleed's case the vulnerable code shipped in OpenSSL 1.0.1 in March 2012, roughly two years before disclosure. What was the length of the vulnerability window on bank websites, financial institutions and sites that support credit purchases? Were any nefarious organizations exploiting the vulnerability before it was even known?
This now-patched secure communication software is ubiquitous, and it is not limited to personal computers; it is also built into servers and many network devices. Revenue Canada is being harangued in the media over its suggested poor management of the issue. The agency has been releasing details to the public.
Releasing information to help users protect themselves is a very good thing. Releasing information also opens the door to criticism.
What about other organizations that are using the software and haven’t said anything? I believe that is the possible tsunami yet to come.
We rely on secure software to keep personal data safe. If that software is breached, personal information is undoubtedly at risk.
As a victim of identity theft a few years ago, I can tell you the experience is like a bad game of snakes and ladders. The theft of my identity has never given me any ladders to get ahead in the game, but it sure has provided, and continues to provide snakes that I slide back on that would rival the Narcisse snake dens of Manitoba.