Internet security: Heartbleed – why you only need to worry a bit

April 14, 2014

If you haven’t heard, the IT fraternity is panicking about a massive flaw in internet security software, called Heartbleed, which was discovered recently. The problem is serious, but not as bad as everyone is making out, according to Martin Keegan.

Internet firms announced arguably the most serious security problem the global network has seen, nicknamed Heartbleed: For the last two years, many users’ secure connections have not actually been secure at all.

But secure from what? Secure from whom? Is there a cat-stroking supervillain holding the moon to ransom while collecting our online banking passwords? Are the risks a bit closer to home, or is this all just marketing for some snake oil firewall software?

What has happened is that a widespread piece of software, OpenSSL, had a bug in it. OpenSSL provides the ability to make connections over the internet secure. Secure here means that no-one can read what is being communicated or change or delete it, and that there is some degree of certainty about the identity of the one person or computer on the other end of this connection.

This software is maintained by a small group of underfunded experts, but nevertheless is critical to the secure operation of almost every internet-connected server, desktop, laptop, and mobile device.

OpenSSL makes no money. It is given away to users for free, as are the blueprints. That allows the boffins to look under the hood to check it really works. They did check. It wasn’t working. What would happen if people couldn’t do these checks doesn’t bear thinking about.

Businesses across South Africa currently have little choice but to rely on the current community of internet standard-setting bodies, volunteer-run software projects, and security bug grapevines. These sorts of systems have many of the problems of the financial industry, such as a potential market in insider information and over-sold protection products.

The situation is improving by the day, as the Heartbleed chaos has motivated reform and better funding for OpenSSL. It has also led to some public recriminations between operating system vendors and the internet standards bodies that design these secure protocols (of which OpenSSL is just the most widespread implementation).

Some have gone as far as to insinuate that the protocols have been made deliberately insecure by people working for national security agencies, though the burly bloke in the sunglasses who’s just shown up in my office assures me that this is not the case.

For the last two years, it has been possible for (some) people to read passwords, online banking details, and private email messages sent over the internet, as though we had all been dictating confidential letters and then discovered they had been sent as postcards rather than in envelopes.

As yet, it hasn’t been proved that anyone has done so, but a lot more people now know that they can. In particular, it means it is much easier for a determined thief to impersonate you or your bank to each other online, take some of your cash, and leave you and the bank to fight it out in court.

What businesses need to do about this is upgrade the system software on all their computers, including mobile phones, and get their employees to change any passwords which matter. Unlike previous security bloomers, there’s no published list of passwords doing the rounds on the Net, so it is important, but not urgent, to shut this particular stable door.

Businesses need to manage the upgrades and password resets for all the computers and people affected, but they do that as a matter of course; the tradeoffs for delay are just a bit different this time.

These internet vulnerabilities transform the economics of online fraud: change your passwords to make the fraudsters pick on someone else. Heartbleed is perfectly serious, even if it has been somewhat overhyped. The necessary countermeasures are fairly straightforward, and hopefully they will increase awareness so more people can protect themselves.

Martin Keegan is a freelance software programmer who worked as Head of IT for various British software firms.
