Heartbleed Implications


Computer security has become very important nowadays. With various hackers and others who want to steal personal information, it’s natural to be cautious about how secure your information is. That is why, when the Heartbleed bug was discovered, people started to worry about their personal information being stolen. This incident was big enough to garner nationwide attention. In short, Heartbleed could allow attackers to pull small bits of information from affected servers over and over again, to the point where they would obtain important, and possibly personal, information. Furthermore, it is undetectable. In other words, not only could your information have been taken without your knowing, but there would be no trace of any kind of breach. We have seen security flaws in the past, but only a handful on the same scale as the Heartbleed incident. Normally, when a company detects a security flaw, it is able to release a patch to fix the problem and then continue its operations as normal. But the Heartbleed incident makes you wonder what other kinds of flaws could be lurking in the computer security world.

Heartbleed is the name of the security flaw discovered in OpenSSL, a widely used, open-source security protocol that gives a website’s server a layer of security, making it difficult for third parties, hackers and attackers to steal your important information. Basically, it is used to help protect your personal data, such as your social media accounts or websites that might contain personal information like your address and credit card details. However, with the existence of the Heartbleed bug, attackers would be able to run simple software to make affected servers “leak” data from memory. As it turns out, a couple of years ago a security flaw, unknown to most people, was programmed into OpenSSL, and it was then picked up by the websites that use OpenSSL. Overall, the flaw went undetected for these past two years. Since it is a legitimate threat, it is probably at this point that people would ask themselves whether they were affected and whether they should be changing their passwords.

Heartbleed was first discovered by Codenomicon, a Finnish company whose programmers are credited as the first to discover the bug. They discovered it while testing their Safeguard program, which helps them find vulnerabilities in target servers, which in this case were their own. When they discovered Heartbleed and attacked their own servers, they were surprised to find how easy it was to take personal data from the servers while leaving no trace of ever having touched them. Now, the question is, how did this go undetected for two years? Well, you can simply attribute that to the fact that the flaw was buried in the code. This could be a valid reason to a certain extent. Writing code can become confusing and complicated at some point, especially if the code becomes very large. You could run it multiple times, or read the code over and over again, before you find out why it does not do what you intend it to do. However, in this case, it can also be looked at from the standpoint that this mistake was made by a professional. Given that it went undetected for two years, it would not be surprising if people picked on that.

Given what Heartbleed has done, as well as what it still is, a common question that is probably running through many people’s minds is whether something like this might happen in the future. Computer security is widely used in various industries, all relying on it to make sure that important information is kept confidential. But you can imagine how labor-intensive it is to write the code that goes into OpenSSL. On top of that, the programming team consists entirely of volunteers. Putting both facts together, it simply means that they are a group of people who are building this project for free. The advantage of having something like this as an open-source project is that the many clients that use it might see something that the project’s programmers did not, at least in theory. But of course, you cannot expect your clients to have the same eye for programming as the actual programmers. Overall, let’s look at it like this: if something on the scale of Heartbleed happens again, one must wonder about people’s faith in modern security.

At this point, companies that have affected servers and websites are pushing out patches to fix their exposure to the Heartbleed bug. To help people find out which websites were affected, mashable.com compiled a list of websites that were affected by the Heartbleed bug, which was last updated on April 19, 2014. The list includes popular social media websites, such as Tumblr and Instagram, and big companies, such as Google and Yahoo. Other categories include commerce, financial, and government websites. In general, if a website was exposed to the Heartbleed bug, it is widely advised that users of that service change their passwords.

Overall, Heartbleed ended up triggering nationwide concern regarding computer technology and security. However, something interesting to note is that, under normal circumstances, the Heartbleed bug is considered to be an average security flaw. In fact, it seems that it would have been looked at as “minor” if it had been caught a couple of years ago, when the upgrade to OpenSSL was implemented. When you look at it more deeply, something like Heartbleed is not exactly a new concept to the computer security industry. To be more specific, past security exploits were possibly not in the form that Heartbleed takes, but security flaws are not exactly new to the security industry. For example, take the breach in Target’s security that happened in November and December of 2013, in which a total of approximately 110 million customers were affected by a security breach that saw their personal information, including debit and credit card information, stolen. The only difference is simply that this was limited to Target, while Heartbleed affected two-thirds of the websites that use OpenSSL. Overall, this seemed like a good wake-up call for the world. This is not to say that it was in any way a good thing, but it alerted us to the potential flaws in computer security. If you can look back at the Heartbleed incident as an experience, then maybe it could be the next step in shoring up other areas of computer security that need attention. But only time will tell if that can really be the case.
