Heartbleed: Good News, Bad News

Heartbleed Server

Heartbleed: Good News, Bad News
| Published Friday, April 11, 2014 |

By R. Alan Clanton
Thursday Review editor

The good news: the computer vulnerability known as Heartbleed has a really cool, and original, logo. How many viruses, bugs, Trojans or malware devices have that?

The bad news: we’d better get used to that snappy logo, because hundreds—maybe thousands—of computer and security experts now think Heartbleed could get much worse.

Originally thought only days ago to affect primarily data sent between you (using your computer or smartphone) and the file servers you do business with at banks, credit unions, online services and email platforms, Heartbleed may also place individual smartphones, laptops, computers and email accounts at risk. Smart hackers could (and many analysts stress the word could) use the security gap to steal almost anything they want, bypassing even the best firewalls and security systems to do it.

Heartbleed, we learned this week, is a vulnerability affecting conversations and handshakes (sometimes referred to by computer geeks as “heartbeats”) between individual computers and any system using something called OpenSSL. OpenSSL is a highly popular code used in thousands of places, and among other skills, was designed to maintain a secure conversation between Point A (you) and Point B (the server your computer is chatting with). Heartbleed exploits a small defect in that code, allowing a third party (the hacker) to pretend to be you. Mainstream media reports on the bug began a couple days ago, and most computer and malware experts said the prudent thing average Janes and Joes should do is change their critical passwords—a logical and reasonable step to take periodically anyway.

In fact, most security wonks say everyone, everywhere, should get into the habit of occasionally changing passwords and PINs on a regular basis, and many businesses have IT personnel whose jobs include making sure those changes get made each quarter or each month, whether employees like it or not.

But Heartbleed, like the vulnerability that allowed a Russian teenager to design a back-door approach to entering retail giant Target’s credit card and debit card system, has gone largely unnoticed for nearly two years. Though Heartbleed makes grabbing information slow (it apparently allows for the theft of data in only 64k packets), savvy hackers may have already used the bug to steal buckets of data simply by writing code that repeats that 64k shoplift over and over again. Once downloaded, it would then simply be a matter of time before something critical could be culled from that bucket of information.

Once the news broke this week, hundreds of major companies, especially tech-savvy firms, immediately implemented fixes. Downloads were available which included a patch to correct the problem. Most online heavyweights—AOL, Yahoo, Amazon, Verizon—informed their users and their customers that they were working speedily to resolve the vulnerability and close the gap. Many customers were advised to immediately change passwords, and even, in some cases, usernames and security question responses.

Some security analysts worried not so much about the major players like Amazon, Google, Microsoft or Yahoo, but the thousands of smaller and midsized companies that lack a proactive computer or IT team, or who may farm out such functions to a vendor less accountable than their own staff. Banks, credit unions, individual investment offices, mortgage lenders, even doctors and dentists, may have reams of digital data at risk—in many cases information which includes social security numbers, addresses, direct deposit information, bank account numbers, phone numbers. Collected even in relatively small packets, such information could easily be used for widespread identity theft and fraud.

Because Heartbleed allows intruders to enter and leave without any evidence of a hacker being present, the fear is that data could have been stolen up to two years ago. Who Is, a major domain name provider and web host service, said in an email “the Heartbleed bug makes it practically impossible to detect history of abuse, but to be on the safer side, we strongly recommend that you change your customer account passwords.”

But now we learn that some of those patches used to correct the problem as early as Monday night but have been insufficient to fully close the gap. Further, OpenSSL is in fact found in many more places than originally estimated by experts early in the week. Many of those same big companies may still be at risk, and may still be placing their users and customers at greater risk, even after passwords have been changed.

Thursday Review emailed a contact with a computer and data storage company in Tampa, and that IT insider—who asked us not to identify her by name for the purposes of this article—said that Heartbleed is much worse than the public realizes. She suggested that this misinformation is not so much the result of conspiracy or deliberately misleading news reports, but more the result of many companies and computer firms being unclear on what steps to take to effectively close the gap. “Right now there is no magic fix,” she said in her message, “and like everyone else we are waiting for Intel or Norton to tell us what to do next.”

Thursday Review received emails yesterday from several of our own web hosting and domain name providers, assuring us that there tech people were working feverishly to resolve the problems. All three of the companies we work with use OpenSSL, and at least two announced major overhauls of security systems over the weekend.

And to make matter worse still, some security experts are telling us today that the bug can also affect other applications beyond OpenSSL, originally thought to be the only process directly vulnerable to covert entry. Also affected are browser tools OpenVPN and Tor, as well as several applications which are commonly used on Samsung’s popular Android phones.

Our contact at Google, who prefers his anonymity for the purposes of this article, suggests that internet users and smartphone users simply refrain from major activity for a few days—limiting online banking and other web transactions—or at least until all of the major fixes and patches have been confirmed by McAfee, Norton and Intel.

Related Thursday Review articles:

How Bloody Will Heartbleed Be?; Thursday Review staff; Thursday Review; April 9, 2014.

Can You Protect Yourself From Credit Card Fraud?; Thursday Review; January 11, 2014.