How Bloody Will Heartbleed Be?

Heartbleed servers

How Bloody Will Heartbleed Be?
| Published April 9, 2014 |

By Thursday Review staff

Tech experts and computer geeks are worried. Sure, they spend lots of time worrying, but these are the same folks who (at least according to the British TV sitcom The IT) answer their work phones with “have you tried turning it off and back on?”

Despite the big headlines in the mainstream press and media concerning Mini Y2K, that is, the end of Microsoft’s tech support for anyone using Windows XP (and that means 75% of the ATMs in North America, along with tens of thousands of computerized cash registers), the most ulcer-inducing problem this week may be found in an obscure gap which dates back two years.

A newly discovered vulnerability—a sort of crypto virus called Heartbleed—may give hackers an open door to download important data from servers linked to the internet. Heartbleed will affect nearly everyone and everything that uses OpenSSL, a highly popular data encryption tool, according to The vulnerability can grab data a few handfuls at a time (at a rate of about 64 kilobytes), slowly but surely stealing valuable data—including passwords and even encryption keys.

And unfortunately for many businesses and individuals, the problem has gone largely undetected for about two years. There are patches and solutions available to repair the problem—effectively closing that breach immediately—but some theorize that opportunistic hackers may have already exploited the vulnerability. That means if you fix the problem today there is no guarantee that someone did not steal important data last week.

Plenty of folks have said that the gap, which allows for parcels of data 64 k in size to be hauled out of servers, is too small to exploit in any grand way—as in the massive Target breach last fall which resulted in the theft of data for over 70 million credit card users. But ask any computer geek, and he or she will tell you just how easy it is to create a program, in minutes, which will repeatedly grab data, one mouthful at a time, until it has everything on your file server or storage machine.

Many companies are making adjustments and upgrades today, and thousands more plan to complete the process this week. But the problem is that the flaw has gone unnoticed. By the time you implement your own fix today, it could be too late.

Some analysts are suggesting there is no reason for panic (if we’re not panicking about Microsoft cutting loose Windows XP, why panic about this?), but those same experts quietly advise people to be cautious and careful with your online transactions for a few days. A few have even suggested limiting credit or debit card use until the dust settles. After all, the full impact of Heartbleed may not be felt in any serious way for months or years.

Conversely, a few tech gurus have quoted Sheriff Woody from Toy Story—this is the perfect time to panic. The vulnerability may affect the security of mountains of data collected by Yahoo, AOL, Amazon and other major internet players. More ominously for civil libertarians, the breach may give muscular agencies like the NSA an even bigger opportunity to harvest reams of encrypted data. Not that the NSA has the time to figure out what to do with all that personal information it has already collected.

A mutual friend of Thursday Review (one of our sources with a major internet firm) said that the real concern is not tech-savvy operations like Facebook, Pay Pal or Amazon, all of whom likely fixed the problem earlier this week or today. The problem is the non-tech savvy businesses, many of whom may be banks, credit unions, mortgage institutions, retailers and news services. For those, the vulnerability may have ripple effects for months, even years.

Related Thursday Review articles:

Will Your ATM Work After April 8?; Thursday Review; January 30, 2014.

Who Pays for the Target Breach?; R. Alan Clanton; Thursday Review; February 15, 2014.

Can You Protect Yourself From Credit Card Fraud?; R. Alan Clanton; Thursday Review; January 11, 2014.