17% of all
Internet services, and a larger percentage of networking products, have had their
security compromised by a bug in the implementation of encrypted
channels, making it possible for attackers to unearth user passwords or read
encrypted communications (both current and stored).
From the
published list of affected websites on The
Heartbleed Hit List, it appears that the bug affects a wide range
of services commonly used by cybercitizens. Mail, social networks, home networks and financial
sites were all exposed to potential malicious activity ranging from spying
to crime. As vulnerable software versions were in use for over two years, the
exact impact of its malicious exploitation will never be known.
The obvious
assessment is that it was found early by government agencies who kept its discovery
a closely guarded secret, using it to decode encrypted channels set up to
ensure privacy and safety: to read messages, find passwords and so on. Such
flaws are typically detected using a type of test tool commonly used by
governments and specialized labs. It is therefore no surprise that the flaw was
uncovered by Codenomicon, a security testing tool vendor. If this were true,
the most obvious targets would be political opponents, dissidents, journalists,
and others in whom governments have a vested interest.
Had cybercriminals
discovered the bug early, they would have used it to steal the private
keys of large Internet service providers, effectively enabling them to fool
cybercitizens into thinking that they were communicating with a legitimate
service rather than a spoofed site. In such a scenario, cybercitizens may have
willingly parted with their credentials and, as a consequence, incurred a
monetary loss.
The bug also
allowed attackers to download a random small portion of the server's memory,
leaking user credentials. I personally think that such random attacks, amounting
to finding a needle in a haystack, would not be profitable. Rather, it would have
been very rewarding to sell such an exploit on the underground market to one or
many governments.
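The "small portion of memory" leak described above comes from a missing bounds check: the heartbeat request carries a length field, and the vulnerable code copied that many bytes back to the peer without checking whether that many bytes had actually been received. The toy handler below is an added illustration of that bug class, written for this page; it is not OpenSSL's code. It simulates a heap region as a single byte array (so the over-read stays within defined behaviour), places a constructed leftover password behind a short heartbeat record, and shows that the vulnerable handler returns the password while the hardened handler, which compares the declared length against the bytes actually received, drops the record. All names, the record layout and the sample data are constructed for the example.

```c
/* Toy model of the Heartbleed bug class: a handler that trusts a length
 * field instead of checking it against the bytes actually received.
 * Constructed example; not OpenSSL's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated heap region: the received heartbeat record sits in front of
 * unrelated data (here a password that some earlier request left behind). */
#define REGION_SIZE 64
static uint8_t region[REGION_SIZE];

/* Record layout used by this toy: [len_hi][len_lo][payload...] */
#define HDR_LEN 2

static size_t declared_len(const uint8_t *rec) {
    return ((size_t)rec[0] << 8) | rec[1];
}

/* Vulnerable handler: echoes 'declared' bytes of payload back to the peer
 * and never asks whether that many bytes arrived on the wire. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t received,
                            uint8_t *out, size_t out_cap) {
    (void)received;                       /* this is the missing check */
    size_t n = declared_len(rec);
    if (n > out_cap) n = out_cap;         /* only the output is bounded */
    memcpy(out, rec + HDR_LEN, n);        /* reads past the record */
    return n;
}

/* Hardened handler: reject the record if the declared payload length
 * exceeds what was actually received (the shape of the real fix). */
size_t heartbeat_fixed(const uint8_t *rec, size_t received,
                       uint8_t *out, size_t out_cap) {
    if (received < HDR_LEN) return 0;
    size_t n = declared_len(rec);
    if (n > received - HDR_LEN) return 0; /* drop silently, send nothing */
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* Constructed scenario: a 3-byte heartbeat that claims a 40-byte payload,
 * with leftover secret data 16 bytes into the region. */
void setup_region(void) {
    memset(region, 0, sizeof region);
    region[0] = 0; region[1] = 40;        /* declared length: 40 */
    memcpy(region + HDR_LEN, "hi!", 3);   /* 3 bytes actually sent */
    memcpy(region + 16, "password=hunter2", 16); /* constructed leftover */
}

/* Returns 1 if the response bytes contain the secret (memcmp, because the
 * response may contain NUL bytes that would stop strstr). */
int response_leaks(const uint8_t *out, size_t n) {
    static const char needle[] = "hunter2";
    size_t k = sizeof needle - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(out + i, needle, k) == 0) return 1;
    return 0;
}

/* Run the scenario through one handler; 'fixed' selects the hardened one.
 * Returns 1 if the secret came back in the response. */
int scenario_leaks(int fixed) {
    uint8_t out[REGION_SIZE];
    setup_region();
    size_t received = HDR_LEN + 3;        /* header plus "hi!" */
    size_t n = fixed ? heartbeat_fixed(region, received, out, sizeof out)
                     : heartbeat_vulnerable(region, received, out, sizeof out);
    return response_leaks(out, n);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", scenario_leaks(0));
    printf("fixed handler leaks secret:      %d\n", scenario_leaks(1));
    return 0;
}
```

The fix is one comparison, which is why the flaw survived review for so long: nothing in the vulnerable handler looks wrong unless the reader asks where `received` is used. Any code path that copies a peer-supplied length worth of bytes needs that comparison against the actual record size.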
The bug
highlights the helplessness that cybercitizens face, as they rely on firms to
use technology properly and keep the services they use secure.
Cybercitizens are truly helpless victims.
Now that the
bug is known, cybercitizens should first check that the services they use are no longer vulnerable, and then
change their passwords.
Ideally, I would have liked to have seen service providers
send emails to their users requesting them to reset their passwords.