Sunday, April 13, 2014
Cybercitizens, do you need to be concerned about Heartbleed?
An estimated 17% of SSL/TLS-secured web servers, and a larger share of networking products, were left exposed by a bug in OpenSSL, the library most of them use to implement encrypted channels (the "Heartbleed" bug, CVE-2014-0160, in the TLS heartbeat extension). Note that "exposed" is not "compromised": the bug makes it possible for an attacker to read chunks of a server's memory, and with them user passwords, session cookies and the server's private key; a stolen private key in turn unlocks recorded encrypted traffic from connections that did not use forward secrecy, as well as current ones.
From the published list of affected websites on The Heartbleed Hit List, it is apparent that the bug impacts a wide range of services commonly used by cybercitizens. Mail, social networks, home networking gear and financial sites were all exposed to potential malicious activity ranging from spying to crime. The vulnerable OpenSSL versions were in use for over two years, and exploiting the bug leaves no trace in ordinary server logs, so the exact extent of its malicious exploitation will never be known.
One plausible assessment is that it was found early by government agencies who kept the discovery a closely guarded secret and used it to decode encrypted channels set up to ensure privacy and safety: to read messages, find passwords and so on. Flaws of this kind are typically detected by fuzzing, that is, by feeding malformed input to software with a test tool, a technique commonly used by governments and specialized labs. It is therefore no surprise that Codenomicon, a vendor of such security testing tools, was one of the two parties to find it (Google's Neel Mehta reported it independently). If this is true, then the most obvious targets would be political opponents, dissidents, journalists, and others in whom governments have a vested interest.
Had cybercriminals discovered the bug early, they could have used it to steal the private keys of large Internet service providers. With a stolen key, and a position on the network path or control of DNS to redirect traffic, they could impersonate the legitimate service, fooling cybercitizens into thinking they were communicating with it rather than with a spoofed site. In such a scenario, cybercitizens may have willingly handed over their credentials and suffered monetary loss as a consequence.
The bug also allowed an attacker to pull up to 64 KB of the server's memory with each malformed heartbeat request, a slice whose contents the attacker cannot choose but which may well include user credentials, and the request can be repeated at will. I personally think that such random attacks, amounting to finding a needle in a haystack, would not be profitable. Rather, it would have been very rewarding to sell such an exploit on the underground market to one or many governments.
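To make the "read a slice of memory" mechanism concrete, here is an added C illustration written for this post; it is model code, not OpenSSL's source. A TLS heartbeat record (RFC 6520 layout: one type byte, a two-byte payload length, the payload, then 16 bytes of padding) is placed in a flat arena that also holds a constructed session cookie a little further on. The vulnerable handler echoes as many bytes as the attacker claims in the header rather than as many as were actually received, so the cookie comes back in the response; the fixed handler adds the length check that closed the hole. The arena, the 64-byte gap and the cookie string are all constructed for the demo, and the arena is sized so the over-read stays inside memory the program owns.

```c
// Added illustration of the Heartbleed bug class (CVE-2014-0160). This is
// model code, NOT OpenSSL's source: the received record and a constructed
// "secret" live in one flat arena so the over-read is reproducible and stays
// inside memory we own (no undefined behaviour).
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING       16
#define HB_MAX_PAYLOAD   65535
#define ARENA_SIZE       (3 + HB_MAX_PAYLOAD + HB_PADDING + 128)

/* Pretend heap: the heartbeat record sits at offset 0, and other application
 * data (a session cookie, constructed for the demo) sits 64 bytes past it. */
typedef struct {
    unsigned char mem[ARENA_SIZE];
    size_t rec_len;                 /* bytes actually received in the record */
} arena_t;

static const char SECRET[] = "SESSION=aGVhcnRibGVlZC1kZW1v; user=alice";

/* Heartbeat layout (RFC 6520): type(1) | payload_length(2) | payload | padding(16).
 * `claimed_len` goes into the header; only `actual_len` payload bytes are sent. */
static void arena_init(arena_t *a, uint16_t claimed_len, size_t actual_len) {
    static const unsigned char ping[] = "ping";   /* constructed honest payload */
    if (actual_len > 4) actual_len = 4;
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = TLS1_HB_REQUEST;
    a->mem[1] = (unsigned char)(claimed_len >> 8);
    a->mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(a->mem + 3, ping, actual_len);
    a->rec_len = 3 + actual_len + HB_PADDING;      /* padding is already zero */
    memcpy(a->mem + a->rec_len + 64, SECRET, sizeof SECRET - 1);
}

/* Build the echo response: `payload` bytes copied from just after the header. */
static size_t build_response(const arena_t *a, unsigned char *resp, uint16_t payload) {
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, a->mem + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: the payload
 * length is read from the attacker-controlled header and never compared with
 * the record length, so the echo reads far past the real record. */
size_t process_heartbeat_vulnerable(const arena_t *a, unsigned char *resp) {
    const unsigned char *p = a->mem;
    if (p[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    return build_response(a, resp, payload);      /* BUG: trusts `payload` */
}

/* Fixed handler, with the checks OpenSSL 1.0.1g added: drop records too short
 * to hold header plus padding, and drop any record whose claimed payload does
 * not fit in what was actually received. */
size_t process_heartbeat_fixed(const arena_t *a, unsigned char *resp) {
    const unsigned char *p = a->mem;
    if (a->rec_len < 1 + 2 + HB_PADDING) return 0;
    if (p[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > a->rec_len) return 0; /* silently discard */
    return build_response(a, resp, payload);
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* One heartbeat exchange against a fresh arena; returns response length (0 = dropped). */
static size_t run_exchange(uint16_t claimed_len, size_t actual_len, int use_fixed,
                           const unsigned char **resp_out) {
    static arena_t a;
    static unsigned char resp[3 + HB_MAX_PAYLOAD + HB_PADDING];
    arena_init(&a, claimed_len, actual_len);
    *resp_out = resp;
    return use_fixed ? process_heartbeat_fixed(&a, resp)
                     : process_heartbeat_vulnerable(&a, resp);
}

size_t heartbeat_response_len(uint16_t claimed_len, size_t actual_len, int use_fixed) {
    const unsigned char *r;
    return run_exchange(claimed_len, actual_len, use_fixed, &r);
}

/* 1 if the session cookie came back in the response, else 0. */
int heartbeat_leaks_secret(uint16_t claimed_len, size_t actual_len, int use_fixed) {
    const unsigned char *r;
    size_t n = run_exchange(claimed_len, actual_len, use_fixed, &r);
    return contains(r, n, "SESSION=");
}

int main(void) {
    printf("honest 4-byte heartbeat, fixed:   %zu bytes, leaks secret: %d\n",
           heartbeat_response_len(4, 4, 1), heartbeat_leaks_secret(4, 4, 1));
    printf("claimed 64KB, vulnerable:         %zu bytes, leaks secret: %d\n",
           heartbeat_response_len(HB_MAX_PAYLOAD, 4, 0), heartbeat_leaks_secret(HB_MAX_PAYLOAD, 4, 0));
    printf("claimed 64KB, fixed:              %zu bytes, leaks secret: %d\n",
           heartbeat_response_len(HB_MAX_PAYLOAD, 4, 1), heartbeat_leaks_secret(HB_MAX_PAYLOAD, 4, 1));
    return 0;
}
```

The malicious request sends four real payload bytes but claims 65535, and the vulnerable handler obligingly returns a 65554-byte response containing the cookie that sat beyond the record; the fixed handler returns nothing for that request while still answering an honest heartbeat normally, which is why the patch could be deployed without breaking the protocol.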
The bug highlights how helpless cybercitizens are: they must rely on firms to use technology properly to keep the services they depend on secure, and have no way to verify that this is being done. Cybercitizens are truly helpless victims.
Now that the bug is known, cybercitizens should first check that the services they use are no longer vulnerable (the server must have been patched and, ideally, had its certificate reissued, since a stolen private key stays stolen), and only then change their passwords; a password changed on a still-vulnerable server can simply leak again.
Ideally, I would have liked to have seen service providers send emails to their users requesting them to reset their passwords.