Heartbleed causing significant heartburn for internet security

April 9, 2014 |

There has been a major alert and scare about a discovered flaw in OpenSSL cryptographic software library which is used by a large number of websites.  It is reported in Web security in doubt after discovery of ‘Heartbleed’ flaw and Newly discovered encryption flaw a ‘big deal’, say security experts.  It has also been reported in the Drum in somewhat apocalyptic terms in A civilisation built upon software isn’t safe, which provides:

Go onto the web to check your bank balance, order some cheap shoes from overseas, or pay some bills. It’s something we do almost every day, without a second thought, because we’re reassured by the cute lock icon in the location bar of our browser. It’s the sign that this connection has been encrypted, hidden from anyone’s prying eyes.

That’s what the banks have told us. That’s what the online retailers have told us. That’s what all of the people who make billions from connected commerce have taught us to believe. A secure connection is invulnerable.

Or not.

On Tuesday morning, Australia time, internet security researchers announced the existence of the ‘heartbleed’ bug. Heartbleed exploits a bug in the encryption software running on computers used by banks and retailers, exposing to hackers all sorts of information that’s meant to be completely secure – credit card numbers, passwords, even the keys used to encrypt the connection. With one of those keys, a hacker could create a fake e-commerce website that acts just like the real thing – down to the lock icon in the browser – using it to scoop up even more personal data.

We know this vulnerability has existed for at least two years, and that the heartbleed code is on millions of computers. Worse yet, heartbleed leaves no trace. There’s no way to tell if a computer susceptible to heartbleed has been hacked into.

Computer boffins around the world are busily patching the affected computers. But the damage has been done. A huge cache of confidential information has been exposed. We have no idea of the extent of the intrusion, making it next to impossible to assess, let alone repair.

This is the most serious security threat the web has yet faced.

Computer software is rarely perfect. Bugs are common, most found and fixed before release. But a few always slip through, perhaps because they aren’t immediately visible, or require such an unusual set of circumstances to reproduce that no one thinks to check.

In a word processing program, bugs are merely annoying. In software that provides security, bugs can be very dangerous. For this reason, security code is meant to be audited – inspected, line by line – by other experts. That auditing provides its own tick of approval and trustworthiness because the safety of security code grows as security specialists audit it for bugs. When they come up empty-handed, it’s reasonable to presume the software is secure.

It’s not clear that the software containing the heartbleed bug was subjected to much auditing before release. Someone wrote the software, tested it a bit, and ‘threw it over the wall’, into widespread release. At that point it was installed on millions of computers around the world.

It’s as if someone redesigned the automobile brake, ran only a handful of safety trials, then started manufacturing cars using the new design. Most of the time those brakes work as expected, but – in certain rare cases – they can fail completely. Would any of us feel safe behind the wheel of those cars?

The folks who wrote this security software believed it was secure and bug free. The folks who installed that security software on their computers assumed that the folks who had written the security software had done their homework, diligently testing it for any weaknesses. And all of us assumed that a secure connection was inviolate.

We have to clean this mess up – but we also need to learn from our mistakes. We need to be diligent with security software, both in its design and in its deployment. We need to be a bit more paranoid, and a little less reliant on the assurances of others when they promise safety and security.

More and more, our civilisation is built upon software. A bug now can do more than crash a computer. The worst bugs can bring down banks, stock exchanges, possibly even entire financial systems.

Software will never be perfect. Our world will always be a little bit rickety, held together with ‘patches’ – the software equivalents of baling wire and chewing gum. After this week, we’ve realised that software, while amazing, comes with a cost. Software makes us vulnerable to the weaknesses of its creators. When we use software, we must acknowledge those weaknesses – and take steps to shore up the weak spots.

All of this means that our seamless, frictionless world of software and connectivity must now change. We have designed a world where all security happens behind the scenes, nearly invisibly. That was a mistake. We need to give these processes some thought. We can not accept the promises of others about safety or security online.

We don’t need to become security boffins (though the world can surely use more of those). But we do need to pause, and reflect, every time we see that lock icon in the browser. It’s supposed to provide a sense of trust. Instead, it reminds us that trust is a poor foundation for security.

For Australian organisations and agencies data breaches caused by flaws in fundamental and ubiquitous software is probably not, in the normal course and of itself, going to constitute a breach of the Australian Privacy Principles. A failure to properly patch the flaws once those vulnerabilities are made known and a fix is made available is another story. Ignoring that which is apparent because of miscommunication or poor protocols is a matter which may very well constitute an interference with privacy if there is a subsequent hacking attack.

Leave a Reply