'Heartbleed' web bug IS as bad as the hype


by RENAY SAN MIGUEL / KING 5 News

kgw.com

Posted on April 9, 2014 at 1:37 PM

Updated Wednesday, Apr 9 at 1:40 PM

I've covered technology since the late 1990s, which means I've had a front-row seat for the rise of the Internet and its impact on business and personal communications. Unfortunately, that's also meant I've been on a first-name basis with the likes of Melissa, Nimda, Code Red, Slammer and Sasser -- security threats with cute names that could cause ugly damage to computers and networks.

That background means I know that some computer security companies will play up the potential damage from these threats to sell their products and services. I also know that the media can stoke similar fears for ratings and page views.

So all that experience tells me that the latest threat, the Heartbleed bug, is indeed worthy of the hype.

Heartbleed is a flaw in the open source encryption software called OpenSSL, which sits on servers -- the computers that power websites -- and protects data like usernames, passwords and credit card numbers sent from users. If you didn't have the OpenSSL encryption key, all you would see of that data is digital gibberish. But the Heartbleed bug in OpenSSL could have allowed hackers to steal that information, and you wouldn't have known they were there.

How? Sometimes computers will ping servers to make sure they are still connected via a secure link. That ping is called a "heartbeat." But the Heartbleed flaw meant hackers could have sent a Trojan horse-style "heartbeat" that was really designed to steal data.

And this could have been going on for two years. The flaw has sat undiscovered for that long.
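As an added illustration that is not part of the article: a small Python model of the length check a patched OpenSSL performs on every heartbeat message before echoing it back (field layout per RFC 6520; the function names and sample messages are my own).

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def parse_heartbeat(record: bytes):
    """Parse a TLS heartbeat message body (the bytes after the record header).

    Returns (type, payload) when the message is self-consistent, or None when
    the declared payload length does not fit inside the record. That None
    branch is the bounds check whose absence was CVE-2014-0160: unpatched
    OpenSSL trusted payload_length and copied that many bytes of process
    memory into the reply.
    """
    if len(record) < 3:
        return None
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The fix in OpenSSL 1.0.1g: 1 (type) + 2 (length) + payload + 16 (padding)
    # must not exceed the record length; otherwise the message is dropped.
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None
    return hb_type, record[3:3 + payload_len]


def build_heartbeat(hb_type: int, payload: bytes, padding: bytes = b"\x00" * 16) -> bytes:
    """Construct a well-formed heartbeat body (used here only to build sample input)."""
    return struct.pack("!BH", hb_type, len(payload)) + payload + padding


def respond(record: bytes):
    """Server side: echo the payload back only after the length check passes."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


if __name__ == "__main__":
    # Constructed sample: an honest 4-byte heartbeat is echoed...
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    print(parse_heartbeat(good))  # (1, b'ping')
    # ...while a malformed one that declares 65535 bytes but carries 4 is dropped.
    malformed = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"ping" + b"\x00" * 16
    print(parse_heartbeat(malformed))  # None
```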

After interviewing a variety of computer security experts during my tech reporting career, and reading the work of others via books and blogs, there are two respected names that stand out for me. Brian Krebs, a former Wired reporter who now writes the Krebs on Security blog, broke the Target hack story late last year. Bruce Schneier is considered the godfather of encryption software and is someone I've turned to for interviews several times over the last 14 years.

Krebs calls Heartbleed "an extremely critical vulnerability." Schneier, no fan of media hype about computer threats, says on a scale of 1 to 10, "this is an 11."

Heartbleed is bad because OpenSSL is free and used by about two-thirds of active websites. It's bad because the Dept. of Homeland Security alerted businesses Tuesday to the problem and asked them to check their use of OpenSSL. It's bad because Yahoo! Mail -- one of the most popular email services -- used OpenSSL.

It's bad because once again, we have to tell people that they should reset their passwords, take the time to come up with more complicated passwords, not use the same password twice, consider a password manager like LastPass, and favor sites that use two-step authentication (a password plus a one-time random code sent via email or text).

It's also bad because even though Heartbleed is a legitimate threat, many people will still think we're crying wolf over it, thanks to previous media coverage.

Here's hoping those users will take this advice to heart.
