TMCnet News

Tech Talk: Heartbleed leaves us vulnerable [St. Cloud Times, Minn. :: ]
[April 20, 2014]


(St. Cloud Times (MN) Via Acquire Media NewsEdge) April 20--Computer users generally try to, or at least know they should, do as much as is reasonably possible to protect their digital information and accounts.

Good password practices and browsing habits have been drilled into our heads and are reiterated whenever a major shift in social engineering or account security occurs. We may have points of weakness, but on the whole I think people know the basics.



We also have an unspoken trust in the websites and software we use. We want to believe that if we handle business on our end, Web services and vendors will do their part to keep our account information secure.

Recently, major security breaches have upset this trust and called into question our reliance on the software and technology that we trust.


Target's highly publicized data breach during last year's holiday season saw customer financial information exposed due to malware installed on point-of-sale credit and debit card scanners. Consumers did everything they were supposed to during the process, but they ended up losing control of their data due to contaminated technology they trusted would work.

The latest security issue, Heartbleed, is even worse, as it affects websites used by millions of Internet users across the world.

Heartbleed

Heartbleed is a security bug that affects websites using certain versions of OpenSSL for SSL/TLS encryption. Such encryption allows for computers and servers to securely transmit information such as user names, passwords, personal records and financial data.

The vulnerability allows those with nefarious intent to untraceably access data that was supposed to be encrypted. This can include private encryption keys and sensitive user data.

OpenSSL is a popular solution for both large and small websites employing encryption, so Web users could run into a Heartbleed-affected website several times a day. Netcraft's April 2014 Web Server Survey (http://bit.ly/1hm0MSI) estimates that up to 66 percent of websites could be running a server environment capable of being affected by Heartbleed.

Heartbleed affects versions of OpenSSL that have been in play for two years, making the breach potentially disastrous considering how little knowledge we have of how much information could have been taken in that time.

Heartbleed will be tough to get rid of; affected servers and devices need to manually upgrade to a patched version of OpenSSL. Major services have either already done so or have announced plans for security updates, but smaller websites or those without a strong Web team could take much longer to make the fix, leaving users of those sites vulnerable.

What can users do on our end? Mashable has compiled a list of popular Web services and their possible Heartbleed exposure, which can be viewed here: http://on.mash.to/PTgjhh. Facebook, Google and Yahoo have all issued statements recommending users update their passwords.

If you're using an affected site, check to see if they've issued a security update addressing the issue. If they have, update your password. If you want to see if a service you're using has updated, run the site's URL against LastPass's Heartbleed checker (https://lastpass.com/heartbleed) to see the server's SSL certificate status.

Codenomicon, one of the companies involved with discovering Heartbleed, has set up a website with more information about the bug. View it at http://heartbleed.com.

Out of our hands

Security issues such as Heartbleed and the Target breach are frustrating because there was absolutely nothing users could do to prevent the potential loss of their personal information.

With password hacks or social engineering, there is almost always a personal element that could have been handled better to prevent the problem.

Proper server maintenance, point-of-sale malware and correctly updated code are not aspects of technology we can control. We hope that businesses have the proper pieces and protocols in place to correctly handle our information, but we can't know for sure. These data breaches reveal just how much trust we place in the online services we use each day.

As more devices, services and elements of computing become personal, the importance of a company's data security reputation will grow. We will want to do business and interface with entities proven to be secure and able to react to the changing security landscape.

This is the opinion of Times Digital Products Specialist Andrew Fraser. Follow him on Twitter @AndrewFraser.

___ (c)2014 the St. Cloud Times (St. Cloud, Minn.) Visit the St. Cloud Times (St. Cloud, Minn.) at www.sctimes.com Distributed by MCT Information Services
