Next Heartbleed could drain us


EDMONTON - Early in the afternoon of April 7, a website called Heartbleed.com went live, warning the public of a devastating new security bug in OpenSSL, the encryption software used by about two-thirds of the Internet’s web servers. Most of the world’s tech companies found out about it that day, along with everyone else, and raced to check their systems and fix the problem.

In Ottawa, the e-commerce company Shopify scrambled its network security team and had a patch ready for its core servers by 7 p.m., and one for the secondary servers by midnight. The team worked all night, and by the next day it had reissued all of its keys and certificates, the credentials a server uses to prove its identity and set up encrypted connections. Patching alone is not enough: a private key that leaked before the patch keeps working afterwards until it is replaced.

A few days later, the company posted on its blog that it had patched the problem before companies such as Yahoo and Google had, and that as far as it knew, no sensitive data had been compromised.

The general public seemed to have shrugged off the matter, too.

“Despite public awareness of Heartbleed, we did not notice an overall reduction in e-commerce sales and activity in the more than 95,000 sites that use Shopify. Our data indicates that while consumers are aware of Heartbleed, they are happy and willing to continue to shop online,” said Craig Miller, vice-president of growth at Shopify.

A breach at the Canada Revenue Agency saw about 900 social insurance numbers taken through the bug, but on April 15, Royal Canadian Mounted Police officers arrested a 19-year-old computer science student at Western University in London, Ont., and charged him with one count of unauthorized use of a computer and one count of mischief in relation to data. While much of the Internet was exposed by Heartbleed, the visible damage seems to have been minimal.

Internet users are constantly told to change their passwords, to think up better passwords, to not use the same password twice and, above all, to not give their passwords to anyone. But in those few hours after the bug became public and before those patches had rolled out, we were all sitting ducks. There was absolutely nothing a person could do to keep their data safe, besides removing themselves from the grid and shacking up in the woods somewhere.

The Heartbleed security bug was almost laughably simple. The secure connections that browsers make to web servers include a “heartbeat”: during idle moments, one side sends a short message, along with a number saying how long the message is, and the other side sends the same message back to show the connection is still alive.

This became a bug because OpenSSL never checked the stated length against the amount of data that had actually arrived. If a sender said the message was 100 characters long but sent only five, the server would reply with those five characters followed by 95 more bytes copied from whatever happened to be sitting in its memory next to the request. Whatever the server was working on at that moment, it would just blurt it out, and because the length field is two bytes, a single request could pull out nearly 64 kilobytes.

It’s like plying a chatty friend with peach schnapps and then asking him for whatever secret is on his mind at the time. It might be nothing, but it also might be the juiciest piece of gossip you’ve ever heard.

Attackers also realized that they could make the same request over and over again and then sift through the responses, looking for patterns. Those patterns could be credit card numbers, social insurance numbers, session cookies or passwords. Scariest of all, they could be the server’s private encryption key, which would let an attacker impersonate the server and, unless the connections used forward secrecy, decrypt traffic it had recorded earlier.
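As an added illustration (this is not code from the article, from Shopify or from the OpenSSL project), the following Python simulates the heartbeat exchange described above. The vulnerable handler trusts the stated length the way OpenSSL did before the fix, the patched handler applies the same bounds check the fix introduced, and a small sifting routine models the pattern-hunting an attacker would do over many responses. The function names, the contents of ADJACENT_MEMORY and the 16-byte padding are constructed for the example; the padding sits between the real message and the leaked bytes, so of the 95 extra bytes in the article’s example, 79 come from neighbouring memory in this model.

```python
import re
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

# Constructed stand-in for whatever happened to sit next to the request in the
# server's memory: a previous customer's request, a cookie, a card number and
# the start of a private key. Not real data.
ADJACENT_MEMORY = (
    b"GET /checkout HTTP/1.1\r\nCookie: session=9f3c2a\r\n"
    b"card=4111111111111111\r\n"
    b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg\n"
)


def build_heartbeat_request(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat message: 1-byte type, 2-byte payload_length, payload, padding.
    An honest client sends claimed_length == len(payload); an attacker lies."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def _header(record: bytes):
    return struct.unpack("!BH", record[:3])  # (type, payload_length)


def vulnerable_handler(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes starting at the payload
    without checking that many bytes actually arrived. The copy runs off the
    end of the request into adjacent_memory, which models the heap beyond it."""
    hb_type, claimed = _header(record)
    assert hb_type == HB_REQUEST
    heap = record + adjacent_memory
    echoed = heap[3:3 + claimed]  # the over-read; slicing stops at the end of the model heap
    return struct.pack("!BH", HB_RESPONSE, len(echoed)) + echoed + b"\x00" * PADDING


def patched_handler(record: bytes, adjacent_memory: bytes):
    """Post-fix behaviour: drop the request if header + claimed payload + padding
    would not fit inside the record that was actually received. adjacent_memory
    is never touched; it is kept only so both handlers take the same arguments."""
    hb_type, claimed = _header(record)
    assert hb_type == HB_REQUEST
    if 1 + 2 + claimed + PADDING > len(record):
        return None  # silently discarded, as the fix does
    echoed = record[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, len(echoed)) + echoed + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """Extract the echoed bytes from a heartbeat response."""
    _, length = _header(response)
    return response[3:3 + length]


def harvest(leaked: bytes) -> dict:
    """Sift a leaked payload for the sort of patterns an attacker looks for."""
    return {
        "cards": re.findall(rb"\b\d{16}\b", leaked),
        "cookies": re.findall(rb"session=([0-9a-f]+)", leaked),
        "private_key": b"BEGIN PRIVATE KEY" in leaked,
    }


def demo(claimed_length: int = 100):
    """Send a five-byte 'hello' with a lying length to both handlers."""
    request = build_heartbeat_request(b"hello", claimed_length)
    leaked = response_payload(vulnerable_handler(request, ADJACENT_MEMORY))
    return leaked, patched_handler(request, ADJACENT_MEMORY)


if __name__ == "__main__":
    leaked, patched = demo(100)
    print(leaked)          # 'hello', 16 bytes of padding, then neighbouring memory
    print(harvest(leaked))
    print(patched)         # None: the patched server drops the dishonest request
```

Run it and the vulnerable response begins with the five real bytes, then the padding, then a previous customer’s cookie and card number; raising claimed_length to 65535, the most the two-byte field allows, pulls out everything the model heap holds. The patched handler returns None for every dishonest request. A real attacker repeats the dishonest request thousands of times, because each response is a different slice of memory.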

On March 21, a programmer at Google discovered the bug and worked quietly with the OpenSSL team, the people who write the encryption software, to fix it. Before every affected system could be patched, the bug was made public on April 7, pushing companies like Shopify to patch their own software before the thieves got there first.

The bug had been in the code for two years, and nobody can know for sure whether it was exploited in that time: a successful Heartbleed request looks like ordinary encrypted traffic and leaves nothing in a normal server log.

OpenSSL is open-source software — meaning it’s free for everyone to view and use — and it’s used in about two-thirds of the servers currently propping up the Internet. The team subsists on donations.

So that’s how it is: in the accelerating world of technology, where billions of dollars roll in every year, the main security software has one guy on the payroll, supported by a bunch of volunteers. Developers say open source software is subject to far more code reviews and can be patched a lot quicker than proprietary software, but they also bemoan the lack of resources at projects like OpenSSL.

The smartphone was created in 2002 when BlackBerry added phone capabilities to a personal digital assistant and shipped it out to stores with the name BlackBerry stamped on the box. It was a landmark moment for technology, although we didn’t know it at the time.

A study published in the MIT Technology Review in 2012 showed how different technologies have gone from traction to maturation to saturation. To gain traction, a technology needs 10 per cent market share. Maturation is 40 per cent and saturation is 75 per cent.

According to the study, the march of technology has turned into a full-fledged sprint.

It took 25 years — from the day in 1876 when Alexander Graham Bell phoned his assistant to say, “Mr. Watson, come here, I want to see you” — for the telephone to gain traction. Maturation took 40 more years and saturation took a further 17.

Smartphones only took seven years to gain traction and a few more years to pass 40-per-cent market share. One study predicts that saturation will happen next year.

With the rate of new technology accelerating, we’ve hardly had a moment to think about all this. There is no off button and it’s nearly impossible to opt out.

The Canada Revenue Agency has your social insurance number, Amazon has your credit card and dozens of other sites have your passwords. If you use one password on several sites and any one of them gets breached, incredible damage could be done in a matter of hours.

These days, an identity is an easy thing to lose.

In the wake of the Heartbleed bug, there was a similar scramble at a company called LastPass, the maker of the password manager software of the same name. Developers rushed to check the company’s infrastructure and make sure it was safe. As with Shopify, the bug had no direct impact as far as the company could tell, but it still went to work reissuing keys and certificates and verifying that its data was safe.

“Once we shut down any kind of (potential) vulnerability around the Heartbleed bug on our end we immediately went to work, and if you saw us it doesn’t look like anyone slept in a week,” said Erin Styles, vice-president of marketing for LastPass.

They built a web page that checks whether other sites are still vulnerable to Heartbleed and added a service to LastPass that scans every site a user has stored to see whether it was affected.

Since then, the company has seen a tenfold increase in new registrations. The software allows a user to store passwords safely in a “vault” and change them by clicking a button. Passwords can be automatically generated, so the user may not even know the password. Most importantly, it allows a person to have a unique password for each site, meaning one breach doesn’t automatically lead to several more.

This may be the world we live in now. Companies like Shopify and LastPass can’t afford to be lax about security because they would lose all their business if they did.

The situation isn’t so different for the average Internet user.

Checking credit card statements, staying abreast of the various threats and changing passwords every few months may just be a part of our lives now.

The Internet has brought about remarkable convenience: we can pay bills with the click of a button, order products delivered straight to our door, and file taxes without picking up a pencil and a calculator.

All these things don’t come for free, though. The price of convenience might just be eternal vigilance.

It’s natural to see the progress of technology as a steady climb toward newer and better things, but each summit brings new risks, and technology has a way of getting away from us. One year after he successfully detonated the first atomic test bomb, Robert Oppenheimer delivered a letter to the U.S. Secretary of War demanding they be banned. The letter, not surprisingly, didn’t have much of an effect.

The stakes might not be so high for us right now, but in return for technology’s incredible convenience and the near eradication of boredom, we might be giving up a bit of ourselves in return.

There are many different ways to lose our identity.

sxthomson@edmontonjournal.com

Source http://www.edmontonjournal.com/touch/story.html?id=9753075
