Heartbleed Prompts Rash Responses
While it's important to respond quickly and effectively in light of a cybersecurity hole such as Heartbleed, new data shows that some websites actually added the vulnerability in the rush to patch systems.
According to security analyst Yngve Nysaeter Pettersen around 2,500 servers that weren't previously affected by the Heartbleed vulnerability introduced Heartbleed into their systems in the process of patching. What's more? A new report by security firm Netcraft reveals that 30,000 websites are currently using a fix that still contains a loophole.
"It is difficult to definitely say why this problem developed, but one possibility is that all the media attention led concerned system administrators into believing their system was unsecure," Petterson wrote.
"This, perhaps combined with administrative pressure and a need to 'do something', led them to upgrade an unaffected server to a newer, but still buggy version of the system, perhaps because the system variant had not yet been officially patched."
Heartbleed is a vulnerability affecting a widely used encryption service known as OpenSSL. The chink in the armor went undetected for around two years, and at the time of its discovery, Heartbleed was thought to affect two-thirds of the world's websites, including Google, Yahoo, and Facebook services. The only solution was to change passwords - a simple task that the public largely ignored despite the implications.
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)," Codenomicon, the Finnish-based security firm that discovered Heartbleed, wrote on Heartbleed.com.
"We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication," the firm revealed.
Heartbleed caused enough of a scare to even get the White House involved. Soon after Heartbleed was unearthed, accusations that the NSA had been aware of it (and exploited it) began making rounds, prompting Special Assistant to the President and Cybersecurity Officer Michael Daniel to step in and explain how the government handles cyber vulnerabilities.
"But there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences," Daniel said in a blog post.
"Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks."