Heartbleed: There’s Always a Fee Behind Free
We all enjoy the luxury of checking off our to-do lists from the comforts of home. Why make a stop by the bank when you can just log in and make that transfer from your laptop? Who wants to go by the mall when you can find the exact size and color of that new jacket you want with just a little browsing on your iPad? One click and it’s on its way to your doorstep. All you have to do is make sure that little padlock is showing and you know you can securely share your personal information, right?
Until recently, I felt that sense of security, too. I’ve taken (more than) reasonable steps to secure my information, so I pretty much order online whenever I want without giving it a second thought.
Until recently… and then came “Heartbleed”.
Here’s what bothers me: Essentially, ONE PERSON (one volunteer!) is in charge of maintaining the software that guarantees that https: traffic (messages protected by SSL encryption) sent between users and servers is free from prying eyes. (In case you missed my original blog post when the Heartbleed Bug story broke, check it out for some important ways you should protect yourself.)
Here’s the background information in a nutshell. That little lock symbol indicates that SSL (Secure Sockets Layer) is in place. SSL is a standard security technology for establishing an encrypted link between a server and a client: typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook). SSL allows sensitive information such as credit card numbers, Social Security numbers, and login credentials to be transmitted securely. One of the most widely used implementations of it is OpenSSL, developed by the OpenSSL Project, a collaborative effort to develop commercial-grade open source (free) software.
Sounds good, right? Free software (used by approximately 2/3 of commercial websites!), managed by volunteers who just want to make our world a safer place. What’s not to like? Except, as often proves to be the case, you get what you pay for, which for most users is nothing. The group’s founder, Steve Marquess, says they do get just under $1 million from corporate contracts, but that is earmarked for company-specific work, and in 2013 the group got just $2,000 for upkeep. So the volunteer team at the OpenSSL Foundation didn’t catch the Heartbleed Bug because there aren’t enough of them to monitor the code. Marquess says only one person works solely on the software. “Everyone else has outside obligations,” he says.
In a related story, there is also speculation that the National Security Agency (NSA; yes, them again!) has actually known about and exploited this flaw for at least two years. The NSA was able to obtain passwords and other basic data, and by not revealing the flaw, it left millions of ordinary users vulnerable to attack from other nations’ intelligence arms and criminal hackers. It is unclear whether anyone other than the U.S. government might have exploited the flaw before it was made public.
Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. But experts say the NSA and other elite intelligence agencies devote millions of dollars to hunting for common software flaws that are critical to stealing data from secure computers, while open source projects depend on the integrity of underfunded researchers to protect us from them.
The bright side of this for OpenSSL (and ultimately for us as consumers) is that they have received about $10,000 in donations since this story broke. In the meantime, OpenSSL’s weakness and the Heartbleed Bug could be leading to years’ worth of data breaches. Make sure you contact your security team to patch all related software inside your organization.
John Sileo is an author and keynote speaker on cyber security and identity theft. His clients include the Pentagon, Visa and organizations of all sizes. 800.258.8076.