CREDIT: Codenomicon – Heartbleed.com
Security researchers found the Internet’s Achilles’ heel Monday — a devastating security hole in widely used encryption software that had gone undiscovered for two years. The so-called Heartbleed bug is a vulnerability in the OpenSSL software, which nearly two-thirds of the world’s websites and mobile devices use to shield online traffic from hackers.
Millions of passwords, credit card numbers, Social Security Numbers and other personal data are at risk of being harvested by hackers. Security experts are advising people to literally stay off the Internet — not logging into bank sites to check a balance, finishing their taxes or shopping online — until there’s a fix.
“This is not a problem that can be fixed in a couple of hours. It will take days before all the sites that are vulnerable have fixed the problem, if they even get to that point,” Runa Sandvik, a privacy and security researcher and staff technologist for the Center for Democracy and Technology in Washington, D.C., told ThinkProgress. “There’s a possibility that in some instances, it won’t get fixed.”
Think of it as the BP Oil Spill on the Web: Experts won’t know how widespread the damage is or what future problems Heartbleed may create until long after companies secure the thousands of websites, mobile apps and hardware — anything that connects to the Internet — that have been affected. “It’s going to be a slow trickle. It’s not a fix that everyone can roll out today necessarily. And it affects so many people that it’s not just one company that has to do something, it’s every single company that was affected by this issue has to do something,” Sandvik said.
With hundreds of thousands of sites already affected, from Yahoo and Google to Tumblr, Netflix and OKCupid, no part of everyday life is left untouched. Studies show that the average person has 25 online accounts and uses only six different passwords, exacerbating the potential havoc security lapses like Heartbleed wreak. “For all of these people who are using the same passwords on multiple sites, if someone gets a hold of their password, they can just log in all over the place,” Sandvik said.
“With Heartbleed, it brought it closer to home. It was no longer a conversation about critical infrastructure, or the specs of a nuclear system in Iran. And it was not about the theft of data from a specific company where you had a data breach that affected millions of customers but was limited to a specific company,” Tim Maurer, a global cybersecurity researcher with the New America Foundation in Washington, D.C., told ThinkProgress. “[Heartbleed] affects just the ordinary citizen.”
More than that, it’s shown that to make the world more connected, society has also given up control of personal information to all of the companies and apps that make life a little easier and more enjoyable.
The Internet has had an enchanting effect on our daily lives. It has strengthened our personal relationships, according to Pew, and the vast majority of people believe it’s good for them personally and for society as a whole. Almost 90 percent of Americans say the Internet is part of their daily routines, and 68 percent access it from their phones, according to a recent Pew Research study. Moreover, one in two adults believe giving up the Internet completely would be at least very difficult, compared to 38 percent in 2006, Pew found.
Because the Internet is so ingrained in our daily lives, catastrophes like Heartbleed were bound to happen. “This is part of our lives and a part of the Internet,” Maurer said.
And “you need to be aware of [online security] every day.”
Privacy online is a growing concern for most users, many of whom fear identity theft. But the convenience the Internet provides and the desire to connect with others tend to outweigh that concern. Eighty-six percent of online users take some steps to minimize their digital footprints by clearing their browser’s cookies or deleting past posts. Despite wanting more anonymity online, users continue to share intimate details of their lives: Nearly 70 percent of adult users have a photo of themselves posted online, and another 50 percent display their birth date, according to a recent Pew study. More than that, over 40 percent of Web users have their email address and employer posted online.
But only now are people becoming more aware that all the information they put online is at risk, as breaches at companies like Target and Neiman Marcus become more common. Target’s breach exposed over 100 million pieces of customer data, including credit and debit card numbers, addresses and phone numbers.
Beyond that, no one reads websites’ privacy policies simply because they’re long — it would take about 30 full work days to read all the policies users agree to each year, according to researchers. About 75 percent of people believe that consenting to one means their information is protected, according to a 2005 report from the University of Pennsylvania’s Annenberg Public Policy Center. That means users don’t know exactly how much of their information is up for grabs for companies or other people to share. Microsoft, Apple and Google were all criticized recently for a loophole in their privacy policies that allows them to read and share email contents without any legal ramifications.
Right now, it’s all up to the companies to fix the flaw, but there’s little communication from them about what’s going on, Sandvik said. Researchers agree that Heartbleed couldn’t really have been prevented, but companies’ responses to it have lagged. Usually companies fix the issue but don’t tell anyone; some will fix it and tell their customers; and even fewer will fix it, alert customers and tell them what they need to do, Sandvik said. “It needs to be the latter — all three,” she said. Most of the information customers are getting now is from security researchers and the media, not the companies, and there’s very little the consumer can do.
U.S. National Security Agency whistleblower Edward Snowden recently said widespread encryption on all websites was the only way to be safe from breaches or government surveillance. As breaches become more commonplace, companies are under increased pressure from the government and customers to use encryption more. However, flaws like Heartbleed, which is a hole in the encryption itself, leave customers in the lurch and completely at the mercy of the companies that know their birth dates and email addresses.
Hopefully, Heartbleed will embolden customers to push for more protective policies instead of trusting that the companies will take care of them. Just as consumer outrage after the Target breach led to a push for better credit card technology and reconsideration of a federal breach notification law that would require companies to notify customers when their data is leaked, Heartbleed will lead to more policies that bolster privacy guidelines for mobile apps and affect online security overall.
“What Heartbleed shows is that the Internet is in many ways very similar to how we think about health: You can get vaccinated but at the same time you need to still wash your hands and use sanitizer,” Maurer said. The major companies have a responsibility to fix the problem once it’s been detected, but everyone has to make an effort to protect themselves.