2.5 Tracking a moving target
Security is an ever-changing topic. New technologies are always being introduced and they bring new risks, or allow old threats to resurface in a new form.
Old technologies are retired by manufacturers, potentially leaving their users exposed to danger as bugs and security weaknesses remain unaddressed. And there are new threats being discovered every day, as the Heartbleed bug shows only too well.
In April 2014, news broke about a serious bug that affected at least half a million websites. Called ‘Heartbleed’ (CVE-2014-0160), the bug is in OpenSSL, a software library that a large proportion of web servers use to set up the encrypted SSL/TLS connections over which browsers exchange financial or personal information. The fault is in OpenSSL’s implementation of the TLS heartbeat extension, which lets the computer at one end of a connection check that the other end is still there: it sends a short message and the remote computer echoes it back. Each heartbeat request carries a length field describing its payload, and the vulnerable code copied that many bytes into the reply without checking the figure against the number of bytes actually received. A deliberately malformed request of a few bytes could therefore claim a payload of up to 64 kilobytes and be answered with that much of the server’s memory adjacent to the request. That memory could contain the private key behind the site’s certificate (with which an attacker can impersonate the site), users’ passwords in plaintext, session cookies, credit card numbers or other personal information.
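To make the mechanism concrete, here is an added example in C that is not part of this course text and not OpenSSL’s own code: a deliberately simplified model of a heartbeat handler with the missing check, beside the checked version. The message layout, the buffer names and the ‘SECRET=hunter2’ bytes are all constructed for the illustration; the only thing taken from the real fix is the bounds comparison that OpenSSL 1.0.1g added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat message (RFC 6520): type byte, two-byte
 * big-endian payload length, payload, then at least 16 bytes of padding.
 * Constructed for this example; none of this is OpenSSL's code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Echo payload_len bytes from payload back to the peer, plus padding.
 * Returns the response length, or -1 if it would not fit in out. */
static int build_response(const uint8_t *payload, uint16_t payload_len,
                          uint8_t *out, size_t out_cap)
{
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);        /* copies whatever is there */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* RFC wants random padding */
    return (int)resp_len;
}

/* Vulnerable handler: trusts the length field inside the message. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    /* BUG: payload_len is never compared with rec_len, so the memcpy in
     * build_response reads past the bytes the peer actually sent. */
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Fixed handler: adds the bounds check that OpenSSL 1.0.1g introduced. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    /* FIX: header + claimed payload + minimum padding must fit inside the
     * record actually received; otherwise silently discard the request. */
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Constructed "process memory": a 7-byte request claiming a 40-byte
 * payload, followed by bytes the peer never sent and must never see. */
static const uint8_t process_memory[64] = {
    HB_REQUEST, 0x00, 0x28,            /* type, claimed length = 40 */
    'p', 'i', 'n', 'g',                /* the 4 payload bytes actually sent */
    'S', 'E', 'C', 'R', 'E', 'T', '=', 'h', 'u', 'n', 't', 'e', 'r', '2'
};
#define MALICIOUS_LEN 7   /* bytes actually received from the peer */

/* A well-formed request: 4-byte payload plus 16 bytes of (zero) padding. */
static const uint8_t legit_request[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };

/* Run one request through either handler; returns the response length. */
static int respond(int fixed, const uint8_t *rec, size_t rec_len)
{
    uint8_t out[128];
    return fixed ? heartbeat_fixed(rec, rec_len, out, sizeof out)
                 : heartbeat_vulnerable(rec, rec_len, out, sizeof out);
}

/* 1 if the vulnerable handler's reply to the malicious request carries
 * the adjacent secret, 0 otherwise. */
static int vulnerable_leaks_secret(void)
{
    uint8_t out[128];
    const char *needle = "SECRET=hunter2";
    size_t m = strlen(needle);
    int n = heartbeat_vulnerable(process_memory, MALICIOUS_LEN, out, sizeof out);
    for (size_t i = 0; n > 0 && i + m <= (size_t)n; i++)
        if (memcmp(out + i, needle, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable: %d bytes returned for a %d-byte request, secret leaked: %s\n",
           respond(0, process_memory, MALICIOUS_LEN), MALICIOUS_LEN,
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed: malicious request -> %d, legitimate request -> %d bytes\n",
           respond(1, process_memory, MALICIOUS_LEN),
           respond(1, legit_request, sizeof legit_request));
    return 0;
}
```

The vulnerable handler answers the 7-byte request with 59 bytes, 40 of which were never sent by the peer; the fixed handler discards the same request and still answers the well-formed one with 23 bytes. In the real library the over-read ran into whatever OpenSSL had allocated next to the request buffer, which is why keys and decrypted traffic turned up in responses.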
The bug was introduced when the heartbeat code was added to OpenSSL at the end of 2011, and it shipped in version 1.0.1 in March 2012. It was present in every release of the 1.0.1 series (1.0.1 to 1.0.1f) until 1.0.1g, released on 7 April 2014, removed it; the older 1.0.0 and 0.9.8 series never contained the heartbeat code and were not affected. For more than two years Heartbleed was present on a huge number of websites, including those of very large organisations such as Yahoo!, the photo sharing site Flickr (owned by Yahoo!) and the slate.com news site, during which it put all of their users at risk.
To the best of our knowledge, Heartbleed was discovered independently by two groups of researchers, Neel Mehta of Google’s security team and engineers at the Finnish firm Codenomicon, who, as is usual in coordinated disclosure, worked with the OpenSSL developers to prepare a fix before the bug was announced publicly. However, it is entirely possible that these were not the first people to find Heartbleed, and it may have been known to criminals for some time; because a malicious heartbeat request leaves no trace in ordinary web server logs, there is no reliable way to tell whether a particular server was attacked.
At the time of writing, the full effects of Heartbleed are still not known. So far, thousands of administrators all around the world have been patching web servers and then, because the private keys may have been exposed, generating new keys, having new certificates issued and the old ones revoked, and in some cases asking all users to change their passwords. Installing the patch alone is not enough: a key that may have leaked remains compromised until it is replaced, and a password typed in while the server was vulnerable may already have been captured. Even if no crime is ever committed as a result of Heartbleed, it will have cost a huge amount of money to fix.