In 2006, Apple began running its “Get a Mac” ad campaign, featuring a casually dressed “Mac” representative contrasted with the nerdy and business-professional “PC.” At the time, Mac’s relatively low market share made it less of a target for hackers and virus-makers, and so the campaign poked fun at the more virus-prone Windows operating system. The perceived vulnerabilities in the PC software made Macs a more attractive prospect for many consumers.
But a recently unveiled security threat dubbed Heartbleed isn’t a virus. And it doesn’t affect just one operating system. This dormant software bug has endangered the security of the traffic on the Internet itself.
The bug has to do with the way secure connections are kept open in OpenSSL, the encryption library used by websites and software applications around the world. Publicly disclosed on April 7, Heartbleed is said to have affected around 17 percent of the Internet’s “secure” web servers, allowing data protected by OpenSSL to be stolen and leading journalists and industry experts to characterize it as a catastrophic threat to the security of consumer sites.
Heartbleed is unlike most other security threats in that it has had an ad campaign of sorts to raise awareness. Finnish security testing company Codenomicon gave Heartbleed its name (taken from the vulnerable OpenSSL extension Heartbeat) as well as a distinctive, blood-dripping heart logo to go along with it, and affected sites have been sending emails to users in the past week notifying them of the vulnerability and encouraging them to change their passwords.
The most frustrating aspect of the ongoing Heartbleed debacle is twofold: First, that this disclosure comes too late to retroactively fix any damage done, and second, that there really is no way to determine the extent of that damage. Like a mudslide or a hurricane, we won’t know the magnitude of the devastation until the debris has cleared. Hackers could have already taken passwords or other secure data without our knowledge. In testing the vulnerability, heartbleed.com states, “We attacked ourselves from outside, without leaving a trace.”
A fixed version of the encryption library has since been released, but the onus is on service providers to update their infrastructure, and this loophole has been left open since 2012.
How could such a massive oversight have stood for so long? It’s the same reason most security threats develop in open-source code, a community-driven process that allows the guts of software to be examined and improved upon by anyone. It’s not that no one has thought to check for vulnerabilities like Heartbleed. It’s that everyone assumes someone else has.
Yet not everyone was left in the dark on Heartbleed. Bloomberg reported that the NSA not only knew about the bug but exploited it for years to its own ends, a charge vehemently denied by the agency. If true, it would mean the National Security Agency, oxymoronically, chose not to disclose a security vulnerability affecting the entire nation.
In the modern digital landscape, it’s still the Wild West. Systematic regulation of the Internet is implausible and could cause more problems than it solves. The NSA is purportedly more interested in exploiting loopholes for its own purposes rather than alerting the public to their presence, and those working on open-source code such as OpenSSL can often be blinded by the notion that “someone” has checked for vulnerabilities. As it stands, no one is held accountable for the Internet. Until that changes, consumers need to watch out for themselves.