Heartbleed Bug - Is it Safe to Come Out Yet?
This week we have a very timely question from Ms. Ashleigh Vandelay, an architect in Flint, MI:
“Two weeks ago, after reading the scary warnings about the Heartbleed vulnerability, I grabbed all my back issues of The Daily Cryptogram puzzle and some food and water, and headed down into my survival bunker and sealed the door. I’m just about out of Kind bars – the only ones left are the gluten-free honey mustard plus fiber ones that I bought from Overstock.com a few years ago.
Is it safe to come out yet?”
First, Ms. Vandelay, the next time there is a major Internet vulnerability I recommend bringing some Road's End Organics Gluten Free Alfredo Chreese (sic) Mix down into your bunker. It tastes just as bad as, if not worse than, those Kind bars – but you can use the Chreese Mix as a quick-setting mortar to make a nice ottoman out of any remaining snack bars or Ramen noodle packages you might have.
As far as Heartbleed goes, I think the mainstream press had grown weary of trying to pronounce the names of cities in Crimea and the Ukraine and really did jump on the Heartbleed vulnerability as the next “Bird Flu of the Internet” kind of story. But Heartbleed really is a serious flaw that posed a major risk to both consumers and enterprises.
In reality, the publicity around Heartbleed was actually much more appropriate than the periodic over-hyped tub-thumping about “Digital Pearl Harbor!” or “Cyber Terrorism!!” or even “PKI Without the Complexity!!!” The flaw was disclosed in a very responsible manner, the publicity made senior management supportive of patching and shielding rapidly, and there was actually relatively little ambulance chasing by the cybersecurity industry.
The Heartbleed publicity even started some very useful dialog about replacing reusable passwords with two-step/two-factor authentication, the security of third-party software components overall, and the need for enterprises to consider supporting the open-source efforts they may be dependent on.
So, Ashleigh, it is a very good time to come out of your hidey-hole. The Code Red/Nimda/Slammer/Blaster vulnerabilities of 2001 and 2003 led to major changes in how commercial software vendors handle patches and vulnerability information and drove enterprises to move to more frequent and more rapid patching of PCs and servers. Security people should be using the Heartbleed publicity to make similar gains in discovery, vulnerability assessment and application security – and maybe even some proof-of-concept trials of stronger authentication. One of the biggest ways to improve security would be to decrease the use of reusable passwords, and the cost of fixing the Heartbleed flaw would turn out to be a bargain if it really did lead to some meaningful reduction there.
Now, Ms. Vandelay, by coming out of your shelter this week you will be just in time to celebrate the birthday of the inventor of the wireless telegraph, Guglielmo Marconi. In 1903, Guggi was giving a demonstration of his wireless system when a remote transmitter took advantage of the complete lack of authentication in the system to override the legitimate signal and start sending “RATS RATS RATS,” to the delight of the watching press and the dismay of Mr. Marconi.
So, it took us about 85 years to move from no authentication on communications to widespread use of reusable passwords in 1990 or so. The list of organizations supporting two-factor authentication has grown nicely since the Heartbleed publicity blew up – maybe it will help put a few more cracks in the 25-year reign of the password.
Come On Out, Ms. Vandelay!