Sat April 12, 2014
Diagnosing And Treating The Internet's Heartbleed Bug
Originally published on Sat April 12, 2014 5:44 pm
TESS VIGELAND, HOST:
If you're just joining us, this is ALL THINGS CONSIDERED from NPR West. I'm Tess Vigeland. The Internet found itself in the emergency room with cardiac arrest this week. As you've likely heard by now, something called the Heartbleed security flaw threatened to wield a scalpel against our most sensitive online information. Software that was supposed to protect our Internet activity turned out to have a giant hole in it, potentially allowing attackers to access email, bank accounts, user names and passwords.
Google researchers and a security firm based in Finland reported the flaw earlier this week. Jordan Robertson, a reporter for Bloomberg Businessweek, says that even though Heartbleed has been around for at least two years, a software patch to fix the problem was only released a few days ago.
JORDAN ROBERTSON: It's a very serious bug, a really big find. It's the kind of thing that we only see come along once every couple of years and it sends everybody scrambling to upgrade their Web servers, fix their email clients. Just all manner of technical upgrades needed to be done because of this.
VIGELAND: When you say it's a really serious bug that we only see every few years, what makes it serious?
ROBERTSON: Lots and lots of bugs come out every year, thousands and thousands of bugs. What makes this one particularly malicious is the fact that it deals with an encryption standard that's used by two-thirds of all Internet sites, active Internet sites. And what it does is it allows an attacker who knows about it to spy and eavesdrop on conversations that are going over this encryption protocol.
So anytime you see that padlock in the address bar of your Internet browser, that's basically what this communication protocol indicates. And so you can see a padlock. You can think your communications are secure but the problem is there's a flaw in that protocol. Fortunately, the flaw was announced at the same time as the patch was released so the researchers handled it responsibly, as they were supposed to.
VIGELAND: This encryption software that you're talking about is what's called open source. And that means that the source code is pretty much available for anyone to see. What, if anything, does that add to the picture here? Was it - did it make it more difficult or was it, I don't know, was it an advantage at all when dealing with this flaw?
ROBERTSON: It's an interesting question because you would assume that with open source software, because the code is available to the public, that would give hackers an advantage in finding vulnerabilities to exploit. You'd think it's a competitive advantage to keep that secret. But actually the reverse is true. It's actually an advantage for security researchers because you can have all kinds of researchers, like the ones who found this bug, tinkering away at research projects kind of in their spare time and finding holes in it. So it's actually a significant advantage to have open source software.
VIGELAND: Jordan, when these sorts of vulnerabilities are found, I kind of imagine this race between hackers and developers frantically trying to fix it. Is that an accurate vision?
ROBERTSON: There is this race between hackers who use that information to try to exploit the bug. They see this as, here's a patch that not everybody's going to put on immediately, and security professionals who are frantically scrambling to update their systems and their Web servers. And this process moved very quickly this week.
VIGELAND: All right. Well, when the story broke we all heard advice to change our passwords. And then we heard wait for your bank, your email provider, everybody else to apply the patch and then change your passwords. Should we all do that today, tomorrow? What's the public service announcement here?
ROBERTSON: You're pretty safe if you want to change your passwords at this point. There are some online tools that will allow you to check websites to see if they're vulnerable. I should also mention as well, large banks in general were not affected by this. They use different technologies generally. But if you're using Google, if you're using Yahoo, if you're using eBay, it's fine to go in and change your username, your password and other personal details. At this point, if you're a large company and you haven't upgraded, I mean, those are going to be few and far between.
VIGELAND: OK. So then of course the challenge is making sure that you remember your new password.
ROBERTSON: That's right.
VIGELAND: That's a whole other thing altogether. Jordan Robertson writes for Bloomberg Businessweek. Thanks so much.
ROBERTSON: Sure. Thank you.
(SOUNDBITE OF MUSIC) Transcript provided by NPR, Copyright NPR.