The nasty bug highlights the vulnerability of personal information on the web, but UBC’s Hasan Cavusoglu says there’s no need to panic
Heartbleed has been the internet security risk on everyone's lips since it struck some of the web's biggest players, including the Canada Revenue Agency. But Hasan Cavusoglu, an expert in information security economics from Sauder's Management Information Systems division, tells us we should not turn our backs on the open-source technology that played a big role in the Heartbleed saga.
Why did this happen?
Many websites have been using the OpenSSL security software. It's developed by a global network of volunteer coders, and one of them introduced, likely by mistake, a vulnerability in the code. The flaw could allow hackers to trick the security software into giving up important information without leaving a trace. Computers and servers send small amounts of information, "heartbeats", back and forth as a handshake to keep the connection open. The flaw is that a hacker could tell the server to send back much more information than necessary, and that might include passwords and other data that should be secure.
Unfortunately, the problem wasn’t discovered until two years later, when a Google engineer and a Finnish security firm found the error. It’s not a virus, but a vulnerability, meaning private information has been open to attacks. We don’t yet know if there have been many insidious attacks. It’s a serious problem, but hopefully the flaw was caught before too much damage was done.
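The over-read described in the answer above, shown as an added worked example. This is illustration code written for this page, not OpenSSL's source and not from the interview. It assumes a simulated slice of process memory in which a constructed heartbeat request is followed directly by a constructed "secret" string (standing in for whatever happened to sit next to the record buffer in a real server), and an attacker who claims a 4000-byte payload while actually sending five bytes. The vulnerable handler trusts the length field in the message; the patched handler adds the bounds check that the OpenSSL 1.0.1g fix introduced, comparing the claimed length against the record length the TLS layer actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Added example code; not OpenSSL's source. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HEADER    3

/* Simulated process memory (assumption for this example): the record goes
 * at the start, a constructed secret sits right after it. Sized so that any
 * 16-bit claimed length stays inside the simulation. */
#define MEM_SIZE (65536 + 64)
static unsigned char g_mem[MEM_SIZE];
static unsigned char g_out[MEM_SIZE];

/* Write a heartbeat request into g_mem. claimed_len is the value in the
 * length field; actual_len is how many payload bytes are really present.
 * Returns the true record length, which is what the record layer knows. */
static size_t build_request(uint16_t claimed_len, const char *payload,
                            size_t actual_len, const char *secret)
{
    size_t record_len = HB_HEADER + actual_len + HB_PADDING;
    if (record_len + strlen(secret) + 1 > MEM_SIZE) return 0;
    memset(g_mem, 0, MEM_SIZE);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed_len >> 8);
    g_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_mem + HB_HEADER, payload, actual_len);
    /* padding is already zero; the secret lies just past the record */
    memcpy(g_mem + record_len, secret, strlen(secret) + 1);
    return record_len;
}

/* Vulnerable handler, modelled on the pre-1.0.1g logic: it trusts the
 * length field inside the message and never consults record_len. */
static size_t vulnerable_heartbeat(const unsigned char *rec, size_t record_len,
                                   unsigned char *out)
{
    (void)record_len;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);  /* over-read */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Patched handler: the bounds check added in OpenSSL 1.0.1g. A claimed
 * payload that does not fit in the record (plus padding) is discarded. */
static size_t fixed_heartbeat(const unsigned char *rec, size_t record_len,
                              unsigned char *out)
{
    if (record_len < HB_HEADER + HB_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > record_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Does buf[0..len) contain the NUL-terminated needle? */
static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || len < n) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Attacker claims 4000 bytes, sends 5. Returns 1 if the vulnerable
 * response carries the adjacent secret. */
int vulnerable_leaks_secret(void)
{
    size_t rec_len = build_request(4000, "hello", 5, "SECRET:password123");
    size_t n = vulnerable_heartbeat(g_mem, rec_len, g_out);
    return n == (size_t)HB_HEADER + 4000 + HB_PADDING &&
           contains(g_out, n, "password123");
}

/* Same malicious request against the patched handler: returns 1 if dropped. */
int fixed_rejects_oversized(void)
{
    size_t rec_len = build_request(4000, "hello", 5, "SECRET:password123");
    memset(g_out, 0, MEM_SIZE);
    size_t n = fixed_heartbeat(g_mem, rec_len, g_out);
    return n == 0 && !contains(g_out, MEM_SIZE, "password123");
}

/* Honest request (claimed == actual) is still echoed, and only the payload. */
int fixed_echoes_honest_request(void)
{
    size_t rec_len = build_request(5, "hello", 5, "SECRET:password123");
    size_t n = fixed_heartbeat(g_mem, rec_len, g_out);
    return n == (size_t)HB_HEADER + 5 + HB_PADDING && g_out[0] == HB_RESPONSE &&
           memcmp(g_out + HB_HEADER, "hello", 5) == 0 &&
           !contains(g_out, n, "password123");
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("patched handler drops oversized: %d\n", fixed_rejects_oversized());
    printf("patched handler echoes honest:   %d\n", fixed_echoes_honest_request());
    return 0;
}
```

The point the check makes: the length field is attacker-controlled data, while the record length comes from the TLS record layer and reflects how many bytes actually arrived. The patched handler trusts only the second, and per RFC 6520 simply drops a heartbeat whose claimed payload cannot fit, rather than answering it.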
Is this a problem with open-source security systems?
No. In a sense it shows the strength of open-source. We learned about this problem from developers who were checking the software and discovered the flaw, instead of learning about the problem after a big attack. The idea of the open system is that anyone can check on the code to identify problems. Having more eyes on the code should improve its quality. The problem is that there aren't enough people working on this security aspect. A lot of companies use this technology; perhaps more of them should be giving back as Google did. It's their monitoring that caught the mistake.
What can we do about such security bugs?
When we hear about security flaws like this, it can be very discouraging, but we shouldn’t be scared. Most of the affected companies have been working very hard to get their customers’ data secured once more. In this case, you can look up which websites were affected, and if they’ve already fixed the problem you should change your password, just to be on the safe side. If the website has not been affected, you can rest easy.
That being said, yes, it will happen again. Human errors are inevitable and internet security is very complex, so nothing is completely immune to vulnerabilities. Remember to use discretion, and always be cautious online.