By Naomi Dolin-Aubertin
I come to you today with updates on the Heartbleed bug because, as a company, we believe that this information is important. So feel free to skip to the more interesting bits if you've been reading about this all week.
By now (hopefully) you all know that you need to change your passwords on a slew of websites. What you may not have heard is the depth and breadth of what Heartbleed exposed to hacking. It is not only passwords that could be gathered through Heartbleed, but also the servers' encryption keys. If a hacker obtained one of these keys, it unlocks all the data on those servers until the keys are changed, and it also leaves them able to "translate" any old encrypted data they might have gotten their hands on before.
Another thing you should be aware of is that any smartphones or tablets running Android version 4.1.1 Jelly Bean were affected by the bug. About 34% of Android devices run this software. You can check your phone by going to the Settings menu and choosing the About Phone section. There you can see which software version you are running and whether updates are available.
Whether or not the NSA knew about the Heartbleed bug in advance of the rest of us remains up in the air. It's a distinct possibility since "the NSA could have collected information like passwords and private communications from hundreds of thousands of websites, since Heartbleed is a bug in the popular open-source encryption software OpenSSL, used to secure data flowing from users' computers to hundreds of thousands of websites, including Gmail and Facebook. Almost two-thirds of all sites on the Internet use OpenSSL, according to estimates, making this bug possibly one of the most dangerous the Internet has ever seen and potentially allowing the NSA to access information on millions of users." [1]
However, "the NSA could have left the door open for other intelligence agencies across the world to exploit Heartbleed, provided they found the bug. This revelation also seems to contradict one of the NSA's core missions, which is protecting and defending American cybersecurity." [2] I highly doubt we'll ever get a straight answer.
The reason this is so important is the rise in cybercrime. "Unique phishing attacks numbered 115,565 in the second half of 2013, down 6 percent from the second half of 2012, when 123,486 attacks were reported, according to figures the Anti-Phishing Work Group released last week." [3] When news of the bug was first released, cybercriminals and the operators of affected and potentially affected websites raced against the clock, the latter trying to close the gap before the former could exploit it. Here you can find a beautifully rendered real-time Cyberthreat Map, which makes cybercrime look far prettier and more enticing than it really should: http://cybermap.kaspersky.com/#.