Saturday, April 12, 2014

"Heartbleed"

There was a vulnerability recently discovered in a programming tool that exposed two-thirds of all websites to potential hacks. Earlier this week, the New York Times ran a front-page story on the defect, known as "Heartbleed." It was found in an important, widely used programming tool called "OpenSSL."

My first impression when I read the Times article was that the full extent of the "Heartbleed" threat is not known yet. Fallout from the potential threat has been followed throughout this week in the mainstream media. The consensus appears to be that pinpointing where the "Heartbleed" vulnerability was exploited is almost impossible.

At the very least, "Heartbleed" exposed how fragile the infrastructure supporting Web security is. An article in the most recent Wall Street Journal Weekend edition said 11 people, all of whom live outside the US, work on this important piece of the Internet. The foundation the group works under is funded by the US Department of Homeland Security and the Defense Department, the article said.

Whether the US government knew about "Heartbleed" is unclear, as I understand it. A recent article in the Times said the government denied knowing. There was speculation on Twitter that the US may have actually hoped to keep "Heartbleed" secret. Never-exposed vulnerabilities, called "zero-day vulnerabilities," are exploited in cyber-attacks. Some on Twitter said they thought the US government is stockpiling these vulnerabilities. The US and Israel are suspected of using a "zero-day attack" against Iran in 2010, deploying what is called the "Stuxnet" virus.

Twitter has been a pretty good source of news on this topic. This seemed likely at the outset. Internet privacy is technical, new, and opaque, making it hard for reporters to communicate to a wide audience. Some websites have issued statements warning users to change their passwords. I recommend an article by MIT Technology Review for a good description of “Heartbleed” and the websites it could affect.

1 comment:

  1. Just read about this, Angus--hope our site is okay.
