The Heartbleed bug dilemma: Disclosing a web problem also means alerting hackers
Online Security Breach
The Heartbleed software bug is not only one of the most serious online security vulnerabilities in recent memory, it has also demonstrated how difficult it is for websites to tell their customers whether or not they are at risk.
The Heartbleed revelation “happened very rapidly, and it happened on such a big scale, that some sites have handled it better than others,” says Eric Skinner, vice-president of market strategy for the Tokyo-based internet security firm Trend Micro.
When to disclose?
“This is a classic problem with computer security vulnerabilities, which is: When do you disclose? How do you disclose?” he says. “Because when you disclose, you’re obviously giving people an opportunity to fix the problem, but you’re also providing hackers with an opportunity to exploit the problem.”
The Heartbleed bug was revealed on April 7, 2014 by Google and the Finnish security firm Codenomicon, and affects OpenSSL, the open-source library that a large share of servers use to implement the SSL/TLS encryption of internet traffic. It has been estimated that two-thirds of web servers run OpenSSL; of those, the ones running the affected releases (OpenSSL 1.0.1 through 1.0.1f) with the TLS heartbeat extension enabled were vulnerable.
Loss of financial information, without leaving a trace
Security researchers say the flaw lets an attacker read small chunks of a server's memory at a time (up to 64 KB per request) that can contain passwords, session cookies, private keys and other personal and financial information handled by a website, and that these reads leave no trace in ordinary server logs. The Heartbleed flaw is particularly risky for sites that handle e-commerce or
The Heartbleed bug exploits a vulnerability in a version of the OpenSSL security software code that is installed on two-thirds of the active servers connected to the internet. (Sean Gallup/Getty)
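To show the mechanism the paragraph above describes, here is an added C simulation; it is not OpenSSL's code and not part of the CBC article. It puts a heartbeat handler that trusts the peer's length field, the way the defective OpenSSL function did, beside one that carries the bounds check of the upstream fix. The memory arena, the two-byte request with a forged length of 64, and the session cookie sitting just past the record are all constructed for the example; in a real process the over-read returns whatever happens to follow the record on the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated server memory (constructed for this example): the incoming TLS
 * heartbeat record sits at the start of the arena and unrelated data, here a
 * fake session cookie, sits in the bytes right after it. */
#define ARENA_SIZE 128
#define HB_REQUEST 1
#define HB_PADDING 16
#define HB_HEADER 3             /* 1 byte type + 2 byte payload length */

struct server_mem {
    unsigned char arena[ARENA_SIZE];
    size_t record_len;          /* length of the record actually received */
};

/* Lay out a heartbeat request whose header claims `claimed_len` payload bytes
 * but actually carries `actual_len`, followed by a secret "heap neighbour". */
static void setup_memory(struct server_mem *m, uint16_t claimed_len,
                         const char *payload, size_t actual_len,
                         const char *secret)
{
    memset(m->arena, 0, sizeof m->arena);
    m->arena[0] = HB_REQUEST;
    m->arena[1] = (unsigned char)(claimed_len >> 8);
    m->arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(m->arena + HB_HEADER, payload, actual_len);
    m->record_len = HB_HEADER + actual_len + HB_PADDING;
    memcpy(m->arena + m->record_len, secret, strlen(secret));
}

/* Vulnerable handler, modelled on the CVE-2014-0160 defect: it echoes back as
 * many bytes as the peer's length field claims without checking that claim
 * against the received record. The ARENA_SIZE guard only keeps this simulation
 * within defined behaviour; OpenSSL read straight off the heap. */
static int heartbeat_vulnerable(const struct server_mem *m,
                                unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = m->arena;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (payload > resp_cap || (size_t)HB_HEADER + payload > ARENA_SIZE)
        return -1;                           /* simulation guard only */
    memcpy(resp, p + HB_HEADER, payload);    /* reads past the record */
    return (int)payload;
}

/* Hardened handler with the check the upstream fix added: header, claimed
 * payload and padding must all fit inside the record that was received. */
static int heartbeat_fixed(const struct server_mem *m,
                           unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = m->arena;
    if (m->record_len < HB_HEADER + HB_PADDING) return -1;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > m->record_len) return -1;
    if (payload > resp_cap) return -1;
    memcpy(resp, p + HB_HEADER, payload);
    return (int)payload;
}

/* Small memmem: does the response contain the secret? */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    if (k == 0 || n < k) return 0;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* Malicious request: 2 real payload bytes, claimed length 64. Returns 1 if
 * the vulnerable handler leaked the cookie and the fixed handler refused. */
static int demo(void)
{
    static const char secret[] = "session=a1b2c3d4";   /* constructed */
    struct server_mem m;
    unsigned char resp[ARENA_SIZE];
    setup_memory(&m, 64, "hi", 2, secret);

    int n_vuln = heartbeat_vulnerable(&m, resp, sizeof resp);
    int leaked = n_vuln > 0 && contains(resp, (size_t)n_vuln, secret);
    int n_fixed = heartbeat_fixed(&m, resp, sizeof resp);
    printf("vulnerable: %d bytes returned, cookie leaked: %s\n",
           n_vuln, leaked ? "yes" : "no");
    printf("fixed: %d (request rejected)\n", n_fixed);
    return leaked && n_fixed == -1;
}

/* A well-formed request (claimed length equals the payload) still passes the
 * hardened handler and is echoed back intact. Returns 1 on that outcome. */
static int demo_benign(void)
{
    struct server_mem m;
    unsigned char resp[ARENA_SIZE];
    setup_memory(&m, 2, "hi", 2, "session=a1b2c3d4");
    int n = heartbeat_fixed(&m, resp, sizeof resp);
    return n == 2 && memcmp(resp, "hi", 2) == 0;
}

int main(void) { return (demo() && demo_benign()) ? 0 : 1; }
```

The point of the comparison is that the only difference between the two handlers is one length check, and that nothing in the vulnerable path fails or logs: the request is syntactically valid, the response is a normal heartbeat reply, and the server has no record that the 64 echoed bytes included anything beyond the two it was sent.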
Amazon said it wasn’t affected by the bug, while AOL said it was not running the affected version of OpenSSL. It took Apple almost three days before issuing a statement on Thursday that none of its mobile, desktop or web services were affected by the Heartbleed bug.
“The nature of the vulnerability here is you don’t know if there’s a breach or not,” he says.
Google, for example, made its statement after patching its vulnerabilities. In a statement released Apr. 9, Google said, “We fixed this bug early and Google users do not need to change their passwords.”
Heavy fines for non-disclosure
The Canadian government, however, is in the process of introducing a bill that would levy heavy fines on companies that do not report data breaches.
1. Do you agree that all security breaches should be disclosed to the public, even if the problem is quickly solved?
2. Is eCommerce safe, when hackers are able to obtain information without leaving a trace?
3. Are our computer software designers not doing a good job in designing safe software?
The complete article was written by Andre Mayer, CBC News.