Thursday, April 10, 2014

Heartbleed: The Hack Catastrophe

The news that most websites were hit with a security hack made headlines this week, and there's a couple of layers of bad to report. Not only has the hack been running for years, repairs to patch the hole likely won't help.

I'll let the folks at MIT lay it out:

"A security bug uncovered this week affects an estimated two-thirds of websites and has Internet users scrambling to understand the problem and update their online passwords. But many systems vulnerable to the flaw are out of public view and are unlikely to get fixed.

"OpenSSL, in which the bug, known as Heartbleed, was found, is widely used in software that connects devices in homes, offices, and industrial settings to the Internet. The Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated.

"Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Lieberman. “ISPs now have millions of these devices with this bug in them,” he says."

And, like others, I have to wonder if this security hack originated in operations via national spying agencies. It surely appears the spies were using the bug.

Knox blogger Glenn Reynolds recently suggested 5 changes to privacy laws the nation should adopt. But it seems too little too late. 

If the MIT gang is right, protecting your info may be forever elusive.