The problem with websites…
You can be anywhere in the world and people can still break in. This applies to houses, cars and other locked places – including websites. Of course websites don’t have locks like doors. But they do have sophisticated security. Like any security, software can be broken into. Usually people can break into servers because there is a software vulnerability. The problem is these flaws are not visible. You have to know they are there to exploit them.
Software vulnerability – the problem
In most cases even the programmers don’t realise their software is flawed. If they knew there was a software vulnerability they would have “patched” it – made a fix for it. Unfortunately the public only find out about flaws when they become a problem. The problem arises when the discovery is made by a criminal or a hacker. They exploit the flaw for illegal gain. These exploits sometimes mean thousands of people have their passwords stolen, or accounts compromised. Often it involves finances, personal information or details of a sensitive business nature. People’s lives, financial security and personal data may be compromised.
Building a computer application is complex. In most cases the software takes months or years of coding. Completing an application means many versions. Lots of people are involved. There are many techniques and skills needed. There is always potential for mistakes. Software vulnerability is actually quite common. Those mistakes are found more regularly than the public realise.
Companies often find software vulnerabilities and flaws in their own software in routine work. Bugs, errors and slight malfunctions all lead them to discover issues. These are fixed routinely. You probably update your computer. Well, these “updates” are normally bug fixes and security patches. You have to load these “updates” regularly. Often there are many fixes in each. Sometimes the fixes themselves contain flaws. The sheer complexity of software creates these problems. There is an almost infinite cycle of flaw and fix in software.
Criminals are a different kind of force. Company programmers fix problems that come up; in most cases they don’t hunt them down. Criminals, however, do hunt down these software vulnerabilities to exploit them. They keep them secret so they can use them covertly for as long as possible. Once the word gets out, the “patches” start being made. When the problems get fixed the criminal loses income.
The “Heartbleed Bug” is the latest software vulnerability to hit the Internet. It is a vulnerability in OpenSSL, a security library that implements an Internet-standard protocol (SSL/TLS). It’s used globally.
The Heartbleed Bug is something called a “buffer overflow”. This is where there is left-over space in data or transmissions. This empty space can be used by criminals to send or receive data or code to compromise servers. Control code can be sent to the server and sensitive data retrieved, and none of it is detectable. The Heartbleed software vulnerability was introduced in 2012 in an update to an existing standard. Here is a detailed technical explanation of the Heartbleed Bug.
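To make the “left-over space” idea concrete, here is an added illustration, not part of the original article and deliberately a toy rather than OpenSSL’s own code: a heartbeat-style handler that trusts the length field inside a request, beside the bounds check that fixes it. The record layout, the handler names and the sample memory contents are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Toy record layout (constructed for this example, not the real TLS format):
 * [type:1][payload_len:2, big-endian][payload...]                          */
#define SLOT_SIZE 64

/* Vulnerable handler: trusts the length field inside the record and echoes
 * that many bytes, even if the record actually received was shorter.       */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                               /* real length is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return 0;         /* only the output is checked */
    memcpy(out, rec + 3, payload_len);           /* over-reads adjacent memory */
    return payload_len;
}

/* Fixed handler: the claimed payload must fit inside the bytes received.   */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 3) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len + 3 > rec_len) return 0;   /* the missing check */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Constructed memory: a 5-byte record (claims 16 payload bytes, carries 2)
 * followed immediately by unrelated data that should never be sent out.   */
static const unsigned char sample[SLOT_SIZE] =
    "\x01\x00\x10" "hi" "SECRET-DATA-NEARBY";

/* 1 if the vulnerable handler's reply carries bytes from beyond the record. */
int vulnerable_leaks_adjacent_data(void)
{
    unsigned char out[SLOT_SIZE] = {0};
    size_t n = heartbeat_vulnerable(sample, 5, out, sizeof out);
    return n == 16 && memcmp(out + 2, "SECRET", 6) == 0;
}

/* 1 if the fixed handler refuses the same over-long length claim. */
int fixed_rejects_oversized_length(void)
{
    unsigned char out[SLOT_SIZE] = {0};
    return heartbeat_fixed(sample, 5, out, sizeof out) == 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the bytes actually received; that is the kind of one-line check whose absence the article describes.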
The lesson for the public
What this means for you and me is simple. Our passwords, accounts, information – whatever we hold on Internet-based servers is vulnerable. Always. It may be happening now. It has happened recently with the Heartbleed Bug. Many large and popular websites have been compromised by this bug.
At any time software vulnerability exploits can be discovered and our personal worlds can be rocked. Identity theft, damaged finances and the release of personal information can all follow, and personal files can be exploited or destroyed. We cannot tell when it will happen, or how. But it’s always possible. It is also probable. One day a software vulnerability will affect you.
There are three lessons to take away from this…
- Change your passwords regularly. It minimizes the risk of illegal access to your accounts and files.
- Protect your data. Use secure connections. Use only well known websites and reputable companies. Minimise personal data you put on websites – even if secure.
- Update your own computer regularly to protect against known software vulnerabilities.
It is a fact of life that software vulnerability can create access to secure locations – anywhere. This access can be used by anyone who knows about it. So this is a problem that reaches beyond our personal files and data.
The lesson about Government
We know that criminals are culpable in software vulnerability cases. We have numerous examples. Data has been stolen, computer systems compromised and criminal activities have taken place. Beware the criminal. But the problem goes deeper. In a way it is more sinister.
The Heartbleed Bug has been around since 2012. Of course in most cases such software vulnerability is addressed as soon as it is discovered. However, one of the big issues to come out of the Heartbleed affair is that the U.S. National Security Agency (NSA) knew of this bug and allegedly exploited it. Initially they declined to comment. However, after the Heartbleed Bug was made public it has become clear that the agency did know of it.
Agencies like the NSA routinely use exploits like Heartbleed to spy on and monitor the “enemy”. We would expect that. However, an exploit of this magnitude is a huge security flaw. The Heartbleed Bug is reputed to be a security flaw in as many as two thirds of the world’s servers. It creates a dilemma.
A national agency has responsibility for protecting the nation from enemy action. It also has a responsibility for protecting its citizens. A security vulnerability that opens up such a huge hole in Internet security is a problem of vast magnitude. Literally millions of citizens of the US and allied countries were vulnerable to this bug. That includes the possibility that citizens could be attacked by criminals and foreign governments. Not just private citizens could be attacked, but critical personnel too. The good judgement of an agency should be questioned when it compromises the information safety of millions for the ability to spy on a few.
We have an expectation that our governments should take protective action when a threat is detected. The NSA have undermined that trust. They deliberately left most of the population vulnerable and took no action. It raises questions about the accountability and judgement at senior levels of the NSA and similar agencies. I am certain that the UK and other government agencies are equally at fault if not involved.
Software vulnerability is a problem that needs fixes
But software vulnerability also creates enemies. In this case criminals, terrorists and Governments have, by action or inaction, become our personal enemy.
Personally we should be vigilant about our privacy and security. We should also be mindful of the dangers of arrogant Governance. We should regularly question whether government can really be relied upon to protect our privacy and ultimately our security.