From an e-commerce perspective, the software flaw known as “Heartbleed,” a bug in the widely used OpenSSL encryption library that lets an attacker read chunks of a web server’s memory, including the keys and data behind supposedly secure credit-card transactions, is probably the most serious security menace yet to the Internet. Accordingly, this threat demands effective and timely countermeasures by the federal government.
The “Heartbleed” problem was revealed last week, but Bloomberg News reports that the National Security Agency knew about the flaw two years ago and kept mum. Experts believe other sophisticated hackers have also known about the bug for a while, though there are no reports of harm yet.
However, the latest estimates say that countering “Heartbleed” will require changes to hundreds of thousands of websites. Each must install the corrected OpenSSL software and then, because the flaw can expose a server’s private encryption key, revoke and reissue its security certificates, a process that could clog the Internet for weeks.
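To make concrete what the flaw is, here is an added illustration, not code from this article or from OpenSSL itself: a cut-down model of the TLS heartbeat handler in which a peer sends a record declaring a payload length and expects that payload echoed back. The record layout follows RFC 6520; the secret string and the malicious request are constructed for the demonstration, and the “server memory” is a single local buffer so the over-read stays inside a valid object.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed secret placed directly after the incoming record, standing in
 * for whatever happened to sit next to it in a real server's heap. */
static const char SECRET[] = "session=9f3a; card=4111-xxxx-xxxx-1111";

/* Vulnerable echo: trusts the peer-supplied payload_length.
 * Returns bytes written to out, or 0 if the request is dropped. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* big-endian length */
    if (3 + payload + HB_PADDING > out_cap)            /* guards only the reply buffer */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* over-reads when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING); /* zero padding (simplified) */
    return 3 + payload + HB_PADDING;
}

/* Fixed echo: adds the one check the patched OpenSSL introduced, that the
 * declared payload plus mandatory padding fits inside the record that
 * actually arrived. A malformed request is silently discarded. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + HB_PADDING > rec_len)   /* the missing bounds check */
        return 0;
    /* Once the length is validated the copy itself is safe. */
    return heartbeat_vulnerable(rec, rec_len, out, out_cap);
}

/* Builds a constructed slab of "server memory": a malicious heartbeat
 * request claiming 64 bytes of payload but carrying only 2, immediately
 * followed by SECRET. Returns the length of the record really received. */
size_t build_arena(uint8_t *arena, size_t cap)
{
    size_t rec_len = 3 + 2 + HB_PADDING;   /* 21 bytes on the wire */
    if (cap < 128)
        return 0;
    memset(arena, 0, cap);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00;
    arena[2] = 0x40;                       /* claims a 64-byte payload */
    arena[3] = 'h';
    arena[4] = 'i';                        /* padding after this is zeros */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Does a reply contain the secret? Naive substring search. */
int leaks_secret(const uint8_t *buf, size_t n)
{
    size_t m = strlen(SECRET);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, SECRET, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    uint8_t arena[128], out[256];
    size_t rec_len = build_arena(arena, sizeof arena);
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: replied %zu bytes, secret leaked: %s\n",
           n, leaks_secret(out, n) ? "yes" : "no");
    n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed: replied %zu bytes (0 = request discarded)\n", n);
    return 0;
}
```

The vulnerable handler answers the 21-byte request with an 83-byte reply that carries the secret; the fixed handler drops the same request and still echoes a well-formed one. Nothing about the exchange is visible to the server’s logs, which is why patching, not monitoring, is the remedy.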
Until Congress and the information technology industry get serious about setting some legal standards for Internet security, the troubles that arise from “Heartbleed” are only likely to get worse. The Obama administration said last week that businesses sharing information on web attacks and vulnerabilities will not be charged with antitrust violations. That’s a useful step, but hardly the solution the nation needs.
Luckily, the “Heartbleed” flaw in the encryption software used for secure Internet transactions reportedly does not affect government sites or banks. And popular Internet sites like Facebook, Dropbox, OKCupid and Netflix have fixed the bug or are fixing it, according to The Washington Post.
But hundreds of thousands of other websites that use the same secure transaction software still have work to do.
Though individuals may be asked by companies they have done business with to change their passwords, experts warn that doing so prematurely may simply hand the new password to hackers: a password typed into a site that has not yet been patched can be read out of that server’s memory just as the old one could. So wait until you know that a vendor has successfully fixed the bug before changing your password there.
“Heartbleed” is just one example of the myriad software vulnerabilities that crop up with every new software release. Such flaws are called “zero days” when attackers learn of them before the software’s makers have had any time, zero days, to fix them; once publicly identified they must be patched immediately to avoid exploitation by hackers.
Until recently the NSA avidly exploited “zero day” defects to build its offensive cyber capabilities. The New York Times reports that it used four such defects to attack Iran’s nuclear enrichment program, causing as many as 1,000 centrifuges to shatter.
In January, however, President Obama directed the NSA to see that such flaws are fixed immediately unless national security circumstances dictate otherwise.
The risk in letting “zero day” defects like “Heartbleed” go unfixed for extended periods is that other entities – including foreign governments and criminal hackers – might also discover and exploit them.
The “Heartbleed” fiasco tells us that the nation is not paying enough attention and devoting enough resources to cyber security.
When major national infrastructure like the electrical grid, as well as tens of billions of dollars of e-commerce, depends on the Internet, such inattention is inexcusable.