Thursday, May 1, 2014

Many US internet users believe they were hit by Heartbleed

Many Americans scrambled to protect their personal information online after learning of the Heartbleed internet flaw, and some believe their data was stolen, a survey showed Wednesday.

The Pew Research Center report found 39% of US internet users took steps to protect their data such as changing passwords or cancelling accounts.

Six percent of the online users said they believed they lost data as a result of Heartbleed, Pew found.

The Heartbleed flaw, which went undetected for more than two years, let attackers pull chunks of data out of a server's working memory, creating the potential for them to steal passwords, encryption keys or other valuable information.

Most websites patched the flaw as part of a rush to allay concerns about the security of online information.

The Pew survey found mixed views on security of personal information online:

Roughly half (46%) said they believe their information is "somewhat secure," while 23% said their data was "very secure" and 26% "not too secure" or "not at all secure."

The survey found 60% of the American public had heard at least a little about Heartbleed, including 64% of internet users.

Where's the next Heartbleed Bug lurking?

After causing widespread panic and a wave of password changes, the Heartbleed bug has largely disappeared from the news. Yet the implications of the discovery are still being debated across the computer industry. The biggest concern for security experts is how to preempt other flaws lurking in the Internet's infrastructure.

The Heartbleed bug was discovered in early April in a piece of software called OpenSSL, a library widely used to establish encrypted connections between Web browsers and servers and to manage the cryptographic keys involved. OpenSSL is an "open source" project, meaning that the underlying code is published along with the software. It is maintained by a small group of volunteer programmers. The problem is now being recognised by the big software companies that rely on efforts like OpenSSL.
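The mechanism behind the flaw (the pulling of data out of working memory, in the OpenSSL code that handles encrypted connections) is easiest to see in code. The following C program is an added example written for this page, not OpenSSL's own code: it models the TLS heartbeat handler with a vulnerable version that trusts the length field inside the message and a fixed version that bounds that length by the number of bytes actually received, which is the shape of the check added in OpenSSL 1.0.1g. The receive buffer, the stale "secret" left in it, and all function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OpenSSL's code. A heartbeat message on the wire is
 *   1 byte type | 2 byte big-endian payload_length | payload | >=16 bytes padding
 * The number of bytes that actually arrived (rec_len) comes from the TLS
 * record layer, independently of the length field inside the message. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable: echoes back payload_length bytes without checking that
 * that many bytes were received, so memcpy walks off the end of the
 * message into whatever else sits in memory after it. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    (void)rec_len;                          /* the bug: rec_len is never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;       /* only guards our own output buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);  /* over-read of up to 64 KiB */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed: reject a message too short to hold header plus padding, and
 * silently discard any message whose claimed payload does not fit in
 * the bytes that were actually received. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return 0;
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Constructed scenario: a 64 KiB receive buffer in which stale data from
 * an earlier request (a made-up secret string) still sits 300 bytes past
 * the 21-byte heartbeat message that just arrived. */
#define RX_SIZE (64 * 1024 + 64)
static const char SECRET[] = "SECRET:private-key-material";

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Send a request with a 2-byte payload that claims to be 65535 bytes long
 * through the chosen handler. Returns 1 if the secret shows up in the
 * response, 0 if not, -1 on allocation failure. */
int secret_leaks(int use_fixed)
{
    uint8_t *rx = calloc(RX_SIZE, 1);
    uint8_t *out = calloc(RX_SIZE, 1);
    if (!rx || !out) { free(rx); free(out); return -1; }

    memcpy(rx + 300, SECRET, sizeof SECRET);   /* stale data in the buffer */
    rx[0] = HB_REQUEST;
    rx[1] = 0xFF; rx[2] = 0xFF;                /* claims 65535 bytes... */
    rx[3] = 'h';  rx[4] = 'i';                 /* ...but sends 2 */
    size_t rec_len = 3 + 2 + HB_PADDING;       /* 21 bytes actually received */

    size_t n = use_fixed ? heartbeat_fixed(rx, rec_len, out, RX_SIZE)
                         : heartbeat_vulnerable(rx, rec_len, out, RX_SIZE);
    int leaked = contains(out, n, SECRET);
    free(rx); free(out);
    return leaked;
}

/* A well-formed request (claimed length 2, 2 bytes sent) must still be
 * answered by both handlers: 3 header + 2 payload + 16 padding = 21 bytes. */
size_t valid_response_len(int use_fixed)
{
    uint8_t rx[32] = {0};
    uint8_t out[64];
    rx[0] = HB_REQUEST; rx[1] = 0; rx[2] = 2; rx[3] = 'h'; rx[4] = 'i';
    size_t rec_len = 3 + 2 + HB_PADDING;
    return use_fixed ? heartbeat_fixed(rx, rec_len, out, sizeof out)
                     : heartbeat_vulnerable(rx, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", secret_leaks(0));
    printf("fixed handler leaks secret:      %d\n", secret_leaks(1));
    return 0;
}
```

The leaked bytes are whatever happened to follow the message in memory; in a real server that is heap memory recently used by other connections, which is why keys, session cookies and passwords could all come back in the response. Note that the vulnerable handler's only bounds check protects its own output buffer, which is exactly why the bug was invisible to the code that wrote it.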

Last week, the Linux Foundation, which provides support for the popular Linux operating system, launched an effort called the Core Infrastructure Initiative to support small open-source projects. Companies including Google, Amazon, Facebook, IBM, Intel, Cisco, and Dell have so far committed more than $3 million to the effort. A steering committee will try to identify the open-source projects that most need financial support.

"The problem with open source is that you have the 'free rider' problem," says Chris Wysopal, a well-known computer security expert and chief technology officer and cofounder of Veracode, an application-security assessment firm. "People and companies who are using it, and getting huge value out of it, are not giving a lot of money to keep it going."

Even three weeks after the bug was discovered, some laggard businesses are still updating servers, installing new cryptographic certificates, and directing users to reset their passwords. More troubling for experts like Wysopal is that other foundational components of the Internet are, like OpenSSL, small open-source projects.

And it can be difficult to tell which may lack the resources needed to rigorously check their code for security vulnerabilities. Before the Heartbleed bug was discovered, few had heard of OpenSSL or the 11 developers who donate much of their time to the project. The OpenSSL Software Foundation, which handles the commercial contracting for the organisation, employs just a single full-time developer. It received a grand total of $2,000 in donations last year, and it has never taken in more than $1 ..

"There should be at least a half dozen full-time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work," wrote Steve Marquess, the official fundraiser and business contact for the OpenSSL Software Foundation, in a blog post shortly after Heartbleed was disclosed. "If you're a corporate or government decision maker in a position to do something about it, give it some thought. Please."

Marc Maiffret, chief technology officer at Beyond Trust, a security software firm, says other open-source projects face a similar problem. "People assume that just because something is open source there is this magical effort that goes on to find bugs and make it secure. But it usually starts with a couple of people, perhaps it gets popular, and then ends... with a couple of people."

Wysopal of Veracode says the key problem is that there is no way to gauge the importance of different pieces of Internet infrastructure: "If someone wanted to do widespread attacking of lots of sites, which components are on the front of the attack surface?" The challenge of predicting where big vulnerabilities may emerge is compounded by the fact that Internet programmers increasingly assemble their code from a range of third-party components.

In a report released last year, a company called Aspect Security found that 26 percent of the libraries downloaded for use in applications had known vulnerabilities. "The problem is there are so many components that the software stack depends on," says Jeff Williams, cofounder and CTO of Aspect. "The Internet is a haystack full of needles."