I’m cool, right?
I mean, I know this Heartbleed bug, a flaw in OpenSSL, the encryption library running under most of the web rather than in your browser, has a big scary icon with blood dripping from a heart, and people are freaking out left and right about whether they’re supposed to change their passwords or WAIT to change their passwords or just stay away from the Internet altogether for a few days and crawl into that bunker where we’ve stashed automatic rifles and cans of pork and beans.
But really, how terrified should I actually be? Most of the news reports presume that you’re already in full-blown panic mode about Heartbleed, a pernicious bug that basically means we can no longer trust that Facebook is actually Facebook and not some jerk teenager who broke into Facebook and is pretending to be Facebook so he can watch you type in your password and then steal it and then post embarrassing photos of yourself on your own wall. They presume you’re actually concerned about having your password stolen, even though at least a few of you have stepped away from Buzzfeed long enough to yawn and shrug and figure that probably nothing bad will really happen—at least, not to me.
Someone grabs my credit card info and buys a couple iPads, fine. I’ll dispute the charges and get a new card and life goes on. Someone hacks my Twitter? Whatevs. They’ll send out a few obviously fake links to a few of my followers and I’ll figure it out soon enough and life goes on.
But here’s the thing about Heartbleed: it’s really super awful—potentially. And neither changing every password you can possibly change nor crawling into a bunker and stuffing your face with pork and beans will save you, or any of us.
Yes, we do in many ways live in kind of a cybersecurity gilded age. Gone, mostly, are the days when having your identity stolen means weeks or months of screaming at people who work for collections agencies, or banging your head against the walls of credit agencies that left indelible scars on your score. But the problem with Heartbleed, say privacy and security experts, is that way more people are way more exposed than they’ve ever been.
“Your imagination is really the limit here,” says Brian Krebs, a journalist and security expert who penned a helpful guide to mitigating Heartbleed at his blog. “I just did an interview with a guy who had his taxes filed by a fraudster, who requested his refund be sent to a prepaid card and an address that wasn’t his. They also got access to his employer’s benefits records, stole his dependents’ information and started filing tax returns on them too. That’s a nightmare scenario, right there.”
And what if a Heartbleed hacker starts going after admins? Pilfering the passwords of human resources departments and massive companies, unlocking sensitive information about huge swaths of people? What if they don’t just buy a few things with your existing credit cards but open up entirely new lines of credit in your name, that you don’t find out about until your unpaid bills wind up at a collection agency? What about these clouds we keep all our pictures and music in? What if someone pops into one of those databases and drops some cyber-napalm on the whole thing, erasing our most precious of memories? What if they start breaking into your email account, which is basically a skeleton key of information, when you think about the fact that password resets are readily and easily shipped off to whatever email address you used the first time you established any online account?
“This is front-page news for a good reason,” Krebs says. “It’s a very serious problem, and it impacts a ridiculous number of people.”
As in, hundreds of millions of people, on two thirds of the websites that use encryption.
So yes, run, flee, figure out whether the sites you use are actually vulnerable, but before changing your password make sure those sites have actually fixed the problem and then change your password and go back to Game of Thrones. You’re cool.
Except, you’re not. Because the cybercat is already out of the bag.
See, Heartbleed didn’t just temporarily drop all these websites’ individual force fields for however long it takes all these website administrators to patch OpenSSL. Heartbleed could expose the sites’ own private keys, the secret half of the certificate that proves a site is who it says it is, allowing clever hackers to steal them and completely cloak themselves in that website’s visage. So yeah, maybe a website patches itself and then warns everyone to change their individual passwords, but that jerk teenager has in the meantime stolen the master code, says Yan Zhu, staff technologist at the Electronic Frontier Foundation. The padlock returns, the password has changed, but a rat is hiding inside the vault.
“Now, someone can use that power and pretend to be banks, pretend to be eBay, pretend to be Yahoo Mail,” Zhu said. “This is a very difficult problem.”
And what’s scary is this: no one really knows whether anyone has any of these private keys. Some hackers have claimed they snagged some keys, Zhu tells Newsweek, but there’s no proof.
“The problem is, these keys are very difficult to replace in the real world,” Zhu said. “If you lose one, you have to go buy a new one and update your website. It’s often a very complicated process. For smaller websites, people might not know how to do that.”
Some companies will assume their keys have been stolen, generate a new key and get a new certificate for it, which they have to do every few years anyway or you’ll get one of those funny error messages asking if you still “trust” a website because its certificate has expired. (Getting a new certificate for the same old key fixes nothing; the thief still has the key.) But if a thief stole the old key, they can still hop onto a public wireless network or into your service provider and pretend to be Bank of America for as long as the old certificate is valid. Revoking that certificate is supposed to stop this, but browsers are notoriously lax about checking revocation, so in practice you’ll get no error message. Change your password every five minutes. It doesn’t matter. It’s like in a crime thriller, where a blubbering victim calls 911, only the bad guys have the line hacked and they send an ambulance full of assassins.
“On the web, there’s no good way for sites to tell users their private key has been lost,” Zhu said. “The user doesn’t know what key is the right one, so all they know is at some point Bank of America at one point showed them a valid key, and they keep seeing that same key.”
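A check a site operator (or a suspicious user with the certificate in hand) can script for the problem Zhu describes, added here as an example and not part of the original article: walk the certificate’s DER encoding, pull out its notBefore date and its public key, and compare both against the Heartbleed disclosure date and a fingerprint recorded earlier. Hashing the public key separately is the point: a certificate dated after the disclosure proves nothing if it was reissued for the same key. The certificates the demo parses are constructed with a tiny DER encoder (subject toy-bank.example, zeroed signature bytes), but the parser is the X.509 walk a real certificate goes through, using only the standard library.

```python
import hashlib
from datetime import datetime, timezone

# OpenSSL 1.0.1g and the public disclosure both landed on 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Single-byte tags only, which covers every element of the X.509 outer structure."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ (X.509: 50-99 -> 19xx, 00-49 -> 20xx)
        fmt = "%y%m%d%H%M%SZ"
    elif tag == 0x18:                       # GeneralizedTime YYYYMMDDHHMMSSZ
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Walk Certificate -> tbsCertificate; return (notBefore, subjectPublicKeyInfo DER bytes)."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE (first element)
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                         # version [0] EXPLICIT is optional (absent in v1 certs)
        pos = nxt
    for _ in range(3):                      # serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, pos = _read_tlv(tbs, pos)  # validity ::= SEQUENCE { notBefore, notAfter }
    tag, not_before_raw, _ = _read_tlv(validity, 0)
    _, _, pos = _read_tlv(tbs, pos)         # subject Name
    spki_start = pos
    _, _, pos = _read_tlv(tbs, pos)         # subjectPublicKeyInfo (algorithm + public key bits)
    return _parse_time(tag, not_before_raw), tbs[spki_start:pos]


def assess(der, pinned_key_sha256=None):
    """The two questions a Heartbleed-era user wanted answered: new cert? new key?"""
    not_before, spki = parse_cert(der)
    key_fp = hashlib.sha256(spki).hexdigest()
    return {
        "cert_sha256": hashlib.sha256(der).hexdigest(),
        "key_sha256": key_fp,
        "not_before": not_before,
        "issued_after_disclosure": not_before >= HEARTBLEED_DISCLOSED,
        # A fresh certificate wrapping the old key leaves the thief's stolen copy fully usable.
        "key_rotated": None if pinned_key_sha256 is None else key_fp != pinned_key_sha256,
    }


# --- constructed demo certificates (DER structure is real; signature bytes are zeros) ---

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _utctime(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_toy_cert(not_before, not_after, public_key_bytes):
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    rsa_enc = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, b"toy-bank.example"))))
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                              # v3
    serial = _tlv(0x02, b"\x01\x02\x03\x04")
    validity = _tlv(0x30, _utctime(not_before) + _utctime(not_after))
    spki = _tlv(0x30, rsa_enc + _tlv(0x03, b"\x00" + public_key_bytes))    # BIT STRING, 0 unused bits
    tbs = _tlv(0x30, version + serial + sha256_rsa + name + validity + name + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" + bytes(32)))  # fake signature


def demo():
    """Old cert from 2013, then two post-disclosure reissues: one keeps the key, one rotates it."""
    utc = timezone.utc
    old = build_toy_cert(datetime(2013, 6, 1, tzinfo=utc), datetime(2015, 6, 1, tzinfo=utc), b"\x01" * 32)
    pinned = assess(old)["key_sha256"]     # fingerprint a client recorded before Heartbleed
    same_key = build_toy_cert(datetime(2014, 4, 10, tzinfo=utc), datetime(2016, 4, 10, tzinfo=utc), b"\x01" * 32)
    new_key = build_toy_cert(datetime(2014, 4, 10, tzinfo=utc), datetime(2016, 4, 10, tzinfo=utc), b"\x02" * 32)
    return {"old": assess(old, pinned), "reissued_same_key": assess(same_key, pinned),
            "reissued_new_key": assess(new_key, pinned)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Against a live site the DER bytes would come from `ssl.get_server_certificate` plus `ssl.PEM_cert_to_DER_cert`; the pinned key fingerprint is whatever you recorded before 7 April 2014, which is exactly the record Zhu says ordinary users never have.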
If that makes you feel a little helpless, it’s understandable. Hackers make full-time jobs of stealing our data, and no matter what steps either individuals or corporations take to protect it, there’ll always be a new vulnerability around the corner.
“Breaches are the third certainty in life,” Adam Levin, chairman and founder of Identity Theft 911, tells Newsweek. “There have been over 1 billion files since 2005 improperly accessed. We’re operating in a post-privacy environment. It can happen, it will happen.”
That’s why Levin recommends “breach response plans”: you plot not for how to stop a hack, but what to do once it happens. Individuals should race to check their credit reports, ask credit bureaus to place fraud alerts on their accounts and freeze them. Companies should have a long set of procedures in place, outlining how to notify customers there’s been a breach, how to shore up the data once it’s exposed and how to refortify the firewall after an invading army has climbed atop it. Expect a run on hiring for chief privacy and information security officers.
“We have to focus on monitoring and damage control more than ever before,” Levin said. “What is your disaster recovery plan, if you’re a company operating online?”
Target, for example, handled the breach of its customers’ credit card information poorly, Levin notes. “They did a number of the right things, but in a time frame that didn’t work. Consumers started to feel like you had to drag the information out of the people at Target. Plus, they tried to set up their own response and people were sitting on hold for hours,” he said. “It was killing their brand loyalty.” When Kickstarter discovered its database had been hacked, on the other hand, “they responded immediately.”
What would be ideal is some kind of a national protocol for such cyber breaches, Levin argues. Some states mandate immediate notification to consumers of a breach, but there’s no such policy at the federal level.
Another critical next step, adds Zhu, is a fairly simple one: turn on a property known as Perfect Forward Secrecy on your site. An option in most encryption stacks (it means negotiating a fresh, throwaway key for every connection instead of deriving sessions from the site’s long-term key), it ensures that if a site’s key is stolen, the thief cannot decrypt traffic that was recorded in the past. The stolen key still lets them impersonate the site going forward, but it no longer unlocks everything that came before.
“Most people didn’t know you could choose cryptographic systems with that property,” Zhu said. “Or they assumed it might slow things down. Usually it’s just a flip of a switch.”
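A toy model of the switch Zhu is talking about, added here as an example and not part of the original article or of any real TLS implementation: the same long-term server key used two ways, with an attacker who recorded a handshake and later stole that key. Assumptions: the group is a small Mersenne prime with generator 3, chosen for readability and not secure; the “static” handshake stands in for TLS RSA key transport, which has the same weakness (the session key is derivable from the long-term key); the HMAC tag stands in for the signature a real server makes with its certificate key. Everything is standard library.

```python
import hashlib
import hmac
import secrets

# Toy group: p = 2^127 - 1 (a Mersenne prime), generator 3. Readable, NOT secure;
# real TLS uses 2048-bit+ finite-field groups or elliptic curves.
P = (1 << 127) - 1
G = 3


def _rand_exp():
    return secrets.randbelow(P - 2) + 2


def _kdf(shared_secret):
    """Derive a session key from a group element (all values are < 2^127, so 16 bytes)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def auth_tag(long_term_priv, ephemeral_pub):
    """Stand-in for the server signing its ephemeral value with its certificate key."""
    return hmac.new(long_term_priv.to_bytes(16, "big"), ephemeral_pub.to_bytes(16, "big"), "sha256").digest()


def handshake_static(server_priv):
    """No forward secrecy: the server's long-term key IS the key-agreement key.
    Returns (session_key, what an eavesdropper on the wire can record)."""
    server_pub = pow(G, server_priv, P)          # the value published in the certificate
    x = _rand_exp()
    client_share = pow(G, x, P)
    client_key = _kdf(pow(server_pub, x, P))
    server_key = _kdf(pow(client_share, server_priv, P))
    assert client_key == server_key
    return client_key, {"client_share": client_share}


def handshake_ephemeral(server_priv):
    """Forward secrecy: fresh exponents per session; the long-term key only authenticates."""
    x, y = _rand_exp(), _rand_exp()
    client_share, server_share = pow(G, x, P), pow(G, y, P)
    tag = auth_tag(server_priv, server_share)    # client checks this against the site's certificate key
    client_key = _kdf(pow(server_share, x, P))
    server_key = _kdf(pow(client_share, y, P))
    assert client_key == server_key
    del x, y                                     # both sides discard the ephemerals after the handshake
    return client_key, {"client_share": client_share, "server_share": server_share, "tag": tag}


def attacker_recovers_static(recorded, stolen_priv):
    """Recorded static handshake + stolen long-term key = the session key. Old traffic is readable."""
    return _kdf(pow(recorded["client_share"], stolen_priv, P))


def attacker_attempt_ephemeral(recorded, stolen_priv):
    """Without x or y, the best the attacker can do is mix the stolen key with a share; that is not g^(xy)."""
    return _kdf(pow(recorded["server_share"], stolen_priv, P))


def attacker_forges_tag(recorded, stolen_priv):
    """What the stolen key still buys: authenticating as the site, i.e. impersonation going forward."""
    return auth_tag(stolen_priv, recorded["server_share"]) == recorded["tag"]


if __name__ == "__main__":
    site_key = _rand_exp()                       # the key Heartbleed could have leaked
    k, rec = handshake_static(site_key)
    print("static: recorded session decrypted with stolen key:", attacker_recovers_static(rec, site_key) == k)
    k, rec = handshake_ephemeral(site_key)
    print("ephemeral: recorded session decrypted with stolen key:", attacker_attempt_ephemeral(rec, site_key) == k)
    print("ephemeral: stolen key still lets attacker impersonate site:", attacker_forges_tag(rec, site_key))
```

The ephemeral case is the one Zhu calls a flip of a switch: in OpenSSL-based servers it is the difference between offering only RSA key-exchange cipher suites and offering the ECDHE/DHE suites, and the long-term key does the same authentication job either way.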
Terrified yet? Consider another wrinkle: Heartbleed has been sitting in OpenSSL for two years. That entire time, two thirds of encrypted websites could have had hackers parked inside of them, lapping up Social Security numbers like a pig in a trough.
So, obviously I’m not cool, and neither are you. This is the virtual equivalent to the whole world leaving its front door unlocked. Maybe no one will walk in and steal our PlayStation 3s. Maybe there are already four hackers hiding in the shower.