TORONTO – It is still unknown what the repercussions will be for users affected by the Heartbleed bug that may have put millions of passwords, credit card numbers and other personal information at risk.
But the fallout from the major security flaw may result in changes to the way security audits are performed on open-source software.
Chris Parsons, a post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs, said that there has been an increased call for outside security audits of OpenSSL, the cryptographic library affected by Heartbleed.
“Researchers have been grumbling that OpenSSL and other highly-relied upon security libraries need to be subject to more ‘forensic audits’ by professionals to identify and patch flaws before they are exploited in the wild,” he said.
Heartbleed was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.
The flaw affects OpenSSL – a widely used open-source set of libraries for encrypting online services.
Heartbleed opens a hole in OpenSSL’s implementation of SSL/TLS, the encryption technology marked by the small, closed padlock and “https:” in Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even when the padlock is closed.
What makes it more frightening is that attackers could also grab the private keys used to decipher encrypted data, and do so without leaving any trace of ever having been there.
“This is probably one of the more devastating kinds of security vulnerabilities that comes up and it’s because it’s a very commonplace implementation error,” said Parsons.
Part of this is due to the small number of people working on OpenSSL.
According to a report by the Wall Street Journal, OpenSSL is managed by only four core programmers.
The cybersecurity expert added that other vulnerabilities could still be lurking in OpenSSL.
“The team that works on OpenSSL is very small and they do very good work, but there are a lot of lines of code and this was exploiting a very small piece of the OpenSSL package,” he said.
“It’s entirely possible that there may be other flaws in OpenSSL libraries.”
Fallout may spark more interest in specialized security services
Users may also be tempted to look at new security measures in light of Heartbleed.
“The discovery of this flaw has likely made people feel that the security of their online activities cannot be taken for granted. Security systems are designed and implemented by real people and mistakes happen, but one of the weakest links in the chain that has come under scrutiny for years is the old text password,” said Karl Martin, CEO of Toronto-based biometrics firm Bionym.
“People realize that this remains the most common point of security breach, and the time is ripe for transition to new technologies, such as biometrics.”
For now, the best Internet users can do to protect themselves in the aftermath of Heartbleed is to change the password on any account with a website affected by the bug, once that website confirms it has deployed a fix.
But the idea behind biometrics is that only the user would be able to gain access to an account, by using unique identifiers from their own body, which would remove the risk of someone breaking into the account after getting hold of the password.
Biometric technology – using identifying features (like fingerprints) from humans to authenticate actions on devices – is quickly moving into the mainstream.
Both Apple and Samsung have released smartphones with fingerprint scanning technology to replace the old four-digit passcode, and experts believe that biometrics will become more popular thanks to the wearable tech boom.
Felix Müller-Irion, CEO of Lavaboom, a secure email provider based in Germany, told Global News the company saw pre-beta sign-ups increase by a third after the Heartbleed revelations made headlines.
“If you consider half the global population uses the Internet, this is a colossal defect in the way we communicate and protect our privacy. I think we’re going to be seeing many more people switching to encrypted mailing,” Müller-Irion said.
Müller-Irion believes that flaws like Heartbleed, combined with cyber surveillance concerns, will cause more people to move towards secure email providers.
“If your email is compromised then you’re in a terrible situation; email accounts act as our master key to our activity on the Internet. When your email is hijacked it’s not just your entire online presence that’s hijacked, it’s going to have serious repercussions on your life in the real world,” he said.
The company said it was not affected by the Heartbleed bug.