It's called the Heartbleed bug and it's as awful as it sounds – at least when it comes to the enormous risks posed to supposedly safe and encrypted data.
The problem is so serious that it prompted the Canada Revenue Agency to temporarily shut down online services for taxpayers at the height of tax-filing season to ensure "the private information of Canadians remains safe and secure."
Coming after a string of cyberassaults on major U.S. retailers, this latest global security threat is bound to make consumers ever more skeptical about the safety of the sensitive information they have been routinely entrusting to governments, banks, insurers, retailers, hospitals and all manner of other service providers. And they should be.
The plain truth is that many organizations spend far more on touting their wares and services online and making their web sites as user friendly as possible than they do on safeguarding information. The Heartbleed bug underscores the dangers that lurk in the underbrush, ready to ambush even the most sophisticated of Internet players. And it ought to prompt much more serious investment in strong security measures and the capacity to quickly detect flaws and squelch breaches.
Unlike the malware attack that resulted in the stunning theft from Target Corp. of about 40 million payment card numbers and some 70 million customer records, the Heartbleed bug was not concocted by some clever teenage hacker for criminal clients. It's a critical software programming glitch in a data encryption standard called OpenSSL, one that has existed for the past two years. OpenSSL is widely used to safeguard traffic between web users and a vast number of servers storing data for a majority of web sites.
These include sites operated by the likes of Google, Facebook, Amazon and Yahoo. The first three fixed the glitch before it became public this week, and Yahoo is partway there.
The flaw leaves OpenSSL open, all right… to hackers. They can intercept reams of data, really everything stored in a computer's memory. This includes all manner of sensitive personal and corporate information, ranging from passwords and credit card numbers to emails and confidential documents.
Codenomicon, the Finnish cybersecurity company that (along with a Google Security specialist) uncovered the gaping security hole, attacked its own defences as a test. Without leaving a trace, its experts managed to steal secret encryption keys, user names, passwords, emails, instant messages and critical business documents and communication. The keys are the big prize in the cereal box, because they make the encrypted data readable.
Although Internet companies are rushing to close the security breach, the extent of the potential damage is so vast that Heartbleed has triggered earthquake tremors across the digital universe. It has also prompted a wave of "I-told-you-sos" from security-conscious Cassandras, who have long warned about such threats – not least RCMP commissioner Bob Paulson, who wrote to Public Safety Minister Steven Blaney that "this growing threat significantly impacts the economic prosperity of our country, as well as individual Canadians."
Governments, organizations and businesses may not have grasped the need to devote more resources to protecting information. According to research firm IDC Retail Insights, retailers are expected to spend $720.3-million (U.S.) on cybersecurity in 2014 – a figure dwarfed by their total tech spending for 2014, estimated at $36.34-billion. They may be hoping that the rising frequency and size of such attacks might be mitigated by the possibility that everyone will be affected at once. Too bad the costs of cybercrime are not being equally distributed. While the CRA closed its site, its equivalent U.S. agency, the Internal Revenue Service, did not. And Target faces heavy lawsuits over its security breaches, which, given a furiously competitive U.S. retail landscape, must have J.C. Penney and Sears breathing copious sighs of relief.
Sooner or later, a mega-hack is going to sink a business, or seriously undermine a government. Despite the high costs, organizations increasingly can't afford to take the risk of being the victim.