For the past day and a half, the Internet has been abuzz about “Heartbleed,” a sinister-sounding security flaw that has rendered a massive chunk of the Web vulnerable to attack.
No less an authority than Bruce Schneier — a leading computer security expert, author and fellow at Harvard’s Berkman Center — wrote that the implications of Heartbleed are “catastrophic.” “On the scale of 1 to 10, this is an 11,” wrote Schneier, hardly a hand-wringing Cassandra.
Already a thousand explainer articles have been written about Heartbleed, which even has its own little logo. The flaw was only recently uncovered in OpenSSL, the widely used open-source encryption library that many sites and online services rely on to keep your username, password and other traffic encrypted. At its disclosure, some 17 percent — or half a million — of the Internet’s secure web servers were believed to have been vulnerable to the attack.
In theory, an attacker can exploit the vulnerability, without leaving a trace, to read passwords, encrypted communications such as instant messages, and credit-card information. The implications for major publishers and online retailers are simply astonishing. Just changing a password is not necessarily going to help anything — here’s a fairly comprehensive list of passwords you should change (Facebook, Gmail), and those you don’t need to worry about (Amazon, PayPal).
Digiday spoke with David Chartier, CEO of security firm Codenomicon, about what brands and publishers have to worry about — and whether the press has gotten the Heartbleed story right so far. Excerpts:
What do big publishers and online retailers need to do here?
The key thing is if you have a Web presence, you need to find out if you’re using OpenSSL. It’s pretty simple: your IT department knows what they’re using. The good thing with this bug is the fix is pretty simple: upgrade to the new version with the patch and revoke your old encryption keys. Then get issued new encryption keys. If you don’t do that, the attackers theoretically still have your encryption key and are able to decrypt your traffic. Go through your vendor, who will issue you new keys. Once that’s done users can change their passwords.
Has anyone not done this or had any trouble doing it?
All the top Internet assets have already done this. They have processes in place to roll this out. They’re able to do this fairly quickly.
What if you’re a small online retailer without an IT department?
If you’re a small business, you might be better off shutting down — going offline — and not using it until you can get it confirmed from your service provider, so you don’t have to worry about being hacked. At Codenomicon we only really deal with really large companies. All our clients seem to be on top of it. I have people I know, friends running ecommerce sites, and they don’t know anything about anything. They need to contact whoever they’re getting their service from and ask them simple questions: are we using simple SSL? Have you upgraded?
It’s probably a good time to be a vendor providing these new encryption keys.
You can imagine the certificate providers are pretty busy these days. You have a huge chunk of the Internet asking for these certificates.
A lot of businesses can’t really afford to just go offline, though.
Those are really your two choices: Do the upgrade or turn the service off. The Canadian IRS closed their system. They needed to do quite a lot of work to do these upgrades to make sure no one was compromised. I think they took a prudent approach.
No one knew about this before last week. Are hackers having a field day right now?
It’s hard to say. I know a number of security firms have set up honeypots on the Internet to try to determine if there’s any activity out there. The challenge you have with this bug is that it doesn’t leave any forensic traces. After we hacked ourselves we couldn’t find any trace that we’d been there. Unless somebody hacks a honeypot and the honeypot owner discloses that, it’s going to be very difficult to determine if it’s been exploited or not.
Has this been overblown, under-blown or appropriately-blown?
I say it’s an appropriate response given the severity of the threat. The Internet is a whole lot safer than it was a week ago thanks to the security community and the media.
So it’s now safe to buy things on Amazon and sign in to read the New York Times?
I don’t want to call out any individual websites, but I would say it’s pretty safe on Amazon.
Has the media gotten the story right?
I would say that a vast majority have gotten it pretty right. There’s been a lot of talk about how important it is you change your password. It is. But you have to do it at the right time. It doesn’t help to change it unless your SSL has been upgraded and you’ve been issued the certificate. Changing the password isn’t a fix in itself. But overall it’s been good reporting.
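The sequence Chartier lays out (find out whether OpenSSL is in use, patch it, revoke and reissue keys, and only then change passwords) can be turned into a first-pass triage check. The script below is an added example, not Codenomicon’s tooling; the affected version range it encodes (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g released 7 April 2014) is the published Heartbleed fact, and the banner strings and dates in the comments are constructed.

```python
import re
from datetime import date

# Heartbleed lives in OpenSSL 1.0.1 through 1.0.1f and in 1.0.2-beta1;
# 1.0.1g (7 April 2014) carries the fix. The 0.9.8 and 1.0.0 branches never
# had the heartbeat code, so they are unaffected.
HEARTBLEED_FIX_DATE = date(2014, 4, 7)

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_status(version_banner):
    """Classify the output of `openssl version` as 'vulnerable', 'fixed' or 'unaffected'.

    Caveat: distributions that backported the fix (Debian, Ubuntu, RHEL) keep the
    old upstream string, so 'vulnerable' means 'check the package changelog',
    not a confirmed finding.
    """
    m = _BANNER_RE.search(version_banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % version_banner)
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        # '' (plain 1.0.1) through 'f' are vulnerable; 'g' and later are fixed
        return "vulnerable" if letter <= "f" else "fixed"
    if branch == (1, 0, 2):
        return "vulnerable" if beta == "1" else "fixed"
    if branch < (1, 0, 1):
        return "unaffected"
    return "fixed"


def key_rotation_needed(cert_not_before_iso, version_status):
    """Decide whether the server key and certificate must be revoked and reissued.

    A key in use on a vulnerable build may already have leaked, so a certificate
    issued before the fix date is treated as compromised even if the build has
    since been patched. A certificate issued after the fix date on a still
    vulnerable build must be rotated again once the build is upgraded.
    """
    not_before = date.fromisoformat(cert_not_before_iso)
    return version_status == "vulnerable" or not_before < HEARTBLEED_FIX_DATE


if __name__ == "__main__":
    # constructed banner, as `openssl version` prints it
    status = heartbleed_status("OpenSSL 1.0.1e 11 Feb 2013")
    print(status, key_rotation_needed("2013-09-01", status))
```

Only after the build reports "fixed" and `key_rotation_needed` returns False for the new certificate does a user password change do any good, which is the ordering the interview stresses.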