These days, everyone is trying to “break the Internet”; with Kim Kardashian’s backside or brand-new Chinese characters, everyone seems to be intent on doing away with the world’s greatest invention.
One year ago a security vulnerability came to light that could have potentially achieved this terrifying goal.
It had a name. It even had a scary logo. For a few days in April 2014, the world’s media did their best to explain a bug that could truly break the ‘Net. Its name?
And yet, according to a study released by Dashlane today, an alarming number of people don’t recall the Heartbleed bug. In fact, 86 percent of Americans say they have not even heard of Heartbleed.
That’s shocking, and the full study continues to deliver startling conclusions throughout.
Before we delve into the details of the report, which Harris Poll conducted on Dashlane’s behalf in March 2015 (taking in responses from over 2,000 U.S. adults), it is worth explaining why Heartbleed was so potentially devastating.
When you visit a website, especially one with an e-commerce capability such as a shopping site, it may be protected by a secure connection. To enable this, website developers use security protocols.
The most popular implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols that make this security possible is an open-source cryptographic library called OpenSSL.
Heartbleed was a serious vulnerability in the OpenSSL library that enabled hackers to steal information that would normally be protected. It allowed anyone on the Internet to read your usernames and passwords if they knew how to leverage the bug. It allowed attackers to see your content. It enabled them to eavesdrop on communications, and steal data from the services you were using. It even let them impersonate both services and users.
At the time we discovered Heartbleed, it was estimated that 66 percent of all web servers used OpenSSL. Most major websites, and a few million minor ones, were affected. And if you were one of the bleeding-edge users (pun intended) that understood this kind of thing and stayed on top of security breach news, changing your password wouldn’t have done anything for you.
You needed to wait until the website in question had updated OpenSSL to the new, fixed version, and then change your password afterwards. Changing it before the fix was put in place left you vulnerable to hackers grabbing your new password anyway.
On the eve of the very first Heartbleed-aversary, Dashlane has revealed in a new study, released today, that the future of personal security is more troubling than ever.
I asked Emmanuel Schalit, the CEO at Dashlane, to explain the most shocking finding from the report.
“The most startling finding was that almost nine out of 10 Americans have never heard of Heartbleed, which was arguably the most dangerous and widespread security flaw in the modern digital age,” Schalit said. “Flaws like the ones we’ve seen in the past 12 months, including Heartbleed and others like ShellShock, can potentially affect everyone using the Internet.”
That’s a big issue, because it means that — most of the time — computer users are leaving themselves wide open to fraud.
“The fact that most people haven’t even heard of these major events, let alone taken the minimum appropriate action to safeguard their information, shows the immediate need for a massive campaign to educate the public,” Schalit said.
And yet the full report tells us that users generally believe that they are the best people to manage their security.
Nine out of 10 might not have been able to recall Heartbleed, but 32 percent chose themselves (more than anyone else) when asked which organization or person(s) they expected to do the best job protecting their interests from hackers, breaches, and online security threats.
While websites are often protected using OpenSSL, the library is also used to protect email. This is an area of particular concern, because the report deals another startling statistic.
“Our study found the majority of people (72 percent) were most concerned with their Social Security numbers, bank information and credit card numbers,” Schalit said. “Yet, only 1 percent said email was their greatest area of concern of hackers getting access to.”
And that, in anyone’s terms, is a huge problem.
“If you look at the trove of information that is stored in the average person’s email account — passwords, addresses, contact information, finances, and more — you quickly understand why email is targeted so frequently by hackers,” Schalit said. (Update: Dashlane now has an email scanner that checks your inbox for potential security issues.)
As part of its Heartbleed Study, Dashlane assembled a team of experts from the realms of business, advocacy and academia to provide the public with an assessment of the fallout from Heartbleed, as well as analyze the online security and privacy challenges that lie ahead.
With contributions from the likes of Nuala O’Connor, the CEO and president of the Center for Democracy & Technology; Catherine Lotrionte, the director at the Georgetown University Cyber Project; Todd Simpson, the chief strategy officer at AVG Technologies; and Sunday Yokubaitis, the president at Golden Frog, today also sees the launch of an explanatory video to accompany the report.
One year on from the discovery of Heartbleed, Internet security concerns continue to make weekly headlines, and while the biggest of these breaches may cross over to the mainstream media, the message doesn’t appear to be getting across to the masses.
If you’re one of the 86 percent who can’t recall Heartbleed one year on, or the 99 percent who aren’t concerned by email security breaches, you’ll find the full report and a number of other resources available right now.