Security vulnerability with its own logo and marketing: Did 'Heartbleed' backfire?


First of all, what do you call the class of thing that Heartbleed is? Even local TV news websites have done a relatively good job the past few days in using the appropriate language to describe Heartbleed, usually by way of running the Associated Press story with little or no alterations.

It is certainly a gaping security hole, though it's a hole in a system that wasn't exactly watertight to begin with (for more, see exhibit A, exhibit B, exhibit C and exhibit D... shall I go on?). As FierceEnterpriseCommunications reported Wednesday, its cause is most likely the use of a library code shortcut that wasn't properly checked for bounds violations, enabling a type of function call called a "heartbeat" to reveal chunks of memory to which it's not entitled.
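As an added illustration (not from this article, and not OpenSSL's own source), the following simplified C model shows the bounds check the heartbeat handler was missing: the declared payload length in the request must be compared against the number of bytes that actually arrived before anything is copied into the echo response. The record layout follows RFC 6520 (type, two-byte length, payload, at least 16 bytes of padding); the function names and sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HDR_LEN 3
#define HB_MIN_PADDING 16

/* Returns 1 when the declared payload length fits inside the bytes actually
 * received, 0 otherwise. This is the check the vulnerable code omitted: it
 * trusted payload_length and copied that many bytes into the reply even when
 * far fewer had arrived, so the copy ran on into adjacent process memory. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    return HB_HDR_LEN + payload_len + HB_MIN_PADDING <= rec_len;
}

/* Builds the echo response only after the check passes, so the copy can never
 * read past the received record. Returns bytes written, or -1 when the record
 * is rejected (the patched behaviour is to discard such requests silently). */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len) {
    if (!heartbeat_length_ok(rec, rec_len)) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HDR_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_len) return -1;
    out[0] = 2;                       /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    memset(out + HB_HDR_LEN + payload_len, 0, HB_MIN_PADDING); /* zero padding for the demo; real code uses random bytes */
    return (int)resp_len;
}

/* Constructed sample records. The second declares a 65535-byte payload but
 * carries only one byte: exactly the mismatch a correct handler must refuse. */
static const uint8_t honest_rec[HB_HDR_LEN + 5 + HB_MIN_PADDING] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t lying_rec[HB_HDR_LEN + 1 + HB_MIN_PADDING]  = {1, 0xFF, 0xFF, 'x'};

int main(void) {
    uint8_t buf[64];
    printf("honest record: %d bytes echoed\n", heartbeat_respond(honest_rec, sizeof honest_rec, buf, sizeof buf));
    printf("lying record:  %d (rejected)\n", heartbeat_respond(lying_rec, sizeof lying_rec, buf, sizeof buf));
    return 0;
}
```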

But what we call it is important, because as journalists, our job should be to present the facts that prevent fear and panic. At least a few local TV news broadcasts Wednesday were guilty of mischaracterizing Heartbleed as a "breach" or a "virus" that steals passwords. And one San Diego reporter went so far as to interpret Heartbleed as a fake Web site that enters your own computer and steals your passwords and financial data.

"Once someone allows a fake Web Site to enter, Heartbleed can gain access to memory storage and steal financial data of credit card numbers and other sensitive information," the reporter really did write. "It compromises passwords and has stolen some Yahoo passwords reported yesterday on CNET site this morning."

As another news site describes it: "Seen as possibly the worse case scenario for such a virus this one wasn't found on one website, or even multiple websites, but in fact part of code that was initially designed to keep servers secure." Such characterizations of Heartbleed as not only a virus but a malicious actor may have prompted the U.S. Congress to enact security breach protocols, as reported by Roll Call, the day-to-day journal of Congressional activities, which itself described Heartbleed as a malicious virus.

What's more, TV broadcasts are presenting the Heartbleed logo (when you think about it, when does a bug get its own logo?) in an ominous motif, like a calling card left by hackers or an anonymous activist group.

You have to admit, as a marketing tool, the trade name and the logo did their job in getting the word out to Internet users. But as Codenomicon--the security firm that discovered Heartbleed--openly admits, there isn't really much that users can actually do about it, except apply pressure on websites using OpenSSL to upgrade to version 1.0.1g.

It's usually malware that gets the comic-book-villain motif treatment. As the man who helped coin the name for one of the first huge, worldwide worms told me seven years ago, in retrospect, the application of motifs in the first place not only confuses everyday users, but opens up more possibilities for the "script kiddie" variety of malicious user to make use of the malware before the software it threatens is patched.

FEC asked Codenomicon spokesperson Ari Takanen how it was that a security hole came to have its own high-class marketing logo, as well as a blog, just minutes after someone in the security development field blurted out the hole's existence.

"We felt pain while analyzing and recovering from the bug," responds Takanen. "Based on our past experiences in reporting vulnerabilities, we had a feeling that this one called for a 'Vulnerability Coordination 2.0' approach to get the information out to everyone in a democratic way."

One of the firm's own experts came up with the name, Takanen continues, and the team declared it fitting. The domain with that name was registered, and the firm's own artist drew up the logo.

"We wrote a Q&A to support the vulnerability coordination when reaching out to the vendors and service providers," he goes on. "Much faster than expected, others went public with the bug, and we felt that the Q&A could help the public as well."

Indeed, the complete information provided by Codenomicon did result in less than the usual amount of confusion from the general press about the nature of the bug. While there were cases of panic, they were isolated; for most third-party sites, the story was more often mutated by bad grammar than by miscomprehension.

Sadly, it takes a discovery of this magnitude, exposing this much ignorance of basic security, to prompt any substantive public discussion of the integrity--or lack thereof--of the Internet at large.
