Books written by Ray Sullivan

Tuesday, 22 April 2014

Heartbleed - two weeks (or two years) on

It almost felt like normality to discover that a fault in the IT security systems around the world had been found, not leaked by a 'whistleblower' or instigated by a government agency. To avoid getting too technical, what the programmers who wrote the code that forms the key cabinet to the main security keys that allow interaction between some servers did was use the best locks available and then place the master key on a hook alongside. In theory anyone passing this point could unlock the door, copy all the keys inside and then lock the door again, leaving no trace. They didn't even need to bring a virtual bar of soap along (side issue - has any key cutter ever accepted an impression of a key embedded in soap, and if so is it really doable?).

Of course, if you've read my books or sat at the bar with me for an evening you will know that I'm reasonably receptive to the odd conspiracy theory. I've also been around long enough to realise that people goof up often enough to make it normal behaviour to be ready to apply Occam's razor too. Here's my take: I don't believe the Heartbleed code to be the work of a criminal activity unless this is a very specialised criminal with very specific goals. Because many of us change passwords relatively frequently, but not as frequently perhaps as industry suggests, there remains a sizeable proportion of people who rarely change theirs. The longer you leave a password, the greater the chance it will be compromised would appear to be an intuitive rule, but of course it's wrong. It's how often you use it and what it protects that forms a greater rule regarding its potential to be hacked. Nonetheless Heartbleed has been around for two years and no major uptick in cyber crime has been reported. There's been an increase in attempts, sure, but these are from players who were clearly unaware that they simply had to take the key off the hook.

So it's probable that the fault has lain dormant and unnoticed all along. The criminals attempting to break into our bank accounts have been using the equivalent of bricks, crowbars and TNT when the key was under the plant pot. The biggest risk was the period between the news breaking and the patches being applied, when the criminal fraternity would be scrabbling to take advantage of the problem. There remains a residual problem that the security certificates may have been copied, in that virtual bar of soap, so servers need new certificates to be sure. My take is that a lot of organisations are going to incur some cost over the next few months (although this precaution should be done now for high risk servers) and some certificate salespeople are going to get a really good bonus this year.

So much for the rational side of the brain, what about the conspiracy theory? Well the NSA and GCHQ agencies have come under a lot of stick lately for reading our emails etc. As I've said before, they can read mine anytime they like, I'll bcc them if it helps, but wouldn't something like Heartbleed be a cheaper and easier way of getting around encryption than developing super-powerful computers to decrypt our last minute shopping lists (milk, coffee, C4, timer, bread)? And maybe leaking a security breach before Snowden reveals it anyway, but after a more secure and harder to find backdoor has been developed, is a convenient way of diverting attention?

But don't mind me, I've just finished writing a book, Assassin, that deals with a future British government so paranoid about terrorism that it would do anything from curtailing civil liberties to reading every email of its subjects just to try and control events. I didn't put Heartbleed in - that story broke after I finalised the book and set it up for pre-order, but it would have fitted like a glove. If governments gone wrong is your bag, be sure to check out Assassin.

Visit my Book Website here

Visit Project: Evil Website here

Visit DLF Website here

Follow me on Twitter - @RayASullivan

Join me on Facebook - use to find me
