On April 7, 2014, the security community first learned of the “Heartbleed” vulnerability, a flaw which affected upwards of 66% of websites at the time. The bug had been present in OpenSSL since December 2011, allowing attackers to read the memory of an affected server and gather the secret keys used to encrypt and decrypt communications. Following news of the vulnerability, many companies rushed to implement patches and replace their certificates.
It has been a year since Heartbleed was disclosed, but while the information security community has dedicated much of its time and resources to understanding the flaw, the same cannot be said about ordinary users.
In March of this year, the password manager Dashlane commissioned a study, conducted by Harris Poll, to gauge public awareness about online privacy and security. The company found that despite having affected 500,000 websites, only 14 percent of Americans had ever heard of the Heartbleed bug.
Some other important findings of the study include the following:
- Only six percent of visitors to the top 100 websites have changed their passwords to those sites following the disclosure of Heartbleed.
- Approximately one-third (32%) of Americans believe they are responsible for protecting themselves online. However, 23% said tech companies should be responsible, while 24% admitted they did not know on whom the responsibility should fall.
- Nearly three-quarters (72%) of Americans are most concerned about protecting sensitive information such as Social Security Numbers, credit card numbers, and banking information. This left only one percent of users most concerned about their email accounts, which, if insecure, could provide hackers with a treasure trove of personal information.
These and other figures in Dashlane’s study raise the question: Why has Heartbleed had such a limited impact on public awareness and behavior?
FUD & Media Sensationalism
One reason that explains much of online users’ ignorance of Heartbleed is the lack of reliable and respected sources of news. Most media sources, explains Tyler Reguly, Manager, Security Research and Development at Tripwire, fall into two different camps: the doom and gloom camp and the “new media specialists” camp.
“The first always thinks that the sky is falling,” observes Reguly. “With every new security issue, it’s the end of the world. There’s no hope, and all is lost.”
Media outlets that embrace the “doom and gloom” mindset tend to produce sensationalized stories, which we as citizens of the information age have learned to tune out. Even when a serious story, such as Heartbleed, emerges, a prevailing aversion to media sensationalism prevents many users from paying much attention.
The second camp, on the other hand, consists of “pseudo-journalists who report the ‘latest happenings on Twitter, Instagram and Facebook’ and share the newest Buzzfeed quiz of the day.” These reporters, in Reguly’s mind, are treated as technical specialists at various news organizations. They therefore frequently report on security-related issues even though they have no qualifications to comment on these stories.
“To watch one of these ‘new media specialists’ discuss Heartbleed, you would have thought you were only affected if you were an iPhone user,” explains Reguly.
However, a second, more fundamental reason why many have not heard about Heartbleed is user perception.
“Your ordinary user isn’t concerned with what can happen but with what actually directly affects their daily lives,” notes Travis Smith, Security and Compliance Analyst at Tripwire.
This issue is further compounded by the fact that even when a security vulnerability actually compromises users’ data, as Heartbleed did in the Community Health Systems breach, a company rarely discloses the technical details of the attack to its users, which only further limits their understanding of security issues.
“Today, it’s up to the company to secure the servers, not the end users. This is a fine setup. However, as the end user has little control over the security of the service, there is little incentive for them to care how or when these services are compromised.”
Indeed, a user’s concerns with respect to their online experience are much simpler than understanding the security of the various products they use.
Irfahn Khimji, Senior Information Security Engineer at Tripwire, is well aware of this fact:
“An end user merely looks at the usability of the product without any care of the security impact. If it still works, why bother worrying about it?”
This mindset conceals a reality with which many professionals in the field of information security are forced to come to terms: in the minds of users, security is oftentimes too abstract a concept for them to understand.
“People can naturally think about and understand many aspects of physical security compromises from their daily lives, such as a burglar picking a lock or breaking a window to rob a home,” explains Craig Young, a Computer Security Researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT).
“However, when you talk about a hacker burglarizing a computer system, I think people tend to imagine someone sitting at a computer in some dark room wearing a ski mask.”
Because users are unwilling or unable to consider security beyond these stereotypes, Heartbleed, Shellshock and POODLE, as well as the host of other vulnerabilities and breaches we have seen over the past year, blend together to create the false perception that users are powerless when it comes to their digital security.
“People are making the assumption that they will eventually get hacked no matter what, so to them, time spent ‘securing’ their digital world is nothing more than wasted time,” said Young.
“With this mentality, it makes no difference how hard you try to make users more aware of vulnerabilities since the information essentially goes in one ear and out the other.”
Smart Users or Smart Technology?
Many experts believe there is currently very little companies can do to educate users about vulnerabilities like Heartbleed. The onus is therefore on companies to develop creative solutions for raising user awareness. One such idea, proposed by Khimji, is for software enterprises to start placing usage restrictions on outdated and vulnerable versions of their products in order to get the attention of the end user.
“If they are unable to use the product unless they update, users may start to wonder why,” Khimji reasons.
However, other experts reject the idea of public education altogether. Young explains: “Instead of spending time educating the public on specific vulnerabilities, I think the technology community should be working toward the proliferation of technical solutions like multi-factor authentication as new vulnerabilities are discovered and exploited.”
2015 will undoubtedly see its fair share of security incidents and the discovery of new vulnerabilities. However, if Dashlane’s Heartbleed study, in conjunction with Tripwire’s expert comments, is any indication, we must come to grips with the reality that most users will likely never hear about any of them.
You can read Dashlane’s study on public awareness in full here.