
Today, I want to talk about some of the media hype related to the Heartbleed vulnerability. It’s important to first state that this is a critical vulnerability, one that both enterprises and consumers need to be aware of and, for which, patches MUST be applied. That said, the vulnerability has been overblown in several media channels and it’s worth stating the counterpoint to the hype that is out there.

Last week, everybody was jumping all over Heartbleed and I don’t expect the attention to go away anytime soon. The problem, though, was the response from mainstream media. News outlets, late-night talk show hosts, and morning shows were all discussing Heartbleed and relying on their “new media experts” to provide real details.

These are the people that find interesting Twitter posts and maintain the television shows’ Facebook page. They are not the people that should be providing security advice to consumers. The most popular comment I heard last week from these “experts” was “make sure you change your password”. There was plenty of other FUD about how mobile devices (because those are popular with consumers) were impacted in additional ways as well.

The facts are pretty straightforward:

  • All devices are equally impacted when interacting with vulnerable services or running vulnerable clients
  • Until this week, we hadn’t had confirmation that the leakage of private keys was even possible. Even though it is, it requires a large number of requests that any IDS/IPS should detect
  • There’s more risk in changing your password on a vulnerable site right now than there is in leaving your password alone until it is confirmed that the service is patched.
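The second bullet's point, that extracting a private key takes many malformed heartbeat requests which an IDS/IPS should catch, is easier to see in code. The following is an added example, not the post's or Tripwire's own code, of the record-level check and per-source counting such a sensor would apply; the heartbeat layout follows RFC 6520, and the sample records and client addresses are constructed for the example.

```python
"""Heartbleed detection check, constructed for this page (not the post's code).

A Heartbleed probe is a TLS heartbeat record (content type 24) whose declared
payload_length is larger than the payload the record actually carries.
RFC 6520 lays out a heartbeat body as type(1) | payload_length(2) | payload |
padding(>=16), so 1 + 2 + payload_length + 16 > record body length is malformed.
The sample records and client addresses below are constructed, not captured.
"""
import struct
from collections import Counter

HEARTBEAT = 24        # TLS ContentType for heartbeat messages
MIN_PADDING = 16      # RFC 6520 minimum padding

# Constructed records: a TLS 1.1 heartbeat carrying "abc" with an honest
# length (3), and the same record with payload_length inflated to 0x4000.
BENIGN = bytes.fromhex("18 0302 0016 01 0003 616263" + "00" * 16)
MALFORMED = bytes.fromhex("18 0302 0016 01 4000 616263" + "00" * 16)
APP_DATA = bytes.fromhex("17 0302 0002 aabb")  # not a heartbeat at all

def is_malformed_heartbeat(record: bytes) -> bool:
    """True if `record` is a heartbeat whose declared payload cannot fit
    inside the record body (the over-read condition behind Heartbleed)."""
    if len(record) < 5 or record[0] != HEARTBEAT:
        return False
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return True            # too short to hold even the heartbeat header
    (payload_len,) = struct.unpack("!H", body[1:3])
    return 1 + 2 + payload_len + MIN_PADDING > len(body)

def flag_sources(records, threshold=10):
    """Count malformed heartbeats per client address and return the clients
    at or above `threshold`. One stray record is noise; a burst from one
    source is the repeated memory-dump pattern the second bullet describes."""
    counts = Counter(src for src, rec in records if is_malformed_heartbeat(rec))
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    # Constructed traffic: one client hammering, one sending a single probe.
    traffic = [("10.0.0.5", MALFORMED)] * 12 + [("10.0.0.9", MALFORMED), ("10.0.0.9", BENIGN)]
    print(flag_sources(traffic))   # {'10.0.0.5': 12}
```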

The third bullet point is, by far, the most important one. If a site is vulnerable, you increase the chances of someone seeing your password by changing it while someone is actively dumping memory using this exploit. Use a service like the LastPass Heartbleed checker to confirm that a service has been patched before changing your password.

In the end, the leakage of a private key doesn’t greatly increase risk for the average home consumer. If you’re a regular user of public Wi-Fi (coffee shop, hotel, transit), then the risk is greatly increased but if you’re using your home computer on your own connection — or your phone’s data plan — the risk is minimized by quite a bit.

If you are using public Wi-Fi, be increasingly careful until you know every service you use is patched. It is incredibly unlikely that anyone has stored packet captures of your interactions that they can go back and decrypt.

Everyone talks about educating the user but part of user education puts the onus on the security industry to properly level set. If we cry wolf with every vulnerability, we’re simply doing end users a disservice. As I originally stated, this is a critical issue that must be fixed but for the average consumer the latest Flash and IE 0-days still pose a greater risk than Heartbleed.

  • As a security instructor for all English-speaking colleges and universities, I want to thank you for this article. It makes me sick to see some of the "talking heads" on television giving misinformation that millions of viewers are soaking up. Thank you!

  • Steve Stumpff

    A vulnerability that:

    1. Makes it so you can't trust any of your passwords AND
    2. Makes it so you can't trust any certificate you use for SSL/TLS

    is overblown?

    I find myself wishing I could get the last 5 minutes of my life back.

    • With respect, the author did first state that this is a "critical vulnerability" – his point was that the wrong people have been giving the wrong advice to the general public, which does not help our efforts to inform and educate.

  • Heartbleed over-hype is better than no hype at all. Think of the thousands of business owners that have read about this in the press and taken prompt action to identify and patch vulnerable systems. This simply wouldn't have happened if Heartbleed just ended up in some security vendor update bulletin somewhere.
    There's plenty of FUD in the media anyway, even without cyber security news – it's what gets an audience. I think it's a case of the cyber security industry not really understanding "media", rather than "media" not understanding cyber security. Let's face it, we as an industry don't get a huge amount of press and anything that raises awareness is good in my books.

    • Agreed – mainstream media is too obsessed with buzzwords and simple one-line explanations – infosec is not (or should not be) confined to such minimalist restrictions. It is a complex field, as are the tactics of our adversaries.
