Dear Lifehacker, There seems to always be a new, threatening bug on the horizon that has the potential to break the internet. Last year it was Shellshock and before that it was Heartbleed. So far, the internet is still standing. Do I really need to be worried about all these bugs and vulnerabilities, or is this stuff tech companies need to care about? Can someone actually use these against me? Thanks, Security Sceptic
Dear Security Sceptic,
It does seem like every other day there's a new hack, some treasure trove of data has been exposed, or there's a new bug threatening to turn the tech world on its head. Just last week we brought you news of a new malware called XcodeGhost which had infected a number of apps on Apple’s App Store in China.
It's natural to get a little tired of hearing about vulnerabilities, especially when they keep coming and nothing seems to change. After all, we're told these problems are severe, but so often there's nothing we can do about them. You're right to be sceptical, but don't let that scepticism keep you from doing the right things to keep your data safe.
As for Shellshock and Heartbleed (and other similar vulnerabilities), we sat down with some computer security experts to separate fact from fiction, and help you understand what you should and shouldn't actually be concerned about.
Are These Vulnerabilities Really Such A Big Deal?
With headlines that say that Heartbleed and Shellshock can "break the internet", you couldn't be blamed for thinking the sky is falling. Everyone agrees these are serious problems, but the steps that end-users can take to protect themselves are fairly limited.
In the case of Heartbleed, a bug in OpenSSL's handling of TLS heartbeat messages that let anyone on the internet read chunks of a vulnerable server's memory (potentially including private keys, session cookies and passwords), the best advice was to wait for your favourite sites to patch themselves, then change your passwords. For Shellshock, a bug that made the Bash shell execute commands smuggled into environment variables (reachable through things like CGI web scripts), you needed to patch your Mac or Linux computer, and then hope that everyone else -- especially system administrators and engineers -- did the same. While researchers say they have seen both bugs exploited in the wild, it's not the case that people are losing their computers or flooding tech support hotlines with calls about broken machines -- not the way we saw back in the early 2000s when viruses made the evening news.
So does that mean you can just forget about them? Not quite. Most vulnerabilities that grab headlines are serious, and all of the experts we spoke to noted that. However, they also explained that doom and gloom headlines often have the opposite effect on people: they make readers weary of internet security news instead of encouraging them to pay attention to it. Mark Nunnikhoven, vice president of cloud and emerging technologies at Trend Micro, explained both sides:
Shellshock is extremely serious. It merits 100% of the attention it's currently garnering in the public view. We will never have an accurate scope of the issue but Nicole Perlroth writing for the New York Times guesses that about 70% of the machines connected to the internet may be affected. That seems reasonable to me. Even with a bug this serious, some people have still managed to make hyperbolic claims about its impact. That doesn't do anyone any good. Sensationalising this very real issue polarises the discussion needlessly and that leaves us all more exposed than we already are. Any time you have a complex issue, it's difficult to relate the details to a wider audience. Unfortunately, people respond to dramatic claims more often than to nuanced ones. This won't be the end of the internet but it is a very serious issue and one that needs to be addressed immediately.
Frederick Lane, author, consultant, and computer security expert, agrees. He explained that scary headlines generally don't help when end users can't do much about them, but when they're aimed at the right people, they may spur those people into action:
I think that scary headlines are useful when they are aimed at system administrators and management, so that they will commit the time and resources to making sure these vulnerabilities DON'T reach consumers. However, we shouldn't be scaring the average PC user because there is very little (if anything) that they can do to fix these problems. All the headlines do for consumers is add to the existential angst that makes modern living so challenging. At a certain point, scary computer headlines just become background noise.
So bottom line: when you hear about these types of vulnerabilities, they're worth sitting up and paying attention to, especially if you work in IT, or are in a position to actually do something about it. If you can patch your own computer, you should. Beyond that, take the hyperbole with a grain of salt. The internet is robust and adaptable -- it's unlikely one security issue or vulnerability will bring the whole thing to its knees.
Do Normal Computer Users Need To Worry About These Exploits?
With bugs like Shellshock and Heartbleed, all an end user can do is hope for the best and apply a patch when one is available. It may seem like a waste of time and energy to worry about it. However, you should at least keep an ear to the ground, says Lane.
After all, today's problem for system administrators is tomorrow's problem for home users:
I think that this helps to underscore the risks that are steadily accruing as we move towards an Internet of Things. Think about this: what if someone was able to gain access to the systems that control the remote shut-down devices used by repo guys (which were covered in a story by the New York Times a few days ago)? You could have thousands of cars suddenly shutting down all over the country. The really disturbing piece of the Bash vulnerability is that we don't even have a good sense of how many systems even use Bash, and many that do have no mechanism in place for software/firmware updates. Stories about Shellshock and Heartbleed are of course great opportunities to remind consumers about the steps that they should be taking ALL THE TIME to minimise the potential losses from a hostile attack: 1) install and update anti-malware; 2) back up important files; 3) double-check to make sure they have backed up important files; and 4) monitor your financial information and credit reports. Technology offers tremendous benefits to all of us, but the shiny devices impose certain responsibilities. As Heinlein said, "There ain't no such thing as a free lunch."
Peter Theobald, a computer forensics examiner, software designer and consultant, explained there's more to the picture than just desktop computers that everyday users should be concerned with. Firewalls, routers, NAS devices, even Linux-based embedded systems in smart thermostats and other household devices are potential targets for Shellshock (if they're connected to the internet directly, without a firewall -- and even then, the firewall itself may be vulnerable). Every server running a vulnerable version of OpenSSL was a target for Heartbleed:
Within one HOUR of Shellshock being published, there were reports of new malware scanning the Internet using the new vulnerability to compromise computers. Bash is used on Linux web servers, on Mac computers, on NAS storage devices, on routers and access points, on firewalls and many other devices. Apple and Linux distro makers have worked very quickly to issue patches to close these vulnerabilities. This will take care of the web servers and OS X computers. What concerns me more is all of the routers, firewalls and access points that will not be patched in a timely manner. How many people would even know how to patch their router? Keep your eye out for news about how router vendors will handle this. It may be the trigger that sets off an industry wide change in how consumer devices are maintained, perhaps with auto-updates coming from the manufacturers.
There's no doubt that these issues are serious, and can potentially have real effects on everyday people and the technology that we use. At the same time, don't lose sleep over it just yet. After all, few technologies are secure, and even fewer when they're connected to the internet. Don't be surprised if we see more Shellshocks and Heartbleeds in the coming months and years. However, it doesn't hurt to stay vigilant and to practise good computing hygiene. You don't want to learn how to update your router's firmware when there's a big vulnerability -- these are useful skills to have beforehand, and so is knowing how to confirm that a patch you installed actually took.
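One such skill is verifying a fix rather than trusting that an update applied it. The script below is an added example, not code from the Lifehacker article or from any of the experts quoted: it runs the widely published probe for the original Shellshock bug (CVE-2014-6271) against whatever `bash` is on your PATH and reports whether that bash still executes a command hidden after a function definition in an environment variable. It assumes a `bash` binary is installed; if none is found it says so rather than failing. One caveat a practitioner should keep in mind: the first Shellshock patch was incomplete and follow-up fixes (CVE-2014-7169 among them) were needed, so a bash that passes this probe has the original hole closed but is not thereby proven fully up to date; the real answer is your distribution's package version.

```bash
#!/usr/bin/env bash
# Added example (not from the article): probe the local bash for the
# original Shellshock bug, CVE-2014-6271. A vulnerable bash, on startup,
# parses an environment variable that looks like a function definition
# and then keeps executing whatever follows the closing brace. A patched
# bash stops at the end of the function body.

# Prints one of: patched, vulnerable, no-bash.
# Returns 0 for patched or no-bash, 1 for vulnerable.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The value of x is the canonical public test string: an empty
    # function body followed by an extra echo. Only a vulnerable bash
    # runs that echo while importing its environment.
    probe=$(env x='() { :;}; echo SHELLSHOCK' bash -c 'echo probe-ran' 2>/dev/null)
    case "$probe" in
        *SHELLSHOCK*)
            echo "vulnerable"
            return 1 ;;
        *)
            echo "patched"
            return 0 ;;
    esac
}

# Human-readable report including the bash version string, for the
# person running the check by hand.
shellshock_report() {
    status=$(shellshock_status)
    if [ "$status" = "no-bash" ]; then
        echo "bash is not installed here; nothing to check"
        return 0
    fi
    ver=$(bash --version 2>/dev/null | head -n 1)
    echo "bash CVE-2014-6271 check: $status ($ver)"
    [ "$status" = "patched" ]
}

shellshock_report
```

Run it as `sh shellshock_check.sh` (or `bash`); a non-zero exit status means the bash it found is still vulnerable, which is exactly what you would script into a fleet check after rolling out a patch. The same probe works against an embedded device if you can get a shell on it, but on a router the more useful question is usually whether the vendor shipped new firmware at all.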
Be Sceptical, But Don't Let That Keep You From Being Safe
All of our experts were quick to point out that these types of vulnerabilities are new in that they have broad reach and can have wide impact, yet, unusually, they don't require users to do very much aside from update their systems when they're told to. In contrast to years past, OEMs and smart device manufacturers now have the responsibility to provide patches, build update mechanisms into their products, and keep their systems secure if they expect the devices they sell to connect to the internet.
As technology evolves and gets more connected, the core technologies underneath those smart thermostats and smart watches will be applied in ways their original developers didn't consider. That's going to lead to more vulnerabilities exposed and more exploits in the wild. Lane explains:
At a more theoretical level, I will say that these types of stories reaffirm my growing belief that we have created systems that are so complex that we can never be sure they are completely secure. Put another way, the closer the complexity of systems we create emulate the complexity of "the real world," the more likely it is that we become hostages to fate. Since we created computers and the Internet, we cling to the illusion of control, but it is merely ephemeral. I'm not saying that we shouldn't try to prevent bad people from doing harm through software vulnerabilities (much like the struggle to combat cancer); I'm just saying we should be realistic about how perfectly secure we can actually be.
So at the end of the day, there's no doubt that these issues are serious, and they deserve your attention. However, do your own research and don't just read headlines designed to attract your attention and get you concerned about the latest security threat. It's easy to get fatigued when it seems like every week there's a new hack, more credit card numbers lost, and more passwords to reset, but things aren't about to change soon, and those hacks deserve at least enough attention to make sure your bases are covered and your data is protected.
Mark Nunnikhoven is Vice President of Cloud & Emerging Technologies at Trend Micro. Frederick Lane is an author, attorney, educational consultant, expert witness, and lecturer who has appeared on The Daily Show, CNN, NBC, ABC, CBS, the BBC, and MSNBC. He has written seven books, including most recently "Cybertraps for the Young." All of his books are available on Amazon or through his Web site. You can follow him on Twitter at @fsl3, or at Computer Forensics Digest. Peter Theobald is a Computer Forensics examiner, expert witness, software designer, consultant and lecturer. He is the co-chair of the American Bar Association's Section of Litigation Computer Forensics sub-committee. You can find him at TCForensics.com. All three offered their expertise for this article, and we thank them.
Got your own question you want to put to Lifehacker? Send it using our contact form.