Heartburn

Tens of millions of Americans have been affected by the theft of their personal information in the digital age.

In a recent major data breach at Target stores, numbers and names were taken from about 40 million customers, and many millions more suffered compromises in other personal information such as email addresses or phone numbers.

The victims trusted their retail stores, their credit and debit card issuers, their banks and such security measures as four-digit personal identification numbers to protect their information.

At least the credit and debit card system was somewhat understood by those who suffered in the Target scam, which siphoned data from the store card-swiping machines.

Who understands the vulnerability of OpenSSL?

This is a small piece of incredibly important software largely hidden from users. It protects encrypted data on websites and is in use around the world.

Remember that little padlock you saw when you typed in a credit card number or personal information when making a purchase online?

It meant “secure,” or safe, right?

Wrong.

Last week, it was discovered that a bug had crept into OpenSSL that could allow intruders to read encrypted data contained in memory, such as passwords or credit cards.

The bug was called “Heartbleed” and could allow attackers to eavesdrop on communications, steal data and even impersonate users and Web services. Computer security expert Bruce Schneier called it “catastrophic” and said on a scale of one to 10, “this is an 11.”

News about the bug sent people racing once again to protect themselves and change their passwords to avoid further damage or loss.

We’re tempted to say this ought to be a wake-up call, but we have already had so many wake-up calls.

To put it bluntly: As a country and as a society, we have come to depend on a vast, interconnected system; if one small part fails, the impact is widespread.

As noted in a forthcoming Atlantic Council report, the Internet was created to be based on trust, not security. Finances, news and social media, medical systems, universities, science, transportation, energy flows, national defense and almost anything else you can think of depend on it.

Yet, we continue to discover it is vulnerable to theft, intrusion and disruption on an appalling scale.

If a tiny piece of malware could steal millions of credit card numbers at Target, or if a bug could make vulnerable the encryption offered by OpenSSL, then what should we think about whether it is safe or wise to control the electric grid via the Internet?

We are living in an age of growing danger but reacting with complacency. The administration unveiled a useful initiative Thursday, promising that sharing cyberthreat information among companies would not bring on antitrust liability. But this, and President Obama’s other measures, including his voluntary cybersecurity framework, represent only what is doable given a continued lack of a consensus in Congress and a failure in the private sector to take all threats more seriously.

They are timid measures in the face of an epic heartburn that will be costly for us all.

— The Washington Post