back to article Study: Users don't much care about Heartbleed hacking dangers

Despite dire warnings from security experts and a massive public awareness campaign, users are less aware of the Heartbleed flaw than other recent security threats. So say researchers with the Pew Research Center. According to a public survey of 1,501 people conducted by the company, less than one fifth feel they are well versed …

COMMENTS

This topic is closed for new posts.
Bronze badge

very overblown

Sorry but this whole heartbleed thing is so over hyped it's sad. A ton of websites run behind commercial load balancers which for the most part are not vulnerable. A ton more websites run on Windows and IIS which are not vulnerable, even more run on older versions of OpenSSL that are not vulnerable. Think about the likelihood that you will be a target and for most folks I'd wager a bunch the likelihood is quite low. Not only that but you have to get to do a MITM attack on the user(s) to get their passwords etc.

For the likes of the NSA etc who are mirroring tons of traffic ok, but they probably knew about this a long time ago. For most people this bug is a non issue.

I would put the latest IE threat recently published as far more significant(assuming it is not patched yet maybe it is I haven't checked), since a full what is it 60% of web users are using IE, most of which are vulnerable? How many ad networks out there are serving up malware?

The way this vulnerability was broadcast one might think every computer on the planet was going to get hacked, that just simply isn't true.

5
4
Bronze badge

Re: very overblown

>MITM attack on the user(s) to get their passwords etc.

If you get the server's private key and capture the users session maybe but if the passwords used by other uses is lurking around in the process' memory then you could take it from there.

2
0
Bronze badge

Re: very overblown

People aren't worried because there is little demonstrated risk. To become a victim of this flaw a criminal would have to capture login or other private details and that is mostly a game of chance; hitting the right 'server' at just the right time.

The perceived reality for most is, "if it does happen, it will probably happen to someone else", and that's how we all manage to sleep soundly at night in the face of a world which is full of everyday risks.

Heartbleed was a big story in the IT community for reasons beyond the risk posed to users.

3
1
Silver badge

Re: very overblown

That's the point isn't it? The Heartbleed bug is a SERVER problem. You average user does not run one, and cannot do anything about the server(s) he lives behind on the intarwebz. The one and only server a user cares about is the one connecting him to the internet, and that one is run by his ISP. It's up to the ISP to fix the problem, not the user, so why would said user care? Other than possibly making sure the ISP has taken action, in case of a tech-savvy user.

If you run a website? Same thing.. most people do not run their own servers, but rent a spot with a provider. Again, this puts the duty of plugging the hole with the provider, not the user, since the user will certainly not have access sufficient to do anything about the Heartbleed problem.

In the end the problem is not something a user, however tech-savvy, can do anything about and ultimately poses just about the same risk as your ISP routing your traffic through US servers... So why would a user care? At all?

The current IE bug is a lot nastier, but even then to the average user it's business as usual: There's a bug in Product [X] , automatic updates are on, patch will happen when it's fixed. Meanwhile the only inconvenience is that said user must maybe be a be more selective in his/her porn-browsing habits.

0
0
Silver badge

Re: very overblown

"People aren't worried because there is little demonstrated risk."

http://www.theregister.co.uk/2014/04/14/heartbleed_draws_blood_at_canadian_revenue/

Whether this was down to heartbleed or not, it has been attributed to it - seems like fairly sensitive information to me.

1
0
Bronze badge

Re: not something a user can do anything about

Users can check whether any server they have an account on has been vulnerable, and change their passwords in case they've been compromised.

0
0
Silver badge

Re: very overblown

That's the point isn't it? The Heartbleed bug is a SERVER problem.

No, it affects clients using vulnerable versions of OpenSSL also. A malicious server can use Heartbleed to probe client memory, possibly extracting non-SSL credentials such as username and password, or other sensitive data. Where client certificates are used (uncommon but not unheard of), the client's key could be exposed.

Earlier posts in this thread ("have to hit the server at the right time", etc) are equally ignorant. Successful compromises using Heartbleed are well-documented and not at all difficult to achieve.

Add to that the fact that the bug is readily apparent to any C programmer with secure-software training who watches the OpenSSL commit list, and that it went unpublished for so long, and it is indeed quite serious.

1
0
Silver badge

People don't have time to get worried

There are vast numbers of fields of expertise with experts telling me I must do stuff. I don't have time to take them all seriously.

Toyota tells me my car should have an oil change every 5000km be serviced every 10,000 km. If it is lucky it gets the oil checked and topped up every 10,000 km or so. If it sounds hbad, it gets attention.

The dentist tells me I need to floss every day.. Yeah right. I haven't even had a check up in 13 years and have not flossed in 20. If my teeth hurt I'll give them attention.

The doctor tells me I should get a check up every year. Ten years if they are lucky. If my appendix explodes, I'll give it attention.

And the house should be painted etc etc etc...

Computer users have had people yelling about security and viruses forever and very few people are actually impacted on a dialy basis. For the most part they are just considered to be snake oil salesmen selling them anti-virus products etc.

It seems that everything in our lives wants some attention, even the damn computer. People are behind in everything. Why should they take Heartbleed any more seriously than dozens of OMG-the-sky-is-falling scare stories from virus experts etc?

Perhaps Heartbleed really is bad, but until we hear of people having real damage - and not just some theory - most people will do nothing.

7
1
Silver badge

Re: People don't have time to get worried

I agree but I also realize that if there's no media screaming with vids of angry people, flaming computers, etc., most people ignore it. Given the lack of information in the popular press, I daresay most people aren't even aware of it.

Example: When the Target thing was first reported, I was standing in line at Target and the casher asked if I wanted to save 5% and get a RedCard, I politely declined and brought up the attack and what was taken. The casher and several people in line hadn't heard a word about it. Then again, if they get their news from the likes of People magazine, Oprah, or Farcebook.... understandable.

1
1
Bronze badge

Re: People don't have time to get worried

Most people really don't give a shit

1
0
Silver badge

Re: People don't have time to get worried

Never mind giving a ****, there's the problem of what Mr Average can do about this. There's no point changing passwords until all vulnerable servers have been patched. But Mr Average doesn't know whether the servers he logs into were vulnerable in the first place, he doesn't know when or if they're fixed. And if he's got to change all his passwords, they all get saved or written down somewhere.

And even after all that, look at the appalling security that some commercial companies apply to sensitive data. There's been a series of major security breaches that show companies have a cavalier attitude to customer data. So why would an average user worry too much about the remote possibility of being hacked, when the likes of Target, Neiman Marcus, TJX/TKMaxx are so remiss in their responsibilities as data custodians?

4
0
Anonymous Coward

Re: People don't have time to get worried

No, the Average Person doesn't care about flossing, dental checkups or car servicing, but to be frank the Average Person is a complete moron, with rotting teeth and a broken-down car blocking up the ring road when I'm trying to get home after work.

Don't forget, just because the Average Person doesn't care about it, doesn't mean it's not important.

1
1
ql
Bronze badge
IT Angle

OK, I'm afraid - now what?

"Those numbers, say researchers, indicate far less interest among the public in Heartbleed than other recent security threats."

This issue is right up there with out-of-control government surveillance and other issues over which we have little or no control. It's therefore human nature to ignore or route around what cannot be directly controlled, or we'll go mad with fear. Modern life has pushed us into the digital arena, much of which most people cannot understand.* So when something like heartbleed comes along, it is tough to consider people reacting less than some researcher requires as not caring.

* - Anecdote - in the mid-80s, as the only person in an office who had played on a Vic-20 and Speccie, I was responsible for a "computerisation" project using those new-fangled computer things, as the Board saw it. The CEO stood behind his secretary who was typing a letter on Wordstar and when he saw me said to me "That letter on the screen." "Yes?" "Where is it?" He could grasp the concept of a typewriter where you could physically see the process, but to this day, I don't know whether his question is the stupidest or the most profound thing I've ever heard anyone say about computers.

1
0

Re: OK, I'm afraid - now what?

Stupid and Profound. Truth is a three edged sword. (a Vorlon saying).

My Dad asked me something similar in the late 80's, I told him the document was buzzing around inside the machine as electrons, and we are just molecules buzzing around the machine of the universe.

He was later in charge of patient medical records computerisation at a large hospital.

1
0

Re: OK, I'm afraid - now what?

Mine asked me to help him feed a sheet of paper into the shredder, which I did. He then said actually he needed one extra copy.

1
0

Far too much hassle

For most people, this is way to much hassle. The vast majority of users have a handful of passwords that they use for all the sites they belong to. And they belong to far more than they can remember. Given this, unless the site sends them an email asking them to change their password (which they've been trained to ignore as a phishing attempt), who is going to bother?

Only people who have a password manager system are likely to maintain secure, unique passwords and even then it's an issue finding out which accounts to update.

I use Lastpass, and it's taken me an hour to update the sites they informed me needed to be changed. Probably a waste of time, but what's an hour?

0
0
Bronze badge
Paris Hilton

No but

It may give people the impression that security really is a server side issue ttoo and if so what are the server administrators doing to keep emails, logins, passwords, ... safe in the (ahem - cough - belch) era of "internet first, online-ism" so sought by guvmints near and far as it can reduce postage costs and keep wages and pensions high?

I mean, if all of the MITM hacking can be handled serverside why should we need to be so aware of it all off the time?

If malware goes viral isn't that an indication of server weaknesses rather than end user silliness?

0
0
Stop

Misinformation aplenty

Reading some of these posts, it seems there might be a lot of misinformation regarding the technical implications of Heartbleed. Without writing a huge article, here's a brief overview of critical points.

The flaw affects BOTH servers AND clients. The heartbeat command that is generated that causes the flaw is like a ping. The server can "ping" the client and the client can "ping" the server. Granted, a server would have to be specifically set up to send malicious heartbeat packets sniffing for data, although it's still possible. Embedded devices, like routers, WiFi access points, etc. are potentially affected because they can be running a "server" too (although this should make people take a good look as to whether you really need that WiFi access point interface to be accessible to the whole internet over port 443).

A MITM attack is NOT needed for a random third party to (potentially) obtain username/passwords that are sitting around in memory on a server. All that has to be done is for someone to attack a vulnerable server with forged heartbeat packets, then sift through the returned data. Would it be difficult to find usernames and passwords? Potentially, as the leaked data is whatever random data was stored in memory at the location that was copied. It could return useful information after only one request, or it could return useful information only after 10 millions requests. Now when it comes to sifting through that data, that's a whole other issue.

A MITM attack IS required for someone to pretend they are another site, IF they happen to get a copy of the server's private key. Because of that IF, this is why people are recommending revoking SSL certificates. Just like the usernames and passwords, they might get the private key easily, or they might have a really hard time getting it. One they get the key, they still have to get the end user to visit their site (to avoid certificate warnings, they would need something like DNS cache poisoning to redirect someone to a different IP while keeping the domain the same).

As an end user, you visit a lot more than just your "ISP's server". Any web site you visit over SSL poses a potential risk.

All in all, I still agree that the media over-sensationalized this quite a bit. Odds are most people will not be affected by it. Sure there will be some (especially considering known attacks started up shortly after the vulnerability was revealed), but most will not, simple because they first have to attack a server that vulnerable, then they have to hope the server leaks the credentials, then they have to actually be credentials for you.

Kudos to the majority of the staff out there that got things patches up quickly (I'm probably a little spoiled, as I keep the 50 or so servers I manage up-to-date on a regular basis, so a simple apt-get upgrade is easy. The SSL certificate revocations was a little bit more work).

2
0
Anonymous Coward

a smug bastard writes

my email people have told me to change my password, I haven't bothered because I think the chances of it being compromised are infinitesimal. I don't do anything stupid like internet banking so I don't really see the need for me to panic.

however I do understand that it's another nail in the twitching corpse of the already hopelessly compromised ssl and that that is a serious problem for those punting the ability to do dangerous things on the internet.

(with apologies for the mixed metaphor)

0
0
Unhappy

typical response - why would crims want to read my boring emails

This is the most popular response I get from people I know. They don't want scare stories, and can't be bothered with changing passwords for something they don't care enough about.

What we need is more actual anecdotes involving normal boring people ("celebs phone hacking, well they're asking for it, doesn't affect me")

0
0
Bronze badge
Paris Hilton

Who wants to hack an individual computer?

Apart from DDOS what good is that?

Far better to get in to server insecurities - that is where the luverly lucre is no?

Besides, for any malware to go viral either as an epidemic or pandemic it is essential that servers do the biggest workload.

End users might feel the pain but servers are the big distribution node in a distribution network yes?

0
0
Silver badge

Who wants to hack an individual computer?

This is the difference between "thinking like a normal person" and "thinking like a security professional". (Schneier has written a number of times on the subject.)

The likely average return on "hacking" some end-user's machine, in the sense we're talking about with Heartbleed, is indeed very small. (That's opposed to, say, an exploit that lets you recruit the machine into a DDOS army, as you noted.)

But the amortized cost is negligible. Say you run, oh, a porn site. Say you already have an HTTPS server set up (for taking credit card charges from your dimmer consumers), and so you already have a server certificate signed by a well-known CA and the infrastructure in place. So you redirect the front page of your unprotected site to the HTTPS site; users are not likely to notice.1

Then you add a little server-side Heartbleed probe module to your HTTPS server, and just let it harvest random data from clients. There's plenty of existing software that will trawl that collection for you, looking for interesting tidbits. Mostly you're likely to get the occasional username/password pair for some random other site the user has visited recently. That's fine. Add it to a database, and gradually you assemble a collection of username/password pairs that you can use to try against more-interesting sources, or more likely just sell to some blackhat.

The point is that it costs you almost nothing to do this, and maybe you get some cash from it. It's not about "hacking" any particular individual PC; it's about collecting possibly sensitive information from a lot of them, because such a collection is potentially valuable to someone else.

Spamming and phishing have very low average returns too. But they scale and they have extremely low cost.

1For performance reasons, you probably redirect them back to the unprotected site once you've probed them for Heartbleed, but that's an implementation detail.

1
0
Silver badge

How many accounts do you have, total? How many of those matter?

I'm guessing I probably have a dozen emails, 100-150 website accounts, two banking accounts, six or seven online gaming accounts, plus steam.

Out of those, I care about one email account, and it's on Windows; and both banking accounts are two-factor. Which means that the only imperiled account I care about is Steam.

Which, incidentally, is the ONLY account I've changed password on.

0
0
This topic is closed for new posts.

Forums