Heartbleed: what brands and publishers should know
For the past day and a half, the Internet has been abuzz about “Heartbleed,” a sinister-sounding security flaw that has rendered a massive chunk of the Web vulnerable to attack.
No less an authority than Bruce Schneier — a leading computer security expert, author and fellow at Harvard’s Berkman Center — wrote that the implications of Heartbleed are “catastrophic.” “On the scale of 1 to 10, this is an 11,” wrote Schneier, hardly a hand-wringing Cassandra.
Already a thousand explainer articles have been written about Heartbleed, which even has its own little logo. The flaw was only recently uncovered in OpenSSL, the standard encryption many sites and online services use to keep your username and password encrypted. At its disclosure, some 17 percent — or half a million — of the Internet’s secure web servers were believed to have been vulnerable to the attack.
In theory, a hacker can exploit the vulnerability without leaving a trace to access passwords, encrypted communications such as instant messages, and credit-card information. The implications for major publishers and online retailers are simply astonishing. Just changing a password is not necessarily going to help anything — here’s a fairly comprehensive list of passwords you should change (Facebook, Gmail), and those you don’t need to worry about (Amazon, PayPal).
Digiday spoke with David Chartier, CEO of security firm Codenomicon, about what brands and publishers have to worry about — and whether the press has gotten the Heartbleed story right so far. Excerpts:
What do big publishers and online retailers need to do here?
The key thing is if you have a Web presence, you need to find out if you’re using OpenSSL. It’s pretty simple: your IT department knows what they’re using. The good thing with this bug is the fix is pretty simple: upgrade to the new version with the patch and revoke your old encryption keys. Then get issued new encryption keys. If you don’t do that, the attackers theoretically still have your encryption key and are able to decrypt your traffic. Go through your vendor, who will issue you new keys. Once that’s done users can change their passwords.
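One way an operator can verify the last step Chartier describes, that the certificate really was reissued after patching rather than left in place, is to compare the live certificate's issue date and serial number against the pre-incident values. This is an added Python example, not code from the article or from Codenomicon; the cutoff date, host name and "old" serial number are caller-supplied assumptions.

```python
"""Check whether a site's TLS certificate has been reissued since a cutoff.

Added example (not part of the Digiday article or Codenomicon's tooling).
After patching OpenSSL the certificate, and ideally the key, must be
replaced, so a certificate whose notBefore predates the patch is a
warning sign. Cutoff date, host and old serial are assumptions.
"""
import socket
import ssl
from datetime import datetime, timezone

# Time format used by ssl.getpeercert() and `openssl x509 -dates`
OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_time(value):
    """Parse 'Apr 10 12:00:00 2014 GMT' into an aware UTC datetime."""
    return datetime.strptime(value, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def assess_cert(cert, cutoff, old_serial=None):
    """Classify a peer-certificate dict (as returned by getpeercert()).

    cutoff is an ISO date string (YYYY-MM-DD) chosen by the operator.
    Returns 'reissued' if notBefore is on/after the cutoff and, when the
    serial seen before the incident is known, the serial has changed;
    otherwise 'stale'. A new serial proves reissue, not that the private
    key changed; compare the public key (openssl x509 -pubkey) for that.
    """
    cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if parse_openssl_time(cert["notBefore"]) < cutoff_dt:
        return "stale"
    if old_serial is not None and cert.get("serialNumber") == old_serial:
        return "stale"
    return "reissued"


def fetch_cert(host, port=443, timeout=5):
    """Fetch and validate the live certificate for host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed sample values, not a real certificate or real serials.
    sample = {"notBefore": "Apr 10 12:00:00 2014 GMT", "serialNumber": "0A1B2C"}
    print(assess_cert(sample, "2014-04-08", old_serial="0A1B2B"))  # reissued
```

For a live check, pass the result of `fetch_cert("example.invalid")` to `assess_cert` with the cutoff your vendor confirmed for the patch.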
Has anyone not done this or had any trouble doing it?
All the top Internet assets have already done this. They have processes in place to roll this out. They’re able to do this fairly quickly.
What if you’re a small online retailer without an IT department?
If you’re a small business, you might be better off shutting down — going offline — and not using it until you can get it confirmed from your service provider, so you don’t have to worry about being hacked. At Codenomicon we only really deal with really large companies. All our clients seem to be on top of it. I have people I know, friends running ecommerce sites, and they don’t know anything about anything. They need to contact whoever they’re getting their service from and ask them simple questions: are we using simple SSL? Have you upgraded?
It’s probably a good time to be a vendor providing these new encryption keys.
You can imagine the certificate providers are pretty busy these days. You have a huge chunk of the Internet asking for these certificates.
A lot of businesses can’t really afford to just go offline, though.
Those are really your two choices: Do the upgrade or turn the service off. The Canadian IRS closed their system. They needed to do quite a lot of work to do these upgrades to make sure no one was compromised. I think they took a prudent approach.
No one knew about this before last week. Are hackers having a field day right now?
It’s hard to say. I know a number of security firms have set up honeypots on the Internet to try to determine if there’s any activity out there. The challenge you have with this bug is that it doesn’t leave any forensic traces. After we hacked ourselves we couldn’t find any trace that we’ve been there. Unless somebody hacks a honeypot and the honeypot owner discloses that, it’s going to be very difficult to determine if it’s been exploited or not.
Has this been overblown, under-blown or appropriately-blown?
I say it’s an appropriate response given the severity of the threat. The Internet is a whole lot safer than it was a week ago thanks to the security community and the media.
So it’s now safe to buy things on Amazon and sign in to read the New York Times?
I don’t want to call out any individual websites, but I would say it’s pretty safe on Amazon.
Has the media gotten the story right?
I would say that a vast majority have gotten it pretty right. There’s been a lot of talk about how important it is you change your password. It is. But you have to do it at the right time. It doesn’t help to change it unless your SSL has been upgraded and you’ve been issued the certificate. Changing the password isn’t a fix in itself. But overall it’s been good reporting.