Last week the Internet was shaken to the core by a large security bug that was dubbed Heartbleed. The major websites and the national and local news reported on it, and you probably received several emails about it. The advice for protecting yourself from this bug was to tell all users to change their password, but not until the website had fixed the bug. After the website fixed the bug and you changed your password, your account was protected. Sounds like a fine plan: websites did their due diligence and everyone is safe. Safe, that is, as long as each user took responsibility for their online accounts and followed the advice, or remembered to do so after the fact.
The Heartbleed bug should be a wake-up call to individual websites as well as the entire industry. The resolution, relying on millions of users to do something with their user accounts and passwords under the umbrella of security, was awful. That solution is embarrassing, unprofessional, lazy, and exposes another major gap in the IT security mindset of these cloud services. I am not generalizing this concern because of a few slacker services; as a whole, not one service I use that was impacted by Heartbleed had a proactive technical control in place.
You can run down the Heartbleed hit list and verify what I am about to detail.
The problem with how the Heartbleed bug was handled was that it relied completely on the user to do all the legwork of protecting their account. Most websites' Terms and Conditions, which all of us click Agree to without reading, usually have clauses in them stating that the user cannot hold the website accountable if the user does not follow security best practices, password composition rules, etc… However, if there is an Internet-wide security issue, why are you putting all the work on the user? A large portion will ignore the email to change their password, change it too early before the bug is fixed, or forget to change it later on. All of these actions leave the user exposed.
If I had a cloud service, here is what I would have in place to cover things like the Heartbleed bug, breaches, and any other issue that would require users to take extra precaution with their accounts. I would build an administrative function that allows the service to force users to change their password the next time they log in. Flag every account after the bug has been fixed; then, when users log in, they must change the password before proceeding. Far more secure, less thinking and tracking for the individual user, and the user is happier knowing their cloud service has their security in mind.
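Here is what that administrative function looks like in code. This is an added example written for this post, not code from any of the services discussed; the in-memory user store, the function names (`flag_accounts_for_reset`, `login`, `change_password`) and the PBKDF2 password hashing are all the example's own assumptions. It flags only accounts whose password predates the fix timestamp, which also covers the "changed it too early" case: a rotation made while the bug was still live offered no protection, so that account is flagged anyway, while a user who already rotated after the fix is left alone.

```python
"""Force a password change at next login after an incident such as Heartbleed.

Added example, not from the original post. The user store, hashing scheme and
function names are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever the service actually uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    password_changed_at: datetime
    must_reset_password: bool = False


class PasswordResetRequired(Exception):
    """Credentials were valid, but the account is locked until the password is changed."""


def create_user(username: str, password: str, changed_at: datetime) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt), changed_at)


def flag_accounts_for_reset(users: dict, fixed_at: datetime) -> int:
    """Administrative action: run once the vulnerable library is patched (fixed_at).

    Every account whose password was last set before the fix is flagged, including
    users who rotated too early. Returns the number of accounts flagged.
    """
    flagged = 0
    for user in users.values():
        if user.password_changed_at < fixed_at:
            user.must_reset_password = True
            flagged += 1
    return flagged


def login(users: dict, username: str, password: str) -> str:
    user = users.get(username)
    if user is None or not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        raise PermissionError("invalid credentials")
    if user.must_reset_password:
        # Do not hand out a session; the UI sends the user to the change-password page.
        raise PasswordResetRequired(username)
    return "session-for-" + username


def change_password(users: dict, username: str, old_password: str,
                    new_password: str, now: datetime) -> None:
    user = users[username]
    if not hmac.compare_digest(_hash_password(old_password, user.salt), user.pw_hash):
        raise PermissionError("invalid credentials")
    if hmac.compare_digest(_hash_password(new_password, user.salt), user.pw_hash):
        raise ValueError("new password must differ from the old one")
    user.salt = os.urandom(16)  # fresh salt with the new secret
    user.pw_hash = _hash_password(new_password, user.salt)
    user.password_changed_at = now
    user.must_reset_password = False  # flag clears only via a completed change


def demo() -> dict:
    """Walk three constructed accounts through the flow and report what happened."""
    fixed_at = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)  # constructed fix time
    before = datetime(2014, 4, 1, tzinfo=timezone.utc)
    early = datetime(2014, 4, 8, 9, 0, tzinfo=timezone.utc)  # rotated while still vulnerable
    after = datetime(2014, 4, 9, tzinfo=timezone.utc)
    users = {
        "alice": create_user("alice", "alice-old", before),
        "bob": create_user("bob", "bob-early", early),
        "carol": create_user("carol", "carol-new", after),
    }
    result = {"flagged": flag_accounts_for_reset(users, fixed_at)}

    def attempt(name, pw):
        try:
            return login(users, name, pw)
        except PasswordResetRequired:
            return "reset_required"

    result["alice_first_login"] = attempt("alice", "alice-old")
    result["bob_first_login"] = attempt("bob", "bob-early")
    result["carol_login"] = attempt("carol", "carol-new")
    change_password(users, "alice", "alice-old", "alice-new", after)
    result["alice_second_login"] = attempt("alice", "alice-new")
    return result


if __name__ == "__main__":
    print(demo())
```

The flag is cleared only by a successful `change_password`, never by the login itself, so a user who abandons the reset page is still blocked the next time around; that is the property the email-everyone approach cannot give you.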
Not one major site forced a password change. Why?
How many user accounts are out there whose owners still have not gone in and changed their password? How many intended to but forgot?
So much focus on the service and not enough on basic identity security capabilities on behalf of the users.
End of line.
Binary Blogger has spent 20 years in the Information Security space and currently provides security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.