Kevin Coleman is a senior fellow at SilverRhino and former chief strategist at Netscape. (File) / File
Last week the news media and virtually every cyber security web site and blog covered Heartbleed, the huge cyber security vulnerability. Bloomberg reported that the U.S. National Security Agency identified the critical flaw in the software about two years before it became public. According to Bloomberg, NSA exploited the vulnerability to collect cyber intelligence. In response, the Office of the Director of National Intelligence issued a statement saying that no government agency, including the NSA, was aware of Heartbleed before its public disclosure.
Letís face it, Heartbleed is a cyber spyís dream given how many systems were involved. One could see how the NSA could have made the decision not to disclose the vulnerability and to exploit it for intelligence collection in the name of national security. However, there is another critical aspect of this that has not been addressed
As the news broke, recommended action for computer users started to come out and in many cases was directly attached to the Heartbleed headline. The problem was much of it was wrong. Much of the coverage instructed users to immediately go out and change their passwords and many users did just that. Now it seems that following those instructions unfortunately gave the users a false sense of security. Unless the owner/operator of the web site or system accessed by the users had made modifications to address the vulnerability, the new account information could have been exfiltrated as well.
Even worse, the user may disclose additional personal information used in security questions that often are integrated in the process of the user resetting their password.
But wait, it even gets worse! Malicious web sites are offering purported information and tools to address the Heartbleed problem. If users go to one of those sites, their systems can get compromised.
There is no one central authority that the public can look to and equally as important trust to get timely, accurate and up-to-date information about cyber threats or attacks and instructions of what to do. As bad as Heartbleed is, it is not as bad as things could be. It would be a great idea to learn from this and put a central, trusted authoritative web site and phone hotline with recorded instructions in place where everyone could go to get timely and accurate information Ė before the really big one hits!